Red Hat Bugzilla – Bug 878583
IPA Trust does not show secondary groups for AD Users for commands like id and getent
Last modified: 2015-09-29 03:12:41 EDT
Description of problem:
With IPA Trust environment, AD User secondary group membership is not shown by commands like id and getent. Only the primary (mapped) private user group is shown.

Example: On the AD side, "testuser" is a member of "Domain Users" and "testgroup" groups. However, this does not reflect when `id` is run against "testuser":

---
[root@ipaserver1 ~]# su - testuser@ad.example.com
-sh-4.1$ id
uid=238801108(testuser@ad.example.com) gid=238801108(testuser@ad.example.com) groups=238801108(testuser@ad.example.com),1600200004(ad_users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
---

The groups exist:

---
[root@ipaserver1 ~]# getent group AD\\testgroup
testgroup@ad.example.com:*:238801109:
[root@ipaserver1 ~]# getent group AD\\'Domain Users'
domain users@ad.example.com:*:238800513:
---

Version-Release number of selected component (if applicable):
sssd-1.9.2-14.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Setup IPA Server
2. Setup AD Server, add 2 groups, add user, add user to 2 new groups
3. ipa-adtrust-install
4. ipa trust-add <addomain> --admin Administrator --password
5. id <aduser@addomain>

Actual results:
Does not show secondary AD Groups.

Expected results:
Shows all AD Groups?

Additional info:
Upstream ticket: https://fedorahosted.org/sssd/ticket/1666
[root@ibm-x3500m4-01 ~]# ipa trust-add --type=ad adlab.qe --admin Administrator --password
Active directory domain administrator's password:
-------------------------------------------------
Added Active Directory trust for realm "adlab.qe"
-------------------------------------------------
  Realm name: adlab.qe
  Domain NetBIOS name: ADLAB
  Domain Security Identifier: S-1-5-21-3655990580-1375374850-1633065477
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
[root@ibm-x3500m4-01 ~]# ipa group-add --desc='adlab.qe users external map' ad_users_external --external
-------------------------------
Added group "ad_users_external"
-------------------------------
  Group name: ad_users_external
  Description: adlab.qe users external map
[root@ibm-x3500m4-01 ~]# ipa group-add --desc="adlabe.qe users" ad_users
----------------------
Added group "ad_users"
----------------------
  Group name: ad_users
  Description: adlabe.qe users
  GID: 520800004
[root@ibm-x3500m4-01 ~]# ipa group-add-member ad_users_external --external 'ADLAB\Domain Users'
[member user]:
[member group]:
  Group name: ad_users_external
  Description: adlab.qe users external map
  External member: S-1-5-21-3655990580-1375374850-1633065477-513
-------------------------
Number of members added 1
-------------------------
[root@ibm-x3500m4-01 ~]# ipa group-add-member ad_users --groups ad_users_external
  Group name: ad_users
  Description: adlabe.qe users
  GID: 520800004
  Member groups: ad_users_external
-------------------------
Number of members added 1
-------------------------
[root@ibm-x3500m4-01 ~]# id adtestuser1@adlab.qe
uid=1979001178(adtestuser1@adlab.qe) gid=1979001178(adtestuser1@adlab.qe) groups=1979001178(adtestuser1@adlab.qe)
[root@ibm-x3500m4-01 ~]# id adtestuser2@adlab.qe
uid=1979001185(adtestuser2@adlab.qe) gid=1979001185(adtestuser2@adlab.qe) groups=1979001185(adtestuser2@adlab.qe)
[root@ibm-x3500m4-01 ~]# su - adtestuser1@adlab.qe
su: warning: cannot change directory to /home/adlab.qe/adtestuser1: No such file or directory
-sh-4.1$ id
uid=1979001178(adtestuser1@adlab.qe) gid=1979001178(adtestuser1@adlab.qe) groups=1979001178(adtestuser1@adlab.qe) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ logout
[root@ibm-x3500m4-01 ~]# su - adtestuser2@adlab.qe
su: warning: cannot change directory to /home/adlab.qe/adtestuser2: No such file or directory
-sh-4.1$ id
uid=1979001185(adtestuser2@adlab.qe) gid=1979001185(adtestuser2@adlab.qe) groups=1979001185(adtestuser2@adlab.qe) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ logout
[root@ibm-x3500m4-01 ~]# getent group ADLAB\\adgroup1
adgroup1@adlab.qe:*:1979001150:
[root@ibm-x3500m4-01 ~]# getent group ADLAB\\adgroup2
adgroup2@adlab.qe:*:1979001151:
[root@ibm-x3500m4-01 ~]# kinit adtestuser2@ADLAB.QE
Password for adtestuser2@ADLAB.QE:
[root@ibm-x3500m4-01 ~]# ssh -K -l "adtestuser2@adlab.qe" `hostname`
** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **
This System is reserved by sgoveas@redhat.com.

To return this system early. You can run the command: return2beaker.sh
Ensure you have your logs off the system before returning to Beaker

To extend your reservation time. You can run the command: extendtesttime.sh
This is an interactive script. You will be prompted for how many
hours you would like to extend the reservation.

You should verify the watchdog was updated succesfully after
you extend your reservation.
https://beaker.engineering.redhat.com/recipes/768048

For ssh, kvm, serial and power control operations please look here:
https://beaker.engineering.redhat.com/view/ibm-x3500m4-01.rhts.eng.bos.redhat.com

Beaker Test information:
HOSTNAME=ibm-x3500m4-01.rhts.eng.bos.redhat.com
JOBID=365230
RECIPEID=768048
RESULT_SERVER=127.0.0.1:7093
DISTRO=RHEL6.4-20130109.1
ARCHITECTURE=x86_64

Job Whiteboard: RHEL 6.4 latest

Recipe Whiteboard:
** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **
Could not chdir to home directory /home/adlab.qe/adtestuser2: No such file or directory
-sh-4.1$ id
uid=1979001185(adtestuser2@adlab.qe) gid=1979001185(adtestuser2@adlab.qe) groups=1979001185(adtestuser2@adlab.qe),520800004(ad_users),1979000513(domain users@adlab.qe),1979001151(adgroup2@adlab.qe) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ logout
[root@ibm-x3500m4-01 ~]# getent group ADLAB\\adgroup1
adgroup1@adlab.qe:*:1979001150:adtestuser1@adlab.qe
[root@ibm-x3500m4-01 ~]# getent group ADLAB\\adgroup2
adgroup2@adlab.qe:*:1979001151:adtestuser2@adlab.qe,adtestuser1@adlab.qe
[root@ibm-x3500m4-01 ~]# rpm -qa | grep sssd
sssd-client-1.9.2-82.el6.x86_64
sssd-1.9.2-82.el6.x86_64
[root@ibm-x3500m4-01 ~]# rpm -qa | grep ipa-server
ipa-server-selinux-3.0.0-24.el6.x86_64
ipa-server-3.0.0-24.el6.x86_64
ipa-server-trust-ad-3.0.0-24.el6.x86_64
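The verification comment above confirms the fix by eye: after a Kerberos login the `groups=` field of `id` finally lists `domain users@adlab.qe` and `adgroup2@adlab.qe`. The script below is an added example, not part of this bug report and not SSSD or IPA code, that automates that check so an IPA client can be tested for the regression after an update. The two sample `id` lines are copied from the description and from the comment; the function names `id_groups`, `check_ad_groups` and `check_user_groups` are chosen here. Note that AD group names can contain spaces, so the `groups=` field cannot simply be cut at the next blank; the SELinux `context=` field is stripped first instead.

```shell
#!/bin/sh
# Added example (not from the bug report or from SSSD/IPA): confirm that the
# groups= field of `id` output lists every AD group a trusted-domain user is
# expected to carry. Function names are chosen for this example.

# Constructed sample: the `id` line from the bug description, where the
# secondary AD groups are missing.
ID_BEFORE='uid=238801108(testuser@ad.example.com) gid=238801108(testuser@ad.example.com) groups=238801108(testuser@ad.example.com),1600200004(ad_users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'

# Constructed sample: the `id` line from the verification comment, where the
# secondary AD groups resolve.
ID_AFTER='uid=1979001185(adtestuser2@adlab.qe) gid=1979001185(adtestuser2@adlab.qe) groups=1979001185(adtestuser2@adlab.qe),520800004(ad_users),1979000513(domain users@adlab.qe),1979001151(adgroup2@adlab.qe) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'

# id_groups ID_LINE
# Print the group names from the groups= field, one per line. The context=
# field is removed first because AD group names may contain spaces
# ("domain users@adlab.qe"), so the field cannot be cut at the next blank.
id_groups() {
    printf '%s\n' "$1" \
      | sed 's/ context=.*$//; s/.*groups=//' \
      | tr ',' '\n' \
      | sed 's/^[0-9]*(\(.*\))$/\1/'
}

# check_ad_groups ID_LINE GROUP...
# Return 0 when every GROUP appears in ID_LINE; otherwise report each missing
# group on stderr and return 1.
check_ad_groups() {
    line=$1
    shift
    rc=0
    for want in "$@"; do
        if ! id_groups "$line" | grep -qxF -- "$want"; then
            echo "missing group: $want" >&2
            rc=1
        fi
    done
    return "$rc"
}

# check_user_groups USER GROUP...
# Live variant: run id(1) for a trusted-domain user on the IPA client and
# check it the same way (e.g. check_user_groups adtestuser2@adlab.qe 'domain users@adlab.qe').
check_user_groups() {
    user=$1
    shift
    check_ad_groups "$(id "$user")" "$@"
}

# Demonstration on the constructed samples.
if check_ad_groups "$ID_AFTER" 'domain users@adlab.qe' 'adgroup2@adlab.qe'; then
    echo "after fix: all expected AD groups resolved"
fi
if ! check_ad_groups "$ID_BEFORE" 'testgroup@ad.example.com' 'domain users@ad.example.com'; then
    echo "before fix: secondary AD groups missing (bug reproduced)"
fi
```

Run the script as-is to see both outcomes on the embedded samples, or call `check_user_groups` on a client joined to the IPA domain; the non-zero exit status makes it usable from a post-update health check. Because SSSD caches group membership, a stale result after the errata is applied is worth ruling out with `sss_cache -E` before treating a missing group as the bug.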
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0508.html