Bug 878583 - IPA Trust does not show secondary groups for AD Users for commands like id and getent
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks: 895654
 
Reported: 2012-11-20 17:25 UTC by Scott Poore
Modified: 2020-05-02 17:07 UTC (History)

Fixed In Version: sssd-1.9.2-66.el6
Doc Type: Bug Fix
Doc Text:
No documentation needed.
Clone Of:
Environment:
Last Closed: 2013-02-21 09:41:03 UTC
Target Upstream Version:




Links
GitHub SSSD issue 2708 (closed): IPA Trust does not show secondary groups for AD Users for commands like id and getent (last updated 2020-08-26 22:46:45 UTC)
Red Hat Product Errata RHSA-2013:0508 (priority normal, SHIPPED_LIVE): Low: sssd security, bug fix and enhancement update (last updated 2013-02-20 21:30:10 UTC)

Description Scott Poore 2012-11-20 17:25:58 UTC
Description of problem:
With IPA Trust environment, AD User secondary group membership is not shown by commands like id and getent.  Only the primary (mapped) private user group is shown.

Example:

On the AD side, "testuser" is a member of "Domain Users" and "testgroup" groups. However, this does not reflect when `id` is run against "testuser":

---
[root@ipaserver1 ~]# su - testuser@ad.example.com
-sh-4.1$ id
uid=238801108(testuser@ad.example.com) gid=238801108(testuser@ad.example.com) groups=238801108(testuser@ad.example.com),1600200004(ad_users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
---

The groups exist:

---
[root@ipaserver1 ~]# getent group AD\\testgroup
testgroup@ad.example.com:*:238801109:
[root@ipaserver1 ~]# getent group AD\\'Domain Users'
domain users@ad.example.com:*:238800513:
---

Version-Release number of selected component (if applicable):
sssd-1.9.2-14.el6.x86_64

How reproducible:
always


Steps to Reproduce:
1.  Setup IPA Server
2.  Setup AD Server, add 2 groups, add user, add user to 2 new groups
3.  ipa-adtrust-install
4.  ipa trust-add <addomain> --admin Administrator --password
5.  id <aduser@addomain>
  
Actual results:
Does not show secondary AD Groups.  

Expected results:
Shows all AD Groups?


Additional info:

Comment 2 Pavel Březina 2012-11-23 09:46:52 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1666

Comment 4 Steeve Goveas 2013-01-30 13:37:25 UTC
[root@ibm-x3500m4-01 ~]# ipa trust-add --type=ad adlab.qe --admin Administrator --password
Active directory domain administrator's password:
-------------------------------------------------
Added Active Directory trust for realm "adlab.qe"
-------------------------------------------------
  Realm name: adlab.qe
  Domain NetBIOS name: ADLAB
  Domain Security Identifier: S-1-5-21-3655990580-1375374850-1633065477
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
 
[root@ibm-x3500m4-01 ~]# ipa group-add --desc='adlab.qe users external map' ad_users_external --external
-------------------------------
Added group "ad_users_external"
-------------------------------
  Group name: ad_users_external
  Description: adlab.qe users external map
[root@ibm-x3500m4-01 ~]# ipa group-add --desc="adlabe.qe users" ad_users
----------------------
Added group "ad_users"
----------------------
  Group name: ad_users
  Description: adlabe.qe users
  GID: 520800004
[root@ibm-x3500m4-01 ~]# ipa group-add-member ad_users_external --external 'ADLAB\Domain Users'
[member user]:
[member group]:
  Group name: ad_users_external
  Description: adlab.qe users external map
  External member: S-1-5-21-3655990580-1375374850-1633065477-513
-------------------------
Number of members added 1
-------------------------
[root@ibm-x3500m4-01 ~]# ipa group-add-member ad_users --groups ad_users_external
  Group name: ad_users
  Description: adlabe.qe users
  GID: 520800004
  Member groups: ad_users_external
-------------------------
Number of members added 1
-------------------------
 
[root@ibm-x3500m4-01 ~]# id adtestuser1@adlab.qe
uid=1979001178(adtestuser1@adlab.qe) gid=1979001178(adtestuser1@adlab.qe) groups=1979001178(adtestuser1@adlab.qe)
 
[root@ibm-x3500m4-01 ~]# id adtestuser2@adlab.qe
uid=1979001185(adtestuser2@adlab.qe) gid=1979001185(adtestuser2@adlab.qe) groups=1979001185(adtestuser2@adlab.qe)
 
[root@ibm-x3500m4-01 ~]# su - adtestuser1@adlab.qe
su: warning: cannot change directory to /home/adlab.qe/adtestuser1: No such file or directory
-sh-4.1$ id
uid=1979001178(adtestuser1@adlab.qe) gid=1979001178(adtestuser1@adlab.qe) groups=1979001178(adtestuser1@adlab.qe) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ logout
 
[root@ibm-x3500m4-01 ~]# su - adtestuser2@adlab.qe
su: warning: cannot change directory to /home/adlab.qe/adtestuser2: No such file or directory
-sh-4.1$ id
uid=1979001185(adtestuser2@adlab.qe) gid=1979001185(adtestuser2@adlab.qe) groups=1979001185(adtestuser2@adlab.qe) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ logout
 
[root@ibm-x3500m4-01 ~]# getent group ADLAB\\adgroup1
adgroup1@adlab.qe:*:1979001150:
 
[root@ibm-x3500m4-01 ~]# getent group ADLAB\\adgroup2
adgroup2@adlab.qe:*:1979001151: 

[root@ibm-x3500m4-01 ~]# kinit adtestuser2@ADLAB.QE
Password for adtestuser2@ADLAB.QE:

[root@ibm-x3500m4-01 ~]# ssh -K -l "adtestuser2@adlab.qe" `hostname`
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
                 This System is reserved by sgoveas@redhat.com.

 To return this system early. You can run the command: return2beaker.sh
  Ensure you have your logs off the system before returning to Beaker

 To extend your reservation time. You can run the command:
  extendtesttime.sh
 This is an interactive script. You will be prompted for how many
  hours you would like to extend the reservation.

 You should verify the watchdog was updated succesfully after
  you extend your reservation.
  https://beaker.engineering.redhat.com/recipes/768048

 For ssh, kvm, serial and power control operations please look here:
  https://beaker.engineering.redhat.com/view/ibm-x3500m4-01.rhts.eng.bos.redhat.com

      Beaker Test information:
                         HOSTNAME=ibm-x3500m4-01.rhts.eng.bos.redhat.com
                            JOBID=365230
                         RECIPEID=768048
                    RESULT_SERVER=127.0.0.1:7093
                           DISTRO=RHEL6.4-20130109.1
                     ARCHITECTURE=x86_64

      Job Whiteboard: RHEL 6.4 latest

      Recipe Whiteboard: 
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
Could not chdir to home directory /home/adlab.qe/adtestuser2: No such file or directory
-sh-4.1$ id
uid=1979001185(adtestuser2@adlab.qe) gid=1979001185(adtestuser2@adlab.qe) groups=1979001185(adtestuser2@adlab.qe),520800004(ad_users),1979000513(domain users@adlab.qe),1979001151(adgroup2@adlab.qe) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ logout

[root@ibm-x3500m4-01 ~]# getent group ADLAB\\adgroup1
adgroup1@adlab.qe:*:1979001150:adtestuser1@adlab.qe

[root@ibm-x3500m4-01 ~]# getent group ADLAB\\adgroup2
adgroup2@adlab.qe:*:1979001151:adtestuser2@adlab.qe,adtestuser1@adlab.qe

[root@ibm-x3500m4-01 ~]# rpm -qa | grep sssd
sssd-client-1.9.2-82.el6.x86_64
sssd-1.9.2-82.el6.x86_64

[root@ibm-x3500m4-01 ~]# rpm -qa | grep ipa-server
ipa-server-selinux-3.0.0-24.el6.x86_64
ipa-server-3.0.0-24.el6.x86_64
ipa-server-trust-ad-3.0.0-24.el6.x86_64
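A regression check for the behaviour shown in the description and verified in comment 4, added here as an editor's example (it is not code from the bug report, from SSSD or from FreeIPA): it parses id(1) and `getent group` output, reports expected AD groups that are missing from a user's supplementary group list, and cross-checks that every group listing the user in `getent group` also appears in `id` (and vice versa), which is exactly the inconsistency visible before the fix. The sample lines are constructed from the output quoted in comment 4; the expected group list is an assumption for illustration.

```python
import re

# Constructed samples, taken from the id(1) output quoted in comment 4:
# before the fix only the private group is listed, after the fix the
# secondary AD groups (and the IPA POSIX group mapped via the external
# group) are resolved as well.
ID_BEFORE = ("uid=1979001185(adtestuser2@adlab.qe) gid=1979001185(adtestuser2@adlab.qe) "
             "groups=1979001185(adtestuser2@adlab.qe)")
ID_AFTER = ("uid=1979001185(adtestuser2@adlab.qe) gid=1979001185(adtestuser2@adlab.qe) "
            "groups=1979001185(adtestuser2@adlab.qe),520800004(ad_users),"
            "1979000513(domain users@adlab.qe),1979001151(adgroup2@adlab.qe) "
            "context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")

# Constructed samples of `getent group` output (also from comment 4).
GETENT_AFTER = [
    "adgroup1@adlab.qe:*:1979001150:adtestuser1@adlab.qe",
    "adgroup2@adlab.qe:*:1979001151:adtestuser2@adlab.qe,adtestuser1@adlab.qe",
]

# Assumed list of groups the AD user is expected to be a member of (illustration only).
EXPECTED_GROUPS = ["domain users@adlab.qe", "adgroup2@adlab.qe", "ad_users"]

# The groups= field is a comma separated list of gid(name). Group names may
# contain spaces ("domain users@adlab.qe"), so match on the gid(...) shape
# rather than on whitespace.
GROUPS_FIELD_RE = re.compile(r"groups=((?:\d+\([^)]*\),?)+)")
GROUP_ENTRY_RE = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id_groups(id_output):
    """Return {gid: name} for every group in the groups= field of id(1) output."""
    m = GROUPS_FIELD_RE.search(id_output)
    if not m:
        return {}
    return {int(gid): name for gid, name in GROUP_ENTRY_RE.findall(m.group(1))}


def parse_getent_group(line):
    """Parse one `getent group` line: name:password:gid:member,member,..."""
    name, _password, gid, members = line.rstrip("\n").split(":", 3)
    return name, int(gid), [mbr for mbr in members.split(",") if mbr]


def missing_groups(id_output, expected):
    """Expected group names that do not appear in the user's id(1) output."""
    present = set(parse_id_groups(id_output).values())
    return sorted(set(expected) - present)


def membership_mismatches(user, id_output, getent_lines):
    """Groups where `getent group` and id(1) disagree about the user's membership.

    Returns (group name, gid, where the membership is visible) tuples; an empty
    list means both lookup paths agree.
    """
    id_gids = parse_id_groups(id_output)
    mismatches = []
    for line in getent_lines:
        name, gid, members = parse_getent_group(line)
        in_getent = user in members
        in_id = gid in id_gids
        if in_getent != in_id:
            mismatches.append((name, gid, "getent only" if in_getent else "id only"))
    return mismatches


if __name__ == "__main__":
    user = "adtestuser2@adlab.qe"
    for label, output in (("before fix", ID_BEFORE), ("after fix", ID_AFTER)):
        print(label, "missing:", missing_groups(output, EXPECTED_GROUPS))
        print(label, "mismatches:", membership_mismatches(user, output, GETENT_AFTER))
```

On a live system the same functions can be fed the output of `id <user>` and `getent group <group>` for each group the user should belong to; a non-empty result from either check after a cache flush (`sss_cache -E`) is the symptom this bug describes.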

Comment 5 errata-xmlrpc 2013-02-21 09:41:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html

