894068 – sss_cache doesn't support subdomains

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 894068 - sss_cache doesn't support subdomains

Summary: sss_cache doesn't support subdomains

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Jakub Hrozek
QA Contact:	Kaushik Banerjee
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-01-10 16:05 UTC by Jakub Hrozek
Modified:	2020-05-02 17:13 UTC (History)
CC List:	5 users (show)
Fixed In Version:	sssd-1.11.2-18.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-06-13 12:31:47 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 2783	0	None	None	None	2020-05-02 17:13:03 UTC

Description Jakub Hrozek 2013-01-10 16:05:33 UTC

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1741

Currently, the sss_cache tool only works for users from "native" domains, not for subdomains. We should fix that.

Comment 1 Jakub Hrozek 2013-01-10 16:10:41 UTC

To reproduce:

Get a setup with IPA and AD in a trust relationship.

Request a user from AD:
getent passwd aduser

Run:
sss_cache aduser

Actual Result:
No such user found

Expected Result:
The user would be found and invalidated.

Comment 2 Jakub Hrozek 2013-10-04 13:23:24 UTC

Temporarily moving bugs to MODIFIED to work around errata tool bug

Comment 4 Steeve Goveas 2013-11-26 09:28:52 UTC

[root@dhcp207-183 ~]# rpm -q sssd ipa-server
sssd-1.11.2-1.el7.x86_64
ipa-server-3.3.3-5.el7.x86_64

[root@dhcp207-183 ~]# ipa trust-add adtest.qe --type ad --admin administrator --password 
Active directory domain administrator's password: 
------------------------------------------
Re-established trust to domain "adtest.qe"
------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@dhcp207-183 ~]# getent passwd aduser2
aduser2:*:1148401281:1148401281:ads2 user:/:

[root@dhcp207-183 ~]# sss_cache aduser2
Usage: sss_cache [-?EUGNSA] [-?|--help] [--usage] [-E|--everything] [-u|--user STRING] [-U|--users] [-g|--group STRING] [-G|--groups] [-n|--netgroup STRING] [-N|--netgroups] [-s|--service STRING]
        [-S|--services] [-a|--autofs-map STRING] [-A|--autofs-maps] [-d|--domain STRING]
Please select at least one object to invalidate

[root@dhcp207-183 ~]# getent passwd adnew1.qe
adnew1.qe:*:839001107:839001107:new user:/:

[root@dhcp207-183 ~]# sss_cache -u aduser2
[root@dhcp207-183 ~]# echo $?
12

[root@dhcp207-183 ~]# sss_cache -u adnew1.qe
[root@dhcp207-183 ~]# echo $?
12

Comment 6 Steeve Goveas 2014-01-16 07:09:05 UTC

[root@dhcp207-43 ~]# rpm -q sssd
sssd-1.11.2-23.el7.x86_64

[root@dhcp207-43 ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

[root@dhcp207-43 ~]# sss_cache -u aduser1
No cache object matched the specified search

[root@dhcp207-43 ~]# getent passwd aduser1
aduser1:*:1148401313:1148401313:ads user:/:

[root@dhcp207-43 ~]# sss_cache -u aduser1

[root@dhcp207-43 ~]# echo $?
0

[root@dhcp207-43 ~]# sss_cache -u adnew1.qe
No cache object matched the specified search

[root@dhcp207-43 ~]# getent passwd adnew1.qe
adnew1.qe:*:839001107:839001107:new user:/:

[root@dhcp207-43 ~]# sss_cache -u adnew1.qe

[root@dhcp207-43 ~]# echo $?
0

[root@dhcp207-43 ~]# sss_cache -g adgroup1
No cache object matched the specified search

[root@dhcp207-43 ~]# getent group adgroup1
adgroup1:*:1148401449:

[root@dhcp207-43 ~]# sss_cache -g adgroup1

[root@dhcp207-43 ~]# echo $?
0

[root@dhcp207-43 ~]# sss_cache -g pune_grp1.qe
No cache object matched the specified search

[root@dhcp207-43 ~]# getent group pune_grp1.qe
pune_grp1.qe:*:839001109:

[root@dhcp207-43 ~]# sss_cache -g pune_grp1.qe

[root@dhcp207-43 ~]# echo $?
0

Comment 7 Ludek Smid 2014-06-13 12:31:47 UTC

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.