Bug 894068 - sss_cache doesn't support subdomains
Summary: sss_cache doesn't support subdomains
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-01-10 16:05 UTC by Jakub Hrozek
Modified: 2020-05-02 17:13 UTC (History)
5 users (show)

Fixed In Version: sssd-1.11.2-18.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 12:31:47 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 2783 0 None None None 2020-05-02 17:13:03 UTC

Description Jakub Hrozek 2013-01-10 16:05:33 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1741

Currently, the sss_cache tool only works for users from "native" domains, not for subdomains. We should fix that.

Comment 1 Jakub Hrozek 2013-01-10 16:10:41 UTC
To reproduce:

Get a setup with IPA and AD in a trust relationship.

Request a user from AD:
getent passwd aduser@ad-domain.com

Run:
sss_cache aduser@ad-domain.com

Actual Result:
No such user found

Expected Result:
The user would be found and invalidated.

Comment 2 Jakub Hrozek 2013-10-04 13:23:24 UTC
Temporarily moving bugs to MODIFIED to work around errata tool bug

Comment 4 Steeve Goveas 2013-11-26 09:28:52 UTC
[root@dhcp207-183 ~]# rpm -q sssd ipa-server
sssd-1.11.2-1.el7.x86_64
ipa-server-3.3.3-5.el7.x86_64

[root@dhcp207-183 ~]# ipa trust-add adtest.qe --type ad --admin administrator --password 
Active directory domain administrator's password: 
------------------------------------------
Re-established trust to domain "adtest.qe"
------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@dhcp207-183 ~]# getent passwd aduser2@adtest.qe
aduser2@adtest.qe:*:1148401281:1148401281:ads2 user:/:

[root@dhcp207-183 ~]# sss_cache aduser2@adtest.qe
Usage: sss_cache [-?EUGNSA] [-?|--help] [--usage] [-E|--everything] [-u|--user STRING] [-U|--users] [-g|--group STRING] [-G|--groups] [-n|--netgroup STRING] [-N|--netgroups] [-s|--service STRING]
        [-S|--services] [-a|--autofs-map STRING] [-A|--autofs-maps] [-d|--domain STRING]
Please select at least one object to invalidate

[root@dhcp207-183 ~]# getent passwd adnew1@pune.adtest.qe
adnew1@pune.adtest.qe:*:839001107:839001107:new user:/:

[root@dhcp207-183 ~]# sss_cache -u aduser2@adtest.qe
[root@dhcp207-183 ~]# echo $?
12

[root@dhcp207-183 ~]# sss_cache -u adnew1@pune.adtest.qe
[root@dhcp207-183 ~]# echo $?
12

Comment 6 Steeve Goveas 2014-01-16 07:09:05 UTC
[root@dhcp207-43 ~]# rpm -q sssd
sssd-1.11.2-23.el7.x86_64

[root@dhcp207-43 ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

[root@dhcp207-43 ~]# sss_cache -u aduser1@adtest.qe
No cache object matched the specified search

[root@dhcp207-43 ~]# getent passwd aduser1@adtest.qe
aduser1@adtest.qe:*:1148401313:1148401313:ads user:/:

[root@dhcp207-43 ~]# sss_cache -u aduser1@adtest.qe

[root@dhcp207-43 ~]# echo $?
0

[root@dhcp207-43 ~]# sss_cache -u adnew1@pune.adtest.qe
No cache object matched the specified search

[root@dhcp207-43 ~]# getent passwd adnew1@pune.adtest.qe
adnew1@pune.adtest.qe:*:839001107:839001107:new user:/:

[root@dhcp207-43 ~]# sss_cache -u adnew1@pune.adtest.qe

[root@dhcp207-43 ~]# echo $?
0

[root@dhcp207-43 ~]# sss_cache -g adgroup1@adtest.qe
No cache object matched the specified search

[root@dhcp207-43 ~]# getent group adgroup1@adtest.qe
adgroup1@adtest.qe:*:1148401449:

[root@dhcp207-43 ~]# sss_cache -g adgroup1@adtest.qe

[root@dhcp207-43 ~]# echo $?
0

[root@dhcp207-43 ~]# sss_cache -g pune_grp1@pune.adtest.qe
No cache object matched the specified search

[root@dhcp207-43 ~]# getent group pune_grp1@pune.adtest.qe
pune_grp1@pune.adtest.qe:*:839001109:

[root@dhcp207-43 ~]# sss_cache -g pune_grp1@pune.adtest.qe

[root@dhcp207-43 ~]# echo $?
0

Comment 7 Ludek Smid 2014-06-13 12:31:47 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.


Note You need to log in before you can comment on or make changes to this bug.