Bug 953944 - freeipa 3.2 trusted ad user not listed in external group
Summary: freeipa 3.2 trusted ad user not listed in external group
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: sssd
Version: 19
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jakub Hrozek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-04-19 15:25 UTC by Scott Poore
Modified: 2020-05-02 17:20 UTC (History)

Fixed In Version: sssd-1.10.0-3.fc19.beta1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-05-15 17:29:33 UTC
Type: Bug
Embargoed:




Links
  System: Github SSSD sssd issues 2930
  Private: 0
  Priority: None
  Status: closed
  Summary: freeipa 3.2 trusted ad user not listed in external group
  Last Updated: 2020-05-02 17:20:12 UTC

Description Scott Poore 2013-04-19 15:25:17 UTC
Description of problem:

In an IPA/AD Trust setup, I cannot see the IPA external group for the AD user.

This is from this test (with slight differences to work from another test):

https://fedoraproject.org/wiki/QA:Testcase_freeipav3_ad_hbac

[root@f19-1 ~]# ipa group-show --all ad_admins
  dn: cn=ad_admins,cn=groups,cn=accounts,dc=ipa,dc=example,dc=org
  Group name: ad_admins
  Description: ad.example.org admins
  GID: 1819800007
  Member groups: ad_admins_external
  ipantsecurityidentifier: S-1-5-21-1339028217-3206615778-3561301142-1007
  ipauniqueid: 93ff8042-a886-11e2-a644-0000c0a87abf
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, posixgroup, ipantgroupattrs

[root@f19-1 ~]# ipa group-show --all ad_admins_external
  dn: cn=ad_admins_external,cn=groups,cn=accounts,dc=ipa,dc=example,dc=org
  Group name: ad_admins_external
  Description: ad.example.org  admins external map
  Member of groups: ad_admins
  External member: S-1-5-21-3234163150-1739635155-2110790787-512
  ipauniqueid: 88f8b95c-a886-11e2-8283-0000c0a87abf
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, ipaexternalgroup

[root@f19-1 ~]# wbinfo -s S-1-5-21-3234163150-1739635155-2110790787-512
AD\domain admins 2
[root@f19-1 ~]# wbinfo --group-info "AD\domain admins 2"
failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for group AD\domain admins 2

[root@f19-1 ~]# wbinfo --group-info "AD\domain admins"
AD\domain admins:4294967295:AD\administrator

-sh-4.2$ id
uid=1717600500(administrator.org) gid=1717600500(administrator.org) groups=1717600500(administrator.org),1717600512(domain admins.org),1717600513(domain users.org),1717600518(schema admins.org),1717600519(enterprise admins.org),1717600520(group policy creator owners.org) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023


Version-Release number of selected component (if applicable):
sssd-1.10.0-2.fc19.alpha1.x86_64
freeipa-server-3.2.0-0.2.beta1.fc19.x86_64

How reproducible:
Always

Steps to Reproduce:
1.  Setup IPA Server
2.  Setup AD Server (2008r2 is what I saw this on)
3.  Setup Trust
4.  ipa group-add --external ext_ad_administrators --desc "AD.TEST Administrators"
5.  ipa group-add-member ext_ad_administrators --external "AD\Domain Admins"
6.  ipa group-add ad_administrators
7.  ipa group-add-member ad_administrators --group ext_ad_administrators
8.  id administrator.org

Actual results:
does not list ad_administrators

Expected results:
should list ad_administrators

Additional info:

Comment 1 Alexander Bokovoy 2013-04-19 15:32:26 UTC
Scott, to eliminate one possible cause, could you please try building freeipa 3.2.0 on Fedora 18 with Kerberos 1.10 and reproduce the issue there?

Comment 2 Rob Crittenden 2013-04-19 15:48:08 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3579

Comment 3 Jakub Hrozek 2013-04-19 16:43:04 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1888

Comment 4 Scott Poore 2013-04-19 18:17:06 UTC
rpm with test fix appears to work:

[root@f19-1 sssdtest]# systemctl stop sssd.service

[root@f19-1 sssdtest]# rm -rf /var/lib/sss/{mc,db}/*

[root@f19-1 sssdtest]# systemctl start sssd.service

[root@f19-1 sssdtest]# id Administrator.org
uid=1717600500(administrator.org) gid=1717600500(administrator.org) groups=1717600500(administrator.org)

[root@f19-1 sssdtest]# ipa group-add --external ext_ad_administrators --desc "AD.TEST Administrators"
-----------------------------------
Added group "ext_ad_administrators"
-----------------------------------
  Group name: ext_ad_administrators
  Description: AD.TEST Administrators

[root@f19-1 sssdtest]# ipa group-add-member ext_ad_administrators --external "AD\Domain Admins"
[member user]: 
[member group]: 
  Group name: ext_ad_administrators
  Description: AD.TEST Administrators
  External member: S-1-5-21-3234163150-1739635155-2110790787-512
-------------------------
Number of members added 1
-------------------------

[root@f19-1 sssdtest]# ipa group-add ad_administrators
Description: AD.TEST Administrators
-------------------------------
Added group "ad_administrators"
-------------------------------
  Group name: ad_administrators
  Description: AD.TEST Administrators
  GID: 1819800011

[root@f19-1 sssdtest]# ipa group-add-member ad_administrators --group ext_ad_administrators
  Group name: ad_administrators
  Description: AD.TEST Administrators
  GID: 1819800011
  Member groups: ext_ad_administrators
-------------------------
Number of members added 1
-------------------------

[root@f19-1 sssdtest]# ssh -l Administrator.org f19-1.ipa.example.org
Administrator.org.example.org's password: 
Last login: Fri Apr 19 13:09:18 2013 from f19-1.ipa.example.org

-sh-4.2$ id
uid=1717600500(administrator.org) gid=1717600500(administrator.org) groups=1717600500(administrator.org),1717600512(domain admins.org),1717600513(domain users.org),1717600518(schema admins.org),1717600519(enterprise admins.org),1717600520(group policy creator owners.org),1819800011(ad_administrators) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-sh-4.2$
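
The check behind the "Steps to Reproduce" in the description and the re-test in Comment 4 is the same each time: the external group (ipaexternalgroup) holds the AD SID, the POSIX group it is nested in ("Member of groups") is what must show up in the user's `id` output. The script below is an added example written for this page, not code from the bug report, SSSD or FreeIPA. It parses the `ipa group-show --all` and `id` text in the form shown in the report (the sample strings are copied from the report), and its live mode assumes a host with `ipa` and `id` on PATH and a valid IPA admin ticket; the RID check assumes SSSD's default algorithmic ID mapping.

```python
"""Verify that a trusted AD user resolves to the IPA POSIX group that wraps
an external group.  Added example for this page (not SSSD/FreeIPA code): it
parses `ipa group-show --all` and `id` output as printed in the report."""
import re
import subprocess
import sys
from typing import Dict, List

# Copied from the report: `id` before the fix (Description), after the fix
# (Comment 4), and `ipa group-show --all ad_admins_external`.
ID_BEFORE = ("uid=1717600500(administrator.org) gid=1717600500(administrator.org) "
             "groups=1717600500(administrator.org),1717600512(domain admins.org),"
             "1717600513(domain users.org),1717600518(schema admins.org),"
             "1717600519(enterprise admins.org),1717600520(group policy creator owners.org) "
             "context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")
ID_AFTER = ("uid=1717600500(administrator.org) gid=1717600500(administrator.org) "
            "groups=1717600500(administrator.org),1717600512(domain admins.org),"
            "1717600513(domain users.org),1717600518(schema admins.org),"
            "1717600519(enterprise admins.org),1717600520(group policy creator owners.org),"
            "1819800011(ad_administrators) "
            "context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")
EXT_GROUP_SHOW = """\
  dn: cn=ad_admins_external,cn=groups,cn=accounts,dc=ipa,dc=example,dc=org
  Group name: ad_admins_external
  Description: ad.example.org  admins external map
  Member of groups: ad_admins
  External member: S-1-5-21-3234163150-1739635155-2110790787-512
  ipauniqueid: 88f8b95c-a886-11e2-8283-0000c0a87abf
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, ipaexternalgroup
"""

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
GROUP_RE = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id_output(text: str) -> Dict[str, int]:
    """Map group name -> gid from the groups= field of `id` output.
    Names may contain spaces ('domain admins.org'), so match the gid(name)
    pattern instead of splitting on whitespace."""
    start = text.find("groups=")
    if start < 0:
        return {}
    seg = text[start + len("groups="):]
    end = seg.find(" context=")  # SELinux context follows on enforcing hosts
    if end >= 0:
        seg = seg[:end]
    return {name: int(gid) for gid, name in GROUP_RE.findall(seg)}


def parse_group_show(text: str) -> Dict[str, List[str]]:
    """Turn `ipa group-show --all` output into {attribute: [values]}.
    Multi-valued attributes are printed comma-space separated; the dn uses
    bare commas, so it stays one value."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        attrs[key.strip()] = [v.strip() for v in value.split(", ") if v.strip()]
    return attrs


def external_sids(group_show_text: str) -> List[str]:
    """External members of an ipaexternalgroup, validated as SIDs."""
    sids = parse_group_show(group_show_text).get("External member", [])
    bad = [s for s in sids if not SID_RE.match(s)]
    if bad:
        raise ValueError(f"not a SID: {bad}")
    return sids


def rid(sid: str) -> int:
    """Relative identifier, the last SID component (512 is Domain Admins).
    With SSSD's default ID mapping the gid is range base + RID, which is
    why 'domain admins.org' shows up as 1717600512 in the report."""
    return int(sid.rsplit("-", 1)[1])


def expected_posix_groups(group_show_text: str) -> List[str]:
    """POSIX groups the external group is nested in ('Member of groups').
    These, not the external group itself, must appear in `id` output."""
    return parse_group_show(group_show_text).get("Member of groups", [])


def missing_groups(id_text: str, expected: List[str]) -> List[str]:
    """Expected IPA groups absent from the user's resolved group list."""
    have = parse_id_output(id_text)
    return [g for g in expected if g not in have]


def check_live(user: str, ext_group: str) -> List[str]:
    """Run the check on a real host (assumes `ipa` and `id` on PATH and a
    Kerberos ticket for an IPA admin).  Returns the missing groups."""
    show = subprocess.run(["ipa", "group-show", "--all", ext_group],
                          check=True, capture_output=True, text=True).stdout
    ident = subprocess.run(["id", user], check=True,
                           capture_output=True, text=True).stdout
    return missing_groups(ident, expected_posix_groups(show))


if __name__ == "__main__":
    # Usage: python3 check_ext_group.py <ad_user> <ipa_external_group>
    missing = check_live(sys.argv[1], sys.argv[2])
    print("OK" if not missing else f"missing groups: {missing}")
    sys.exit(1 if missing else 0)
```

Run it after the cache flush shown in Comment 4 (stop sssd, clear /var/lib/sss/{mc,db}, start sssd); a stale cache will otherwise reproduce the pre-fix `id` output even on a fixed sssd package.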

Comment 5 Fedora Update System 2013-05-05 14:45:00 UTC
sssd-1.10.0-3.fc19.beta1 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/sssd-1.10.0-3.fc19.beta1

Comment 6 Fedora Update System 2013-05-05 17:10:23 UTC
Package sssd-1.10.0-3.fc19.beta1:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.10.0-3.fc19.beta1'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-7450/sssd-1.10.0-3.fc19.beta1
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2013-05-07 14:37:28 UTC
sssd-1.10.0-4.fc19.beta1 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/sssd-1.10.0-4.fc19.beta1

Comment 8 Scott Poore 2013-05-10 20:45:13 UTC
[root@f19-1 log]# ssh -l Administrator.org f19-1.ipa.example.org
Administrator.org.example.org's password: 
Could not chdir to home directory /home/ad.example.org/administrator: No such file or directory

-sh-4.2$ id
uid=1717600500(administrator.org) gid=1717600500(administrator.org) groups=1717600500(administrator.org),1473200004(ad_administrators),1717600512(domain admins.org),1717600513(domain users.org),1717600518(schema admins.org),1717600519(enterprise admins.org),1717600520(group policy creator owners.org) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-sh-4.2$ rpm -q sssd
sssd-1.10.0-4.fc19.beta1.x86_64

Tested successfully and karma given.

Comment 9 Fedora Update System 2013-05-15 17:29:33 UTC
sssd-1.10.0-3.fc19.beta1 has been pushed to the Fedora 19 obsolete repository.  If problems still persist, please make note of it in this bug report.

