Description of problem:
In an IPA/AD Trust setup, I cannot see the IPA external group for the AD user. This is from this test (with slight differences to work from another test): https://fedoraproject.org/wiki/QA:Testcase_freeipav3_ad_hbac

[root@f19-1 ~]# ipa group-show --all ad_admins
  dn: cn=ad_admins,cn=groups,cn=accounts,dc=ipa,dc=example,dc=org
  Group name: ad_admins
  Description: ad.example.org admins
  GID: 1819800007
  Member groups: ad_admins_external
  ipantsecurityidentifier: S-1-5-21-1339028217-3206615778-3561301142-1007
  ipauniqueid: 93ff8042-a886-11e2-a644-0000c0a87abf
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, posixgroup, ipantgroupattrs
[root@f19-1 ~]# ipa group-show --all ad_admins_external
  dn: cn=ad_admins_external,cn=groups,cn=accounts,dc=ipa,dc=example,dc=org
  Group name: ad_admins_external
  Description: ad.example.org admins external map
  Member of groups: ad_admins
  External member: S-1-5-21-3234163150-1739635155-2110790787-512
  ipauniqueid: 88f8b95c-a886-11e2-8283-0000c0a87abf
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, ipaexternalgroup
[root@f19-1 ~]# wbinfo -s S-1-5-21-3234163150-1739635155-2110790787-512
AD\domain admins 2
[root@f19-1 ~]# wbinfo --group-info "AD\domain admins 2"
failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for group AD\domain admins 2
[root@f19-1 ~]# wbinfo --group-info "AD\domain admins"
AD\domain admins:4294967295:AD\administrator

-sh-4.2$ id
uid=1717600500(administrator.org) gid=1717600500(administrator.org) groups=1717600500(administrator.org),1717600512(domain admins.org),1717600513(domain users.org),1717600518(schema admins.org),1717600519(enterprise admins.org),1717600520(group policy creator owners.org) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Version-Release number of selected component (if applicable):
sssd-1.10.0-2.fc19.alpha1.x86_64
freeipa-server-3.2.0-0.2.beta1.fc19.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Setup IPA Server
2. Setup AD Server (2008r2 is what I saw this on)
3. Setup Trust
4. ipa group-add --external ext_ad_administrators --desc "AD.TEST Administrators"
5. ipa group-add-member ext_ad_administrators --external "AD\Domain Admins"
6. ipa group-add ad_administrators
7. ipa group-add-member ad_administrators --group ext_ad_administrators
8. id administrator.org

Actual results:
does not list ad_administrators

Expected results:
should list ad_administrators

Additional info:
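The check behind step 8, as an added example that is not part of the report, FreeIPA or SSSD: it parses `id` output (group names can contain spaces), follows the IPA POSIX group -> external group -> SID chain from the `ipa group-show` output quoted above, and reports which mapped POSIX groups are missing for a user holding a given AD group SID. The IPA group records and the "after fix" `id` line are constructed from the report's data; the user's AD SIDs are assumed to be known from the AD side.

```python
"""Verify that an AD user's `id` output carries the IPA POSIX groups that
are mapped to it through an IPA external group. Added example for this bug
report, not FreeIPA/SSSD code."""
import re

# Constructed from the `ipa group-show --all` output quoted in the report.
IPA_GROUPS = {
    "ad_admins": {"posix": True, "members": ["ad_admins_external"], "external": []},
    "ad_admins_external": {"posix": False, "members": [],
                           "external": ["S-1-5-21-3234163150-1739635155-2110790787-512"]},
}

# `id` output quoted in the report (before the fix) and a constructed variant
# with the mapped POSIX group present (what a fixed sssd should print).
ID_BEFORE = ("uid=1717600500(administrator.org) gid=1717600500(administrator.org) "
             "groups=1717600500(administrator.org),1717600512(domain admins.org),"
             "1717600513(domain users.org),1717600518(schema admins.org) "
             "context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")
ID_AFTER = ID_BEFORE.replace(" context=", ",1819800007(ad_admins) context=")

# SIDs of the AD groups the user belongs to (assumed input; the report resolves
# RID 512 of this domain SID to "AD\domain admins" with wbinfo -s).
USER_SIDS = {"S-1-5-21-3234163150-1739635155-2110790787-512"}


def parse_id_groups(output):
    """Return {name: gid} for the groups= field; names may contain spaces."""
    m = re.search(r"groups=(.*?)(?:\s+context=|$)", output)
    field = m.group(1) if m else ""
    return {name: int(gid) for gid, name in re.findall(r"(\d+)\(([^)]*)\)", field)}


def external_sids(group, groups, seen=None):
    """Collect external SIDs reachable from `group` through nested member groups."""
    seen = set() if seen is None else seen
    if group in seen or group not in groups:
        return set()
    seen.add(group)
    sids = set(groups[group]["external"])
    for child in groups[group]["members"]:
        sids |= external_sids(child, groups, seen)
    return sids


def expected_posix_groups(groups, user_sids):
    """POSIX groups that should show up for a user holding any of user_sids."""
    return {g for g, rec in groups.items()
            if rec["posix"] and external_sids(g, groups) & user_sids}


def missing_groups(id_output, groups=IPA_GROUPS, user_sids=USER_SIDS):
    """Mapped POSIX groups absent from the user's `id` output (empty list = OK)."""
    return sorted(expected_posix_groups(groups, user_sids) - set(parse_id_groups(id_output)))
```

Running `missing_groups` on the report's `id` line names the group that sssd failed to resolve; on the constructed post-fix line it returns an empty list.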
Scott, to eliminate one possible cause, could you please try building freeipa 3.2.0 on Fedora 18 with Kerberos 1.10 and reproduce the issue there?
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3579
Upstream ticket: https://fedorahosted.org/sssd/ticket/1888
rpm with test fix appears to work:

[root@f19-1 sssdtest]# systemctl stop sssd.service
[root@f19-1 sssdtest]# rm -rf /var/lib/sss/{mc,db}/*
[root@f19-1 sssdtest]# systemctl start sssd.service
[root@f19-1 sssdtest]# id Administrator.org
uid=1717600500(administrator.org) gid=1717600500(administrator.org) groups=1717600500(administrator.org)
[root@f19-1 sssdtest]# ipa group-add --external ext_ad_administrators --desc "AD.TEST Administrators"
-----------------------------------
Added group "ext_ad_administrators"
-----------------------------------
  Group name: ext_ad_administrators
  Description: AD.TEST Administrators
[root@f19-1 sssdtest]# ipa group-add-member ext_ad_administrators --external "AD\Domain Admins"
[member user]:
[member group]:
  Group name: ext_ad_administrators
  Description: AD.TEST Administrators
  External member: S-1-5-21-3234163150-1739635155-2110790787-512
-------------------------
Number of members added 1
-------------------------
[root@f19-1 sssdtest]# ipa group-add ad_administrators
Description: AD.TEST Administrators
-------------------------------
Added group "ad_administrators"
-------------------------------
  Group name: ad_administrators
  Description: AD.TEST Administrators
  GID: 1819800011
[root@f19-1 sssdtest]# ipa group-add-member ad_administrators --group ext_ad_administrators
  Group name: ad_administrators
  Description: AD.TEST Administrators
  GID: 1819800011
  Member groups: ext_ad_administrators
-------------------------
Number of members added 1
-------------------------
[root@f19-1 sssdtest]# ssh -l Administrator.org f19-1.ipa.example.org
Administrator.org.example.org's password:
Last login: Fri Apr 19 13:09:18 2013 from f19-1.ipa.example.org
-sh-4.2$ id
uid=1717600500(administrator.org) gid=1717600500(administrator.org) groups=1717600500(administrator.org),1717600512(domain admins.org),1717600513(domain users.org),1717600518(schema admins.org),1717600519(enterprise admins.org),1717600520(group policy creator owners.org),1819800011(ad_administrators) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.2$
sssd-1.10.0-3.fc19.beta1 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/sssd-1.10.0-3.fc19.beta1
Package sssd-1.10.0-3.fc19.beta1:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.10.0-3.fc19.beta1'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-7450/sssd-1.10.0-3.fc19.beta1
then log in and leave karma (feedback).
sssd-1.10.0-4.fc19.beta1 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/sssd-1.10.0-4.fc19.beta1
[root@f19-1 log]# ssh -l Administrator.org f19-1.ipa.example.org
Administrator.org.example.org's password:
Could not chdir to home directory /home/ad.example.org/administrator: No such file or directory
-sh-4.2$ id
uid=1717600500(administrator.org) gid=1717600500(administrator.org) groups=1717600500(administrator.org),1473200004(ad_administrators),1717600512(domain admins.org),1717600513(domain users.org),1717600518(schema admins.org),1717600519(enterprise admins.org),1717600520(group policy creator owners.org) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.2$ rpm -q sssd
sssd-1.10.0-4.fc19.beta1.x86_64

Tested successfully and karma given.
sssd-1.10.0-3.fc19.beta1 has been pushed to the Fedora 19 obsolete repository. If problems still persist, please make note of it in this bug report.