Bug 969883 - [RFE] Support of forests in the AD provider
Summary: [RFE] Support of forests in the AD provider
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
Depends On:
Reported: 2013-06-02 21:58 UTC by Dmitri Pal
Modified: 2020-05-02 17:00 UTC (History)

Fixed In Version: sssd-1.10.0-10.el7.beta2
Doc Type: Enhancement
Doc Text:
Feature: The SSSD is able to retrieve information about, and authenticate, users from Active Directory's trusted domains within a single forest. Reason: This is expected functionality in large AD environments, especially geographically distributed ones with multiple domains. Result (if any): By using a fully-qualified user or group name (for example Administrator@trusted.domain), the SSSD is able to serve users and groups from trusted domains in a similar fashion to the local domain.
Clone Of:
Last Closed: 2014-06-13 13:31:32 UTC
Target Upstream Version:


External trackers (system, ID, status, summary, last updated):
  Github SSSD sssd issues 1406, closed: [RFE] Recognize trusted domains in AD provider (2020-10-28 15:54:14 UTC)
  Github SSSD sssd issues 2599, closed: [RFE] Use the Global Catalog in SSSD for the AD provider (2020-10-28 15:54:14 UTC)
  Github SSSD sssd issues 2600, closed: [RFE] Use MS-PAC to retrieve user's group list (2020-10-28 15:54:15 UTC)

Description Dmitri Pal 2013-06-02 21:58:32 UTC
This bug is created as a clone of upstream ticket:

This ticket changed its shape.
The CIFS client and server side tickets have been forked out as separate tickets.

The scope of this ticket is reduced to: the AD provider must support trusted domains in a similar way to how the IPA provider does it.

Comment 1 Jakub Hrozek 2013-06-06 09:48:01 UTC
Upstream ticket:

Comment 2 Jakub Hrozek 2013-06-06 09:58:51 UTC
Upstream ticket:

Comment 3 Jakub Hrozek 2013-06-06 22:32:04 UTC
Fixed upstream.

Comment 4 Colin.Simpson 2013-07-13 01:49:15 UTC
Did this make it into F19 sssd-ad-1.10.0-16.fc19?

This doesn't seem to work on F19, so I presume it's not there yet?

Or I'm not sure this bz covers user lookup in trusted AD domains (RFC2307 attributes throughout the forest).

Comment 5 Jakub Hrozek 2013-07-15 08:48:37 UTC
The feature is in 1.10. I must say we haven't really tested the trusted domains with RFC2307 attributes much, but mostly ID-mapped SIDs. Can you describe your scenario in more detail? Does SSSD simply not see the users?

A couple of caveats to think about:
 * only trusted domains from the same forest are recognized
 * you need to query the users using a fully qualified name (user or trusted\\user)
 * in order to leverage POSIX attributes and not ID mapping, you need to set ldap_id_mapping=False in sssd.conf in the domain section.

Feel free to start a thread on the sssd-users list as well.
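
The following is an added example, not SSSD code and not from anyone on this bug. It models the two caveats above that a practitioner trips over most often: which fully-qualified name forms are accepted (DOMAIN\user and user@domain, the two alternatives of the AD provider's documented default re_expression in sssd.conf(5); SSSD expresses them as one PCRE alternation with duplicate group names, which Python's re module rejects, so they are split into separate patterns here), and how ldap_id_mapping in the domain section decides between POSIX attributes and SID-based ID mapping. The forest map (DNS name to flatname), the sample sssd.conf and the simplified simple_allow_users matching are constructed for illustration; how SSSD itself qualifies unqualified entries in simple_allow_users is described in sssd-simple(5), not modelled here.

```python
"""Added example: parse SSSD-style fully-qualified AD names, resolve them
against a single forest, and read the ldap_id_mapping / simple_allow_users
settings from a constructed sssd.conf. Not SSSD's own code."""
import configparser
import re

# The three alternatives of the AD provider's default re_expression, in the
# same order SSSD tries them. Python's re forbids reusing a group name, so
# the single PCRE alternation from sssd.conf(5) becomes three patterns.
_NAME_FORMS = (
    re.compile(r"^(?P<domain>[^\\]+)\\(?P<name>.+)$"),  # DOMAIN\user
    re.compile(r"^(?P<name>[^@]+)@(?P<domain>.+)$"),    # user@domain
    re.compile(r"^(?P<name>[^@\\]+)$"),                 # bare user
)

# Constructed forest: DNS domain name -> flatname (NetBIOS name). Only domains
# listed here are "in the forest"; anything else is unknown to this client.
FOREST = {
    "example.com": "EXAMPLE",
    "child1.example.com": "CHILD1",
    "trusted.example.com": "TRUSTED",
}

# Constructed sssd.conf. ldap_id_mapping defaults to True for id_provider=ad,
# so it must be set to False explicitly to use the RFC2307 POSIX attributes.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
access_provider = simple
simple_allow_users = admin1@trusted.example.com, CHILD1\\operator
ldap_id_mapping = False
"""


def parse_name(fqname):
    """Return (name, domain); domain is None for an unqualified name."""
    for pat in _NAME_FORMS:
        m = pat.match(fqname)
        if m:
            return m.group("name"), m.groupdict().get("domain")
    raise ValueError(f"not a valid SSSD user name: {fqname!r}")


def resolve_domain(domain, local_domain):
    """Map a DNS name or flatname to the forest's DNS name, or None if the
    domain is not part of this forest (SSSD cannot serve such users)."""
    if domain is None:
        return local_domain
    wanted = domain.lower()
    if wanted in FOREST:
        return wanted
    for dns_name, flatname in FOREST.items():
        if flatname.lower() == wanted:
            return dns_name
    return None


def _domain_section(conf_text, local_domain):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp[f"domain/{local_domain}"]


def uses_posix_attributes(conf_text, local_domain):
    """True when ldap_id_mapping is False, i.e. uidNumber/gidNumber from AD
    are used instead of IDs derived from SIDs."""
    sec = _domain_section(conf_text, local_domain)
    return not sec.getboolean("ldap_id_mapping", fallback=True)


def simple_allow_users_permits(allow_list, name, dns_domain, local_domain):
    """Simplified model: every entry is parsed like a lookup name; an
    unqualified entry is taken to mean the local domain (assumption)."""
    for entry in (e.strip() for e in allow_list.split(",")):
        if not entry:
            continue
        entry_name, entry_domain = parse_name(entry)
        if (resolve_domain(entry_domain, local_domain) == dns_domain
                and entry_name.lower() == name.lower()):
            return True
    return False


def check_access(conf_text, local_domain, fqname):
    """'allow', 'deny', or 'unknown-domain' for a user outside the forest."""
    name, domain = parse_name(fqname)
    dns_domain = resolve_domain(domain, local_domain)
    if dns_domain is None:
        return "unknown-domain"
    allow = _domain_section(conf_text, local_domain).get("simple_allow_users", "")
    if simple_allow_users_permits(allow, name, dns_domain, local_domain):
        return "allow"
    return "deny"


if __name__ == "__main__":
    for who in ("admin1@trusted.example.com", "CHILD1\\operator",
                "TRUSTED\\someone", "bob", "x@other.org"):
        print(f"{who:30} -> {check_access(SAMPLE_SSSD_CONF, 'example.com', who)}")
    print("POSIX attributes:", uses_posix_attributes(SAMPLE_SSSD_CONF, "example.com"))
```

Running it shows the two qualified entries being allowed whether written with the flatname or the DNS name, an unqualified name landing in the local domain, and a user from a domain outside the forest being rejected before any access rule is consulted, which is the first caveat above.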

Comment 6 Jakub Hrozek 2013-10-04 13:25:40 UTC
Temporarily moving bugs to MODIFIED to work around errata tool bug

Comment 8 Kaushik Banerjee 2014-01-20 11:36:36 UTC
Marking as verified in 1.11.2-27.el7

Report from beaker job run:

   [   PASS   ]      ad_forest_01  bz 1002592 1033096 969882 Lookup users and groups
   [   PASS   ]      ad_forest_02  bz 1002597 User and group memberships from different domains
   [   FAIL   ]      ad_forest_03  bz 1028039 Enumerate users and groups
   [   PASS   ]      ad_forest_04  bz 969882 Use flatname in the fully qualified format
   [   PASS   ]      ad_forest_05  bz 1053106 subdomain do not inherit fallbacks and overrides settings
   [   PASS   ]      ad_forest_auth_01  Auth users from all domains
   [   PASS   ]      ad_forest_auth_02  change password for all users from all domains
   [   PASS   ]      ad_forest_auth_03  bz 924404 support of enterprise principals
   [   PASS   ]      ad_access_filter  Add users and groups
   [   PASS   ]      ad_access_filter_01  access_provider defaults to ad
   [   PASS   ]      ad_access_filter_02  access_provider=ad without any other options denies expired users
   [   PASS   ]      ad_access_filter_03  An expired user, even though he matches the filter, is denied access
   [   PASS   ]      ad_access_filter_04  access_provider=ad without any other options allows non-expired users
   [   PASS   ]      ad_access_filter_05  ad_access_filter=memberOf=cn=admins,ou=groups,dc=example,dc=com
   [   PASS   ]      ad_access_filter_06  ad_access_filter=(cn=user)
   [   PASS   ]      ad_access_filter_07  ad_access_filter=dom1 (memberOf=cn=admins,ou=groups,dc=example,dc=com)
   [   PASS   ]      ad_access_filter_08  ad_access_filter=DOM dom2 (memberOf=cn=admins,ou=groups,dc=example,dc=com)
   [   PASS   ]      ad_access_filter_09  bz 1032983 ad_access_filter=FOREST EXAMPLE.COM (memberOf=cn=admins,ou=groups,dc=example,dc=com)
   [   PASS   ]      ad_access_filter_10  bz 1033133 invalid ad_access_filter
   [   PASS   ]      ad_forest_simple_001  simple_allow_users=user1
   [   PASS   ]      ad_forest_simple_002  bz 991055 simple_allow_users=user1,user2,user3.com
   [   PASS   ]      ad_forest_simple_003  bz 1048102 simple_allow_users=DOMAIN1\user1,DOMAIN2\user2,CHILD1.DOMAIN1\user3
   [   PASS   ]      ad_forest_simple_004  simple_deny_users=user2,user3.com
   [   PASS   ]      ad_forest_simple_005  simple_allow_groups=group1,group2,group3.com
   [   PASS   ]      ad_forest_simple_006  simple_allow_groups=DOMAIN\group
   [   PASS   ]      ad_forest_simple_007  bz 982619 simple_deny_groups=group1
   [   PASS   ]      ad_forest_simple_008  Permit All Users
   [   PASS   ]      ad_forest_simple_09  Deny All Users

Comment 9 Ludek Smid 2014-06-13 13:31:32 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
