Bug 969883 - [RFE] Support of forests in the AD provider
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Jakub Hrozek
QA Contact: Kaushik Banerjee
Keywords: FutureFeature
Depends On:
Blocks:
Reported: 2013-06-02 17:58 EDT by Dmitri Pal
Modified: 2014-06-18 00:02 EDT (History)

See Also:
Fixed In Version: sssd-1.10.0-10.el7.beta2
Doc Type: Enhancement
Doc Text:
Feature: The SSSD is able to retrieve information about, and authenticate, users from Active Directory's trusted domains within a single forest.
Reason: This is expected functionality in large AD environments, especially geographically distributed ones with multiple domains.
Result (if any): By using a fully qualified user or group name (Administrator@trusted.domain), the SSSD is able to serve users and groups from trusted domains in a similar fashion to the local domain.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 09:31:32 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Dmitri Pal 2013-06-02 17:58:32 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/364

This ticket changed its shape.
The CIFS client and server side tickets have been forked out as separate tickets.
https://fedorahosted.org/sssd/ticket/1534
https://fedorahosted.org/sssd/ticket/1573

The scope of this ticket is reduced to: the AD provider must support trusted domains in a similar way to how the IPA provider does it.
Comment 1 Jakub Hrozek 2013-06-06 05:48:01 EDT
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1557
Comment 2 Jakub Hrozek 2013-06-06 05:58:51 EDT
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1558
Comment 3 Jakub Hrozek 2013-06-06 18:32:04 EDT
Fixed upstream.
Comment 4 Colin.Simpson 2013-07-12 21:49:15 EDT
Did this make it into F19 sssd-ad-1.10.0-16.fc19 ?

As this doesn't seem to work on F19, I presume it's not there yet?

Or I'm not sure this bz covers user lookup in trusted AD domains (RFC2307 attributes throughout the forest).
Comment 5 Jakub Hrozek 2013-07-15 04:48:37 EDT
The feature is in 1.10. I must say we haven't really tested the trusted domains with RFC2307 attributes much, but mostly ID-mapped SIDs. Can you describe your scenario in more detail? Does SSSD simply not see the users?

A couple of caveats to think about:
 * only trusted domains from the same forest are recognized
 * you need to query the users using a fully qualified name (user@trusted.domain or trusted\\user)
 * in order to leverage POSIX attributes and not ID mapping, you need to set ldap_id_mapping=False in the sssd.conf in the domain section.

Feel free to start a thread on the sssd-users list as well.
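As an added example (not part of the bug report and not SSSD's own code), the following Python script audits a `[domain/...]` section of sssd.conf for the two caveats in the comment above: `ldap_id_mapping` must be explicitly `False` for the forest's POSIX (RFC2307) attributes to be used instead of ID-mapped SIDs, and any `simple_allow_*`/`simple_deny_*` entries must name users and groups in one of the two fully qualified forms (`user@domain` or `DOMAIN\user`), as the test cases in comment 8 do. The sssd.conf text, the domain names and the helper names are constructed for the example.

```python
"""Audit an sssd.conf [domain/...] section for AD-forest caveats.

Added example; not from the bug report or from SSSD. The config text,
domain names and function names below are constructed for illustration.
"""
import configparser
import re

# Constructed sample sssd.conf. The domain section uses the AD provider,
# asks for POSIX attributes rather than ID mapping (ldap_id_mapping = False)
# and restricts logins with the simple access provider. The third allow
# entry is deliberately unqualified so the audit has something to flag.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ad
access_provider = simple
ldap_id_mapping = False
simple_allow_users = user1@domain1.com, DOMAIN2\\user2, user3
"""

FQ_AT = re.compile(r"^[^@\\]+@[^@\\]+$")          # user@domain form
FQ_BACKSLASH = re.compile(r"^[^@\\]+\\[^@\\]+$")  # DOMAIN\user form


def split_fq_name(name):
    """Return (user, domain) for a fully qualified name, or None if unqualified.

    Accepts both forms named in the caveat: user@trusted.domain and
    trusted\\user.
    """
    name = name.strip()
    if FQ_AT.match(name):
        user, domain = name.split("@", 1)
        return user, domain
    if FQ_BACKSLASH.match(name):
        domain, user = name.split("\\", 1)
        return user, domain
    return None


def load_conf(text):
    """Parse sssd.conf text; interpolation is off because values may contain '%'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit_domain(cp, section):
    """Return a list of findings for one [domain/...] section (empty = clean)."""
    findings = []
    if cp.get(section, "id_provider", fallback="").lower() != "ad":
        findings.append("id_provider is not 'ad'")

    # The AD provider defaults ldap_id_mapping to True, so the forest's
    # RFC2307 attributes are only honoured when it is explicitly False.
    id_mapping = cp.get(section, "ldap_id_mapping", fallback="True")
    if id_mapping.strip().lower() not in ("false", "no", "0"):
        findings.append("ldap_id_mapping is not False: SIDs will be ID-mapped, "
                        "RFC2307 attributes ignored")

    # Trusted-domain users and groups must be referenced fully qualified;
    # flag any simple-provider entry that is not.
    for key in ("simple_allow_users", "simple_deny_users",
                "simple_allow_groups", "simple_deny_groups"):
        raw = cp.get(section, key, fallback="")
        for entry in filter(None, (e.strip() for e in raw.split(","))):
            if split_fq_name(entry) is None:
                findings.append(f"{key}: '{entry}' is not fully qualified "
                                "(use user@domain or DOMAIN\\user)")
    return findings


if __name__ == "__main__":
    conf = load_conf(SAMPLE_SSSD_CONF)
    for finding in audit_domain(conf, "domain/example.com"):
        print("WARNING:", finding)
```

Running the script on the embedded sample reports a single warning for the unqualified `user3` entry; point `load_conf` at the contents of a real `/etc/sssd/sssd.conf` to audit a live configuration.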
Comment 6 Jakub Hrozek 2013-10-04 09:25:40 EDT
Temporarily moving bugs to MODIFIED to work around errata tool bug
Comment 8 Kaushik Banerjee 2014-01-20 06:36:36 EST
Marking as verified in 1.11.2-27.el7


Report from beaker job run:

   [   PASS   ]      ad_forest_01  bz 1002592 1033096 969882 Lookup users and groups
   [   PASS   ]      ad_forest_02  bz 1002597 User and group memberships from different domains
   [   FAIL   ]      ad_forest_03  bz 1028039 Enumerate users and groups
   [   PASS   ]      ad_forest_04  bz 969882 Use flatname in the fully qualified format
   [   PASS   ]      ad_forest_05  bz 1053106 subdomain do not inherit fallbacks and overrides settings
   [   PASS   ]      ad_forest_auth_01  Auth users from all domains
   [   PASS   ]      ad_forest_auth_02  change password for all users from all domains
   [   PASS   ]      ad_forest_auth_03  bz 924404 support of enterprise principals
   [   PASS   ]      ad_access_filter  Add users and groups
   [   PASS   ]      ad_access_filter_01  access_provider defaults to ad
   [   PASS   ]      ad_access_filter_02  access_provider=ad without any other options denies expired users
   [   PASS   ]      ad_access_filter_03  An expired user, even though he matches the filter, is denied access
   [   PASS   ]      ad_access_filter_04  access_provider=ad without any other options allows non-expired users
   [   PASS   ]      ad_access_filter_05  ad_access_filter=memberOf=cn=admins,ou=groups,dc=example,dc=com
   [   PASS   ]      ad_access_filter_06  ad_access_filter=(cn=user)
   [   PASS   ]      ad_access_filter_07  ad_access_filter=dom1 (memberOf=cn=admins,ou=groups,dc=example,dc=com)
   [   PASS   ]      ad_access_filter_08  ad_access_filter=DOM dom2 (memberOf=cn=admins,ou=groups,dc=example,dc=com)
   [   PASS   ]      ad_access_filter_09  bz 1032983 ad_access_filter=FOREST EXAMPLE.COM (memberOf=cn=admins,ou=groups,dc=example,dc=com)
   [   PASS   ]      ad_access_filter_10  bz 1033133 invalid ad_access_filter
   [   PASS   ]      ad_forest_simple_001  simple_allow_users=user1@domain1.com
   [   PASS   ]      ad_forest_simple_002  bz 991055 simple_allow_users=user1@domain1.com,user2@domain2.com,user3@child.domain1.com
   [   PASS   ]      ad_forest_simple_003  bz 1048102 simple_allow_users=DOMAIN1\user1,DOMAIN2\user2,CHILD1.DOMAIN1\user3
   [   PASS   ]      ad_forest_simple_004  simple_deny_users=user2@domain2.com,user3@child.domain1.com
   [   PASS   ]      ad_forest_simple_005  simple_allow_groups=group1@domain1.com,group2@domain2.com,group3@child.domain1.com
   [   PASS   ]      ad_forest_simple_006  simple_allow_groups=DOMAIN\group
   [   PASS   ]      ad_forest_simple_007  bz 982619 simple_deny_groups=group1@domain1.com
   [   PASS   ]      ad_forest_simple_008  Permit All Users
   [   PASS   ]      ad_forest_simple_09  Deny All Users
Comment 9 Ludek Smid 2014-06-13 09:31:32 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
