Red Hat Bugzilla – Bug 969883
[RFE] Support of forests in the AD provider
Last modified: 2014-06-18 00:02:29 EDT
This bug is created as a clone of upstream ticket:
This ticket changed its shape.
The CIFS client and server side tickets have been forked out as separate tickets.
The scope of this ticket is reduced to: the AD provider must support trusted domains in a similar way to how the ipa provider does it.
Did this make it into F19 sssd-ad-1.10.0-16.fc19 ?
This doesn't seem to work on F19, so I presume it's not there yet?
Or I'm not sure whether this bz covers user lookup in trusted AD domains (RFC2307 attributes throughout the forest).
The feature is in 1.10. I must say we haven't really tested the trusted domains with RFC2307 attributes much, but mostly ID-mapped SIDs. Can you describe your scenario in more detail? Does SSSD simply not see the users?
A couple of caveats to think about:
* only trusted domains from the same forest are recognized
* you need to query the users using a fully qualified name (email@example.com or trusted\\user)
* in order to leverage POSIX attributes and not ID map, you need to set ldap_id_mapping=False in the sssd.conf in the domain section.
Feel free to start a thread on the sssd-users list as well.
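As an added illustration of the caveats above (this is not configuration from the bug report or from the SSSD project itself), the following sssd.conf domain section shows the settings the comment refers to. The domain names example.com and child.example.com, the realm EXAMPLE.COM and the flat name CHILD are constructed for the example:

```ini
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
access_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM

; Use the uidNumber/gidNumber (RFC2307) attributes stored in AD instead of
; deriving IDs from object SIDs (the default). With ID mapping off, users and
; groups that lack these attributes are not returned at all, which looks like
; "SSSD does not see the users".
ldap_id_mapping = False

; Users in trusted domains of the same forest are always addressed by a fully
; qualified name (user@child.example.com or CHILD\user); this makes the joined
; domain's own users qualified as well, so scripts treat all domains alike.
use_fully_qualified_names = True
```

After restarting sssd, a lookup such as getent passwd 'user@child.example.com' (or id 'CHILD\user') should return the POSIX entry. If it comes back empty for a trusted-domain user, verify with ldapsearch against that domain that uidNumber and gidNumber are actually set on the object before suspecting the trust itself; with ldap_id_mapping = False SSSD filters out entries that have no POSIX IDs, and the log at debug_level 6 or higher in the domain section shows them being skipped.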
Temporarily moving bugs to MODIFIED to work around errata tool bug
Marking as verified in 1.11.2-27.el7
Report from beaker job run:
[ PASS ] ad_forest_01 bz 1002592 1033096 969882 Lookup users and groups
[ PASS ] ad_forest_02 bz 1002597 User and group memberships from different domains
[ FAIL ] ad_forest_03 bz 1028039 Enumerate users and groups
[ PASS ] ad_forest_04 bz 969882 Use flatname in the fully qualified format
[ PASS ] ad_forest_05 bz 1053106 subdomain do not inherit fallbacks and overrides settings
[ PASS ] ad_forest_auth_01 Auth users from all domains
[ PASS ] ad_forest_auth_02 change password for all users from all domains
[ PASS ] ad_forest_auth_03 bz 924404 support of enterprise principals
[ PASS ] ad_access_filter Add users and groups
[ PASS ] ad_access_filter_01 access_provider defaults to ad
[ PASS ] ad_access_filter_02 access_provider=ad without any other options denies expired users
[ PASS ] ad_access_filter_03 An expired user, even though he matches the filter, is denied access
[ PASS ] ad_access_filter_04 access_provider=ad without any other options allows non-expired users
[ PASS ] ad_access_filter_05 ad_access_filter=memberOf=cn=admins,ou=groups,dc=example,dc=com
[ PASS ] ad_access_filter_06 ad_access_filter=(cn=user)
[ PASS ] ad_access_filter_07 ad_access_filter=dom1 (memberOf=cn=admins,ou=groups,dc=example,dc=com)
[ PASS ] ad_access_filter_08 ad_access_filter=DOM dom2 (memberOf=cn=admins,ou=groups,dc=example,dc=com)
[ PASS ] ad_access_filter_09 bz 1032983 ad_access_filter=FOREST EXAMPLE.COM (memberOf=cn=admins,ou=groups,dc=example,dc=com)
[ PASS ] ad_access_filter_10 bz 1033133 invalid ad_access_filter
[ PASS ] ad_forest_simple_001 firstname.lastname@example.org
[ PASS ] ad_forest_simple_002 bz 991055 email@example.com,firstname.lastname@example.org,email@example.com
[ PASS ] ad_forest_simple_003 bz 1048102 simple_allow_users=DOMAIN1\user1,DOMAIN2\user2,CHILD1.DOMAIN1\user3
[ PASS ] ad_forest_simple_004 firstname.lastname@example.org,email@example.com
[ PASS ] ad_forest_simple_005 firstname.lastname@example.org,email@example.com,firstname.lastname@example.org
[ PASS ] ad_forest_simple_006 simple_allow_groups=DOMAIN\group
[ PASS ] ad_forest_simple_007 bz 982619 email@example.com
[ PASS ] ad_forest_simple_008 Permit All Users
[ PASS ] ad_forest_simple_09 Deny All Users
This request was resolved in Red Hat Enterprise Linux 7.0.
Contact your manager or support representative in case you have further questions about the request.