Description of problem:
On an IPA client in an env with AD Trust, I cannot look up users with posix attrs set. I tried with getent and just ssh'ing to the IPA client. Neither case worked. If I delete the trust from the IPA server and recreate it with "--range-type ipa-ad-trust" (no posix support), I am able to look up and ssh with Administrator, which does not have posix attrs set.

After some troubleshooting with dev, it was found that the sssd db has the GID set to 0 for the posix user:

  [root@client alllog1]# ldbsearch -H /var/lib/sss/db/cache_ipa.spoore.test.ldb name=posixuser1
  asq: Unable to register control with rootdse!
  # record 1
  dn: name=posixuser1,cn=users,cn=adtest.qe,cn=sysdb
  createTimestamp: 1374775689
  gidNumber: 0
  homeDirectory: /home/adtest.qe/posixuser1
  name: posixuser1
  objectClass: user
  uidNumber: 10001
  nameAlias: posixuser1
  userPrincipalName: posixuser1
  objectSIDString: S-1-5-21-3052441428-1084853364-590233633-1300
  lastUpdate: 1374775689
  dataExpireTimestamp: 1374811689
  distinguishedName: name=posixuser1,cn=users,cn=adtest.qe,cn=sysdb

Above I can see gidNumber=0. This is incorrect. uidNumber, though, is correct; that is what I set on the AD side.

Version-Release number of selected component (if applicable):
sssd-1.11.0-0.1.beta2.fc19.x86_64

How reproducible:
always

Steps to Reproduce:
* This was from following the FreeIPA test day: https://fedoraproject.org/wiki/Test_Day:2013-07-25_AD_trusts_with_POSIX_attributes_in_AD_and_support_for_old_clients#Test_Results

0. Have an AD server set up with Identity Management for Unix enabled and a user with posix attrs set.
1. Install IPA Master
2. Install IPA Client

On Master:
3. ipa-adtrust-install
4. ipa dnszone-add adtest.qe --name-server=adserver.adtest.qe \
     --admin-email='hostmaster' --force --forwarder=<ADserver_IP> \
     --forward-policy=only --ip-address=<ADserver_IP>
5. systemctl restart named.service

On AD Server:
6. Set up a DNS Conditional Forwarder to the IPA server/domain:
   Server Manager -> Tools -> DNS -> Conditional Forwarder
   - right click new conditional forwarder
   - enter ipa.spoore.test
   - enter <IPAserver_IP>
   - select option to store in AD
7. Add Posix User/group:
   Server Manager -> Tools -> AD Users and Computers
   - right click users -> new group
   - right click on the new group -> properties -> Unix Attr tab
     -- Select NIS Domain and set GID
   - right click users -> new user
   - right click on new user -> properties -> Unix Attr tab
     -- select NIS Domain and set UID (diff from GID above)

On IPA Master:
8. echo Secret123 | \
     ipa trust-add --type=ad adtest.qe --admin Administrator --password

On IPA Client:
9. restart sssd to be safe:
     systemctl stop sssd
     rm -rf /var/lib/sss/db/*
     rm -rf /var/lib/sss/mc/*
     systemctl start sssd
10. getent passwd posixuser1
11. yum -y install ldb-tools
12. ldbsearch -H /var/lib/sss/db/cache_ipa.spoore.test.ldb objectclass=user

Actual results:
10. fails to find user.
12. returns:

  [root@client sssd]# ldbsearch -H /var/lib/sss/db/cache_ipa.spoore.test.ldb objectclass=user
  asq: Unable to register control with rootdse!
  # record 1
  dn: name=posixuser1,cn=users,cn=adtest.qe,cn=sysdb
  createTimestamp: 1374775689
  gidNumber: 0
  homeDirectory: /home/adtest.qe/posixuser1
  name: posixuser1
  objectClass: user
  uidNumber: 10001
  nameAlias: posixuser1
  userPrincipalName: posixuser1
  objectSIDString: S-1-5-21-3052441428-1084853364-590233633-1300
  lastUpdate: 1374775689
  dataExpireTimestamp: 1374811689
  distinguishedName: name=posixuser1,cn=users,cn=adtest.qe,cn=sysdb

  # returned 1 records
  # 1 entries
  # 0 referrals

Expected results:
gidNumber should not be 0...and lookup should return passwd info.

Additional info:
Upstream ticket: https://fedorahosted.org/sssd/ticket/2032
Fixed upstream.
sssd-1.11.0-0.1.beta2.fc19, freeipa-3.3.0-1.fc19, slapi-nis-0.47.7-1.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/sssd-1.11.0-0.1.beta2.fc19,freeipa-3.3.0-1.fc19,slapi-nis-0.47.7-1.fc19
Package sssd-1.11.0-0.1.beta2.fc19, freeipa-3.3.0-1.fc19, slapi-nis-0.47.7-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.11.0-0.1.beta2.fc19 freeipa-3.3.0-1.fc19 slapi-nis-0.47.7-1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-14470/sssd-1.11.0-0.1.beta2.fc19,freeipa-3.3.0-1.fc19,slapi-nis-0.47.7-1.fc19
then log in and leave karma (feedback).

Package freeipa-3.3.0-2.fc19, sssd-1.11.0-0.1.beta2.fc19, slapi-nis-0.47.7-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-3.3.0-2.fc19 sssd-1.11.0-0.1.beta2.fc19 slapi-nis-0.47.7-1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-14470/sssd-1.11.0-0.1.beta2.fc19,freeipa-3.3.0-2.fc19,slapi-nis-0.47.7-1.fc19
then log in and leave karma (feedback).
Looks like this one is good. Will post karma.

  [root@f19-1 ~]# ldbsearch -H /var/lib/sss/db/cache_ipa1.example.test.ldb objectclass=user
  asq: Unable to register control with rootdse!
  # record 1
  dn: name=adposixuser1.test,cn=users,cn=ad1.example.test,cn=sysdb
  createTimestamp: 1376694478
  fullName: adposixuser1
  gecos: adposixuser1
  gidNumber: 10000
  homeDirectory: /home/adposixuser1
  loginShell: /bin/sh
  name: adposixuser1.test
  objectClass: user
  uidNumber: 10001
  objectSIDString: S-1-5-21-3024585523-2150831570-1141209184-1118
  originalDN: CN=adposixuser1,CN=Users,DC=ad1,DC=example,DC=test
  originalMemberOf: CN=adposixgroup1,CN=Users,DC=ad1,DC=example,DC=test
  originalModifyTimestamp: 20130816220607.0Z
  entryUSN: 65771
  userPrincipalName: adposixuser1.TEST
  adAccountExpires: 9223372036854775807
  adUserAccountControl: 66048
  nameAlias: adposixuser1.test
  lastUpdate: 1376694478
  dataExpireTimestamp: 1376699878
  distinguishedName: name=adposixuser1.test,cn=users,cn=ad1.example.test,cn=sysdb

  # record 2
  dn: name=admin,cn=users,cn=ipa1.example.test,cn=sysdb
  createTimestamp: 1376694323
  fullName: Administrator
  gecos: Administrator
  gidNumber: 375200000
  name: admin
  objectClass: user
  uidNumber: 375200000
  userPrincipalName: admin.TEST
  nameAlias: admin
  objectSIDString: S-1-5-21-2791864261-2397021873-3522414585-500
  originalDN: uid=admin,cn=users,cn=accounts,dc=ipa1,dc=example,dc=test
  lastUpdate: 1376694323
  dataExpireTimestamp: 1376699723
  memberof: name=admins,cn=groups,cn=ipa1.example.test,cn=sysdb
  originalMemberOf: cn=admins,cn=groups,cn=accounts,dc=ipa1,dc=example,dc=test
  distinguishedName: name=admin,cn=users,cn=ipa1.example.test,cn=sysdb

  # returned 2 records
  # 2 entries
  # 0 referrals
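An added check (my own, not part of this report or of SSSD): a Python audit that parses ldbsearch output like the dumps quoted in the description and in the comment above, and flags user entries whose uidNumber or gidNumber is missing or 0, so a cache state like the one reported here is caught before a user resolves into root's primary group. The embedded dumps are abbreviated from the records shown in this report; the folded distinguishedName line reproduces ldb's LDIF line wrapping.

```python
# Dumps abbreviated from the ldbsearch output quoted in this bug report.
BROKEN_DUMP = """\
asq: Unable to register control with rootdse!
# record 1
dn: name=posixuser1,cn=users,cn=adtest.qe,cn=sysdb
gidNumber: 0
name: posixuser1
objectClass: user
uidNumber: 10001
"""
FIXED_DUMP = """\
# record 1
dn: name=adposixuser1.test,cn=users,cn=ad1.example.test,cn=sysdb
gidNumber: 10000
name: adposixuser1.test
objectClass: user
uidNumber: 10001
distinguishedName: name=adposixuser1.test,cn=users,cn=ad1.example.
 test,cn=sysdb
"""

def parse_ldb(dump):
    """Split ldbsearch output into records: one dict of attr -> [values] per dn."""
    records, current, last_attr = [], None, None
    for line in dump.splitlines():
        if line.startswith(" ") and current and last_attr:
            current[last_attr][-1] += line[1:]  # LDIF-folded continuation line
        elif line.startswith("#") or not line.strip():
            continue  # '# record N' markers and the summary footer
        elif line.startswith("dn: "):
            current, last_attr = {"dn": [line[4:]]}, "dn"
            records.append(current)
        elif current is not None and ": " in line:  # skips the asq warning
            last_attr, value = line.split(": ", 1)
            current.setdefault(last_attr, []).append(value)
    return records

def find_bad_users(records):
    """Return (name, reason) for user entries whose uid/gid is missing or 0."""
    problems = []
    for rec in records:
        if "user" not in rec.get("objectClass", []):
            continue  # groups and other sysdb objects are out of scope
        name = rec.get("name", ["?"])[0]
        for attr in ("uidNumber", "gidNumber"):
            values = rec.get(attr, ["missing"])
            if not values[0].isdigit() or int(values[0]) == 0:
                # 0 is root / root's primary group; such an entry must never be served
                problems.append((name, f"{attr}={values[0]}"))
    return problems
```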
freeipa-3.3.0-2.fc19, sssd-1.11.0-0.1.beta2.fc19, slapi-nis-0.47.7-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.