#1666 IPA Trust does not show secondary groups for AD Users for commands like id and getent
Closed: Fixed None Opened 6 years ago by pbrezina.

https://bugzilla.redhat.com/show_bug.cgi?id=878583 (Red Hat Enterprise Linux 6)

Description of problem:
In an IPA Trust environment, AD User secondary group membership is not shown by
commands like `id` and `getent`. Only the primary (mapped) private user group is


On the AD side, "testuser" is a member of the "Domain Users" and "testgroup"
groups. However, this is not reflected when `id` is run against "testuser":

```
[root@ipaserver1 ~]# su - testuser@ad.example.com
-sh-4.1$ id
uid=238801108(testuser@ad.example.com) gid=238801108(testuser@ad.example.com)
```

The groups exist:

```
[root@ipaserver1 ~]# getent group AD\\testgroup
[root@ipaserver1 ~]# getent group AD\\'Domain Users'
domain users@ad.example.com:*:238800513:
```

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Set up IPA Server
2. Set up AD Server, add 2 groups, add user, add user to 2 new groups
3. `ipa-adtrust-install`
4. `ipa trust-add <addomain> --admin Administrator --password`
5. `id <aduser@addomain>`

Actual results:
Does not show secondary AD Groups.

Expected results:
Shows all AD Groups?

Additional info:

Fields changed

owner: somebody => sbose
status: new => assigned

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.4

Fields changed

patch: 0 => 1

The ticket was fixed in the same patchset as ticket #1672. The patches were:

resolution: => fixed
status: assigned => closed

Metadata Update from @pbrezina:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.9.4

2 years ago
