#1666 IPA Trust does not show secondary groups for AD Users for commands like id and getent
Closed: Fixed None Opened 6 years ago by pbrezina.

https://bugzilla.redhat.com/show_bug.cgi?id=878583 (Red Hat Enterprise Linux 6)

Description of problem:
In an IPA Trust environment, AD user secondary group membership is not shown by
commands like id and getent.  Only the primary (mapped) private user group is
shown.

Example:

On the AD side, "testuser" is a member of the "Domain Users" and "testgroup"
groups. However, this is not reflected when `id` is run against "testuser":

---
[root@ipaserver1 ~]# su - testuser@ad.example.com
-sh-4.1$ id
uid=238801108(testuser@ad.example.com) gid=238801108(testuser@ad.example.com)
groups=238801108(testuser@ad.example.com),1600200004(ad_users)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
---

The groups exist:

---
[root@ipaserver1 ~]# getent group AD\\testgroup
testgroup@ad.example.com:*:238801109:
[root@ipaserver1 ~]# getent group AD\\'Domain Users'
domain users@ad.example.com:*:238800513:
---

Version-Release number of selected component (if applicable):
sssd-1.9.2-14.el6.x86_64

How reproducible:
always


Steps to Reproduce:
1.  Set up IPA Server
2.  Set up AD Server, add 2 groups, add user, add user to 2 new groups
3.  ipa-adtrust-install
4.  ipa trust-add <addomain> --admin Administrator --password
5.  id <aduser@addomain>

Actual results:
Does not show secondary AD Groups.

Expected results:
Shows all AD Groups?


Additional info:

Fields changed

owner: somebody => sbose
status: new => assigned

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.4

Fields changed

patch: 0 => 1

The ticket was fixed in the same patchset as ticket #1672. The patches were:

resolution: => fixed
status: assigned => closed

Metadata Update from @pbrezina:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.9.4

2 years ago
