#1888 freeipa 3.2 trusted ad user not listed in external group
Closed: Fixed. Opened 6 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 953944

Description of problem:

In an IPA/AD Trust setup, I cannot see the IPA external group for the AD user.

This is from this test (with slight differences to work from another test):


[root@f19-1 ~]# ipa group-show --all ad_admins
  dn: cn=ad_admins,cn=groups,cn=accounts,dc=ipa,dc=example,dc=org
  Group name: ad_admins
  Description: ad.example.org admins
  GID: 1819800007
  Member groups: ad_admins_external
  ipantsecurityidentifier: S-1-5-21-1339028217-3206615778-3561301142-1007
  ipauniqueid: 93ff8042-a886-11e2-a644-0000c0a87abf
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject,
posixgroup, ipantgroupattrs

[root@f19-1 ~]# ipa group-show --all ad_admins_external
  dn: cn=ad_admins_external,cn=groups,cn=accounts,dc=ipa,dc=example,dc=org
  Group name: ad_admins_external
  Description: ad.example.org  admins external map
  Member of groups: ad_admins
  External member: S-1-5-21-3234163150-1739635155-2110790787-512
  ipauniqueid: 88f8b95c-a886-11e2-8283-0000c0a87abf
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject,

[root@f19-1 ~]# wbinfo -s S-1-5-21-3234163150-1739635155-2110790787-512
AD\domain admins 2
[root@f19-1 ~]# wbinfo --group-info "AD\domain admins 2"
failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for group AD\domain admins 2

[root@f19-1 ~]# wbinfo --group-info "AD\domain admins"
AD\domain admins:4294967295:AD\administrator

-sh-4.2$ id
admins@ad.example.org),1717600520(group policy creator owners@ad.example.org)

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.  Setup IPA Server
2.  Setup AD Server (2008r2 is what I saw this on)
3.  Setup Trust
4.  ipa group-add --external ext_ad_administrators --desc "AD.TEST
5.  ipa group-add-member ext_ad_administrators --external "AD\Domain Admins"
6.  ipa group-add ad_administrators
7.  ipa group-add-member ad_administrators --group ext_ad_administrators
8.  id administrator@ad.example.org

Actual results:
does not list ad_administrators

Expected results:
should list ad_administrators

Additional info:

Reassigning to Sumit, he already has a candidate fix.
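
A small consistency check, added here as an example and not part of the ticket, SSSD or FreeIPA, that parses `ipa group-show --all` output for the external group and the `id` output for the trusted user, then reports which parent POSIX groups of the external group are missing from the user's group list (the symptom in this ticket). The sample outputs are constructed, modelled on the ticket; the uid/gid values are made up.

```python
import re
from typing import Dict, List

# Constructed sample of `ipa group-show --all ad_admins_external` output,
# modelled on the ticket (two-space indentation as printed by the ipa CLI).
GROUP_SHOW_OUTPUT = """\
  dn: cn=ad_admins_external,cn=groups,cn=accounts,dc=ipa,dc=example,dc=org
  Group name: ad_admins_external
  Description: ad.example.org admins external map
  Member of groups: ad_admins
  External member: S-1-5-21-3234163150-1739635155-2110790787-512
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject
"""

# Constructed `id administrator@ad.example.org` output as seen with the bug:
# only AD groups are listed, the nested IPA group ad_admins never appears.
ID_OUTPUT_BUGGY = (
    "uid=1717600500(administrator@ad.example.org) "
    "gid=1717600513(domain users@ad.example.org) "
    "groups=1717600513(domain users@ad.example.org),"
    "1717600512(domain admins@ad.example.org),"
    "1717600520(group policy creator owners@ad.example.org)"
)
# Same user after the fix: the IPA POSIX group shows up in the list too.
ID_OUTPUT_FIXED = ID_OUTPUT_BUGGY + ",1819800007(ad_admins)"

# gid(name) pairs; names may contain spaces, so match up to the closing paren.
_ID_GROUP_RE = re.compile(r"(\d+)\(([^)]*)\)")


def parse_group_show(text: str) -> Dict[str, List[str]]:
    """Turn `ipa group-show` lines into attribute -> list of values."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        attrs[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return attrs


def parse_id_groups(text: str) -> Dict[str, int]:
    """Map group name -> gid from the groups= part of `id` output."""
    _, _, groups = text.partition("groups=")
    return {name: int(gid) for gid, name in _ID_GROUP_RE.findall(groups)}


def missing_nested_groups(attrs: Dict[str, List[str]],
                          id_groups: Dict[str, int]) -> List[str]:
    """Parent POSIX groups of the external group that `id` does not list."""
    return [g for g in attrs.get("Member of groups", []) if g not in id_groups]
```

Run against real output, a non-empty result means the external-to-POSIX group nesting is not being applied to the trusted user, which is what this ticket reports.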

blockedby: =>
blocking: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
owner: somebody => sbose
review: True => 0
selected: =>
testsupdated: => 0

Fields changed

patch: 0 => 1

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.10 beta

Fields changed

resolution: => fixed
status: new => closed

Metadata Update from @jhrozek:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.10 beta

2 years ago
