#1888 freeipa 3.2 trusted ad user not listed in external group
Closed: Fixed. Opened 7 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 953944

Description of problem:

In an IPA/AD Trust setup, I cannot see the IPA external group for the AD user.

This is from this test (with slight differences to work from another test):

https://fedoraproject.org/wiki/QA:Testcase_freeipav3_ad_hbac

[root@f19-1 ~]# ipa group-show --all ad_admins
  dn: cn=ad_admins,cn=groups,cn=accounts,dc=ipa,dc=example,dc=org
  Group name: ad_admins
  Description: ad.example.org admins
  GID: 1819800007
  Member groups: ad_admins_external
  ipantsecurityidentifier: S-1-5-21-1339028217-3206615778-3561301142-1007
  ipauniqueid: 93ff8042-a886-11e2-a644-0000c0a87abf
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject,
posixgroup, ipantgroupattrs

[root@f19-1 ~]# ipa group-show --all ad_admins_external
  dn: cn=ad_admins_external,cn=groups,cn=accounts,dc=ipa,dc=example,dc=org
  Group name: ad_admins_external
  Description: ad.example.org  admins external map
  Member of groups: ad_admins
  External member: S-1-5-21-3234163150-1739635155-2110790787-512
  ipauniqueid: 88f8b95c-a886-11e2-8283-0000c0a87abf
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject,
ipaexternalgroup

[root@f19-1 ~]# wbinfo -s S-1-5-21-3234163150-1739635155-2110790787-512
AD\domain admins 2
[root@f19-1 ~]# wbinfo --group-info "AD\domain admins 2"
failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for group AD\domain admins 2

[root@f19-1 ~]# wbinfo --group-info "AD\domain admins"
AD\domain admins:4294967295:AD\administrator

-sh-4.2$ id
uid=1717600500(administrator@ad.example.org)
gid=1717600500(administrator@ad.example.org)
groups=1717600500(administrator@ad.example.org),1717600512(domain admins@ad.example.org),1717600513(domain users@ad.example.org),1717600518(schema admins@ad.example.org),1717600519(enterprise admins@ad.example.org),1717600520(group policy creator owners@ad.example.org)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023


Version-Release number of selected component (if applicable):
sssd-1.10.0-2.fc19.alpha1.x86_64
freeipa-server-3.2.0-0.2.beta1.fc19.x86_64

How reproducible:
Always

Steps to Reproduce:
1.  Setup IPA Server
2.  Setup AD Server (2008r2 is what I saw this on)
3.  Setup Trust
4.  ipa group-add --external ext_ad_administrators --desc "AD.TEST Administrators"
5.  ipa group-add-member ext_ad_administrators --external "AD\Domain Admins"
6.  ipa group-add ad_administrators
7.  ipa group-add-member ad_administrators --group ext_ad_administrators
8.  id administrator@ad.example.org

Actual results:
does not list ad_administrators

Expected results:
should list ad_administrators

Additional info:

Reassigning to Sumit, he already has a candidate fix.
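The check below is an added example, not code from the ticket or from SSSD/FreeIPA. It parses the `id` output quoted above and reports the two conditions the report distinguishes: whether the AD group behind the external member SID resolved at all, and whether the IPA POSIX group wrapping it (GID 1819800007 from the `ipa group-show` output) is listed for the user. It assumes an algorithmic SID-to-id mapping of range base + RID, with the base 1717600000 inferred from the ticket's own output (RID 512 -> 1717600512); the "fixed" sample is constructed to show the passing case.

```python
import re

# Constructed sample: the `id` output from this ticket, wrapped names rejoined.
ID_OUTPUT_BROKEN = (
    "uid=1717600500(administrator@ad.example.org) "
    "gid=1717600500(administrator@ad.example.org) "
    "groups=1717600500(administrator@ad.example.org),"
    "1717600512(domain admins@ad.example.org),"
    "1717600513(domain users@ad.example.org),"
    "1717600518(schema admins@ad.example.org),"
    "1717600519(enterprise admins@ad.example.org),"
    "1717600520(group policy creator owners@ad.example.org) "
    "context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
)
# Constructed sample: the same user once the IPA group membership is applied.
ID_OUTPUT_FIXED = ID_OUTPUT_BROKEN.replace(
    " context=", ",1819800007(ad_admins) context=")

EXTERNAL_SID = "S-1-5-21-3234163150-1739635155-2110790787-512"  # from the ticket
IPA_GROUP_GID = 1819800007                                       # from the ticket

# One "gid(name)" entry; names may contain spaces ("domain admins@...").
GROUP_RE = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id_groups(output):
    """Return {gid: name} for every entry in the groups= field of `id` output."""
    m = re.search(r"groups=(.*?)(?:\s+context=|\s*$)", output)
    if not m:
        return {}
    return {int(gid): name for gid, name in GROUP_RE.findall(m.group(1))}


def sid_to_gid(sid, range_base=1717600000):
    """Assumed algorithmic mapping: POSIX id = range base + RID.
    The base is inferred from the ticket (RID 512 -> 1717600512), not documented."""
    return range_base + int(sid.rsplit("-", 1)[1])


def check_external_group(id_output, external_sid=EXTERNAL_SID, ipa_gid=IPA_GROUP_GID):
    """Distinguish 'SID never resolved' from 'AD group resolved but IPA group missing'."""
    groups = parse_id_groups(id_output)
    return {
        "ad_group_resolved": sid_to_gid(external_sid) in groups,
        "ipa_group_listed": ipa_gid in groups,
    }


if __name__ == "__main__":
    print("ticket output:", check_external_group(ID_OUTPUT_BROKEN))
    print("fixed output: ", check_external_group(ID_OUTPUT_FIXED))
```

On the ticket's output the result is `ad_group_resolved: True, ipa_group_listed: False`, which is exactly the symptom reported: the trust lookup works, but the IPA group that wraps the external SID is not attached to the user.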

owner: somebody => sbose

Fields changed

patch: 0 => 1

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.10 beta

Fields changed

resolution: => fixed
status: new => closed

Metadata Update from @jhrozek:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.10 beta

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2930

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
