#1888 freeipa 3.2 trusted ad user not listed in external group
Closed: Fixed None Opened 5 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 953944

Description of problem:

In an IPA/AD Trust setup, I cannot see the IPA external group for the AD user.

This is from this test (with slight differences to work from another test):

https://fedoraproject.org/wiki/QA:Testcase_freeipav3_ad_hbac

[root@f19-1 ~]# ipa group-show --all ad_admins
  dn: cn=ad_admins,cn=groups,cn=accounts,dc=ipa,dc=example,dc=org
  Group name: ad_admins
  Description: ad.example.org admins
  GID: 1819800007
  Member groups: ad_admins_external
  ipantsecurityidentifier: S-1-5-21-1339028217-3206615778-3561301142-1007
  ipauniqueid: 93ff8042-a886-11e2-a644-0000c0a87abf
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, posixgroup, ipantgroupattrs

[root@f19-1 ~]# ipa group-show --all ad_admins_external
  dn: cn=ad_admins_external,cn=groups,cn=accounts,dc=ipa,dc=example,dc=org
  Group name: ad_admins_external
  Description: ad.example.org  admins external map
  Member of groups: ad_admins
  External member: S-1-5-21-3234163150-1739635155-2110790787-512
  ipauniqueid: 88f8b95c-a886-11e2-8283-0000c0a87abf
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, ipaexternalgroup

[root@f19-1 ~]# wbinfo -s S-1-5-21-3234163150-1739635155-2110790787-512
AD\domain admins 2
[root@f19-1 ~]# wbinfo --group-info "AD\domain admins 2"
failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for group AD\domain admins 2

[root@f19-1 ~]# wbinfo --group-info "AD\domain admins"
AD\domain admins:4294967295:AD\administrator

-sh-4.2$ id
uid=1717600500(administrator@ad.example.org) gid=1717600500(administrator@ad.example.org) groups=1717600500(administrator@ad.example.org),1717600512(domain admins@ad.example.org),1717600513(domain users@ad.example.org),1717600518(schema admins@ad.example.org),1717600519(enterprise admins@ad.example.org),1717600520(group policy creator owners@ad.example.org) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023


Version-Release number of selected component (if applicable):
sssd-1.10.0-2.fc19.alpha1.x86_64
freeipa-server-3.2.0-0.2.beta1.fc19.x86_64

How reproducible:
Always

Steps to Reproduce:
1.  Set up IPA Server
2.  Set up AD Server (2008r2 is what I saw this on)
3.  Set up Trust
4.  ipa group-add --external ext_ad_administrators --desc "AD.TEST Administrators"
5.  ipa group-add-member ext_ad_administrators --external "AD\Domain Admins"
6.  ipa group-add ad_administrators
7.  ipa group-add-member ad_administrators --group ext_ad_administrators
8.  id administrator@ad.example.org

Actual results:
does not list ad_administrators

Expected results:
should list ad_administrators

Additional info:

Reassigning to Sumit, he already has a candidate fix.
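
As an added check for step 8 (not part of the ticket or of SSSD/FreeIPA): a POSIX sh function that parses the output of `id` and reports whether a given group is listed. It splits the groups= field on commas because AD-backed names such as `domain admins@ad.example.org` contain spaces, which makes the whitespace-separated `id -Gn` form ambiguous. SAMPLE_BROKEN is the `id` line from the ticket; SAMPLE_FIXED, the function names and the placement of ad_admins (GID 1819800007 from the group-show output above) in the fixed state are my assumptions.

```shell
#!/bin/sh
# Added example: check whether an `id` output line lists a given group.
# AD group names contain spaces, so the groups= field is split on commas,
# not on whitespace.

# Sample taken from the ticket: the broken state, no IPA group listed.
SAMPLE_BROKEN='uid=1717600500(administrator@ad.example.org) gid=1717600500(administrator@ad.example.org) groups=1717600500(administrator@ad.example.org),1717600512(domain admins@ad.example.org),1717600513(domain users@ad.example.org),1717600518(schema admins@ad.example.org),1717600519(enterprise admins@ad.example.org),1717600520(group policy creator owners@ad.example.org) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'

# Constructed (hypothetical) fixed state: the same line with the nesting
# IPA POSIX group ad_admins appended, using the GID shown in the ticket.
SAMPLE_FIXED='uid=1717600500(administrator@ad.example.org) gid=1717600500(administrator@ad.example.org) groups=1717600500(administrator@ad.example.org),1717600512(domain admins@ad.example.org),1717600513(domain users@ad.example.org),1717600518(schema admins@ad.example.org),1717600519(enterprise admins@ad.example.org),1717600520(group policy creator owners@ad.example.org),1819800007(ad_admins) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'

# Print the group names from one `id` output line, one per line.
#   $1: the full `id` output line
# Step 1 keeps only the groups= field (the " context=" part is optional,
# it is absent when SELinux is off). Step 2 puts one "GID(name)" per line.
# Step 3 strips the numeric GID and the parentheses.
id_group_names() {
    printf '%s\n' "$1" |
        sed -e 's/^.*groups=//' -e 's/ context=.*$//' |
        tr ',' '\n' |
        sed -e 's/^[0-9]*(//' -e 's/)$//'
}

# Exit 0 if group $2 appears (exact, fixed-string match) in `id` output $1.
has_group() {
    id_group_names "$1" | grep -qxF -- "$2"
}

# Number of groups in an `id` line (tr strips the padding some wc builds add).
id_group_count() {
    id_group_names "$1" | wc -l | tr -d ' '
}

# Live use on the IPA client after the fix, e.g.:
#   has_group "$(id administrator@ad.example.org)" ad_admins && echo OK
```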

design_review: => 0
owner: somebody => sbose
review: True => 0
testsupdated: => 0

Fields changed

patch: 0 => 1

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.10 beta

Fields changed

resolution: => fixed
status: new => closed

Metadata Update from @jhrozek:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.10 beta

2 years ago
