#2032 sssd sees gid as 0 for AD trust posix users causing lookup failures
Closed: Fixed None Opened 7 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 988520

Description of problem:

On an IPA client in an env with AD Trust, I cannot look up users with posix
attrs set.  I tried with getent and just ssh'ing to the IPA client.  Neither
case worked.

If I delete the trust from IPA server and recreate it with "--range-type
ipa-ad-trust" (no posix support), I am able to lookup and ssh with
Administrator@adtest.qe which does not have posix attrs set.

After some troubleshooting with dev, it was found that sssd db has the GID set
to 0 for the posix user:

[root@client alllog1]# ldbsearch -H /var/lib/sss/db/cache_ipa.spoore.test.ldb name=posixuser1@adtest.qe
asq: Unable to register control with rootdse!
# record 1
dn: name=posixuser1@adtest.qe,cn=users,cn=adtest.qe,cn=sysdb
createTimestamp: 1374775689
gidNumber: 0
homeDirectory: /home/adtest.qe/posixuser1
name: posixuser1@adtest.qe
objectClass: user
uidNumber: 10001
nameAlias: posixuser1@adtest.qe
userPrincipalName: posixuser1@ADTEST.QE
objectSIDString: S-1-5-21-3052441428-1084853364-590233633-1300
lastUpdate: 1374775689
dataExpireTimestamp: 1374811689
distinguishedName: name=posixuser1@adtest.qe,cn=users,cn=adtest.qe,cn=sysdb

Above I can see gidNumber=0.  This is incorrect.  uidNumber though is correct,
that is what I set on AD side.

Version-Release number of selected component (if applicable):
sssd-1.11.0-0.1.beta2.fc19.x86_64

How reproducible:
always

Steps to Reproduce:
* This was from following FreeIPA test day:
https://fedoraproject.org/wiki/Test_Day:2013-07-25_AD_trusts_with_POSIX_attributes_in_AD_and_support_for_old_clients#Test_Results

0.  Have AD server setup with Identity Management for Unix enabled and user
with posix attrs set.
1.  Install IPA Master
2.  Install IPA Client

On Master:

3.  ipa-adtrust-install
4.  ipa dnszone-add adtest.qe --name-server=adserver.adtest.qe \
    --admin-email='hostmaster@adtest.qe' --force --forwarder=<ADserver_IP> \
    --forward-policy=only --ip-address=<ADserver_IP>
5.  systemctl restart named.service

On AD Server:

6.  Setup DNS Conditional Forwarder to IPA server/domain
Server Manager -> Tools -> DNS -> Conditional Forwarder
- right click new conditional forwarder
- enter ipa.spoore.test
- enter <IPAserver_IP>
- select option to store in AD
7.  Add Posix User/group:
Server Manager -> Tools -> AD Users and Computers
- right click users -> new group
- right click on the new group -> properties -> Unix Attr tab
-- Select NIS Domain and set GID
- right click users -> new user
- right click on new user -> properties -> Unix Attr tab
-- select NIS Domain and set UID (diff from GID above)

On IPA Master:
8.  echo Secret123 | \
    ipa trust-add --type=ad adtest.qe --admin Administrator --password

On IPA Client:
9.  restart sssd to be safe:
systemctl stop sssd
rm -rf /var/lib/sss/db/*
rm -rf /var/lib/sss/mc/*
systemctl start sssd

10.  getent passwd posixuser1@adtest.qe

11.  yum -y install ldb-tools

12.  ldbsearch -H /var/lib/sss/db/cache_ipa.spoore.test.ldb objectclass=user

Actual results:

10. fails to find user.
12. returns:

[root@client sssd]# ldbsearch -H /var/lib/sss/db/cache_ipa.spoore.test.ldb objectclass=user
asq: Unable to register control with rootdse!
# record 1
dn: name=posixuser1@adtest.qe,cn=users,cn=adtest.qe,cn=sysdb
createTimestamp: 1374775689
gidNumber: 0
homeDirectory: /home/adtest.qe/posixuser1
name: posixuser1@adtest.qe
objectClass: user
uidNumber: 10001
nameAlias: posixuser1@adtest.qe
userPrincipalName: posixuser1@ADTEST.QE
objectSIDString: S-1-5-21-3052441428-1084853364-590233633-1300
lastUpdate: 1374775689
dataExpireTimestamp: 1374811689
distinguishedName: name=posixuser1@adtest.qe,cn=users,cn=adtest.qe,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals


Expected results:
gidNumber should not be 0...and lookup should return passwd info.

Additional info:

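The symptom above is a cached user entry whose gidNumber is 0. The following is an added example, not part of the bug report or of SSSD itself: it parses the LDIF-style output of `ldbsearch` against the sysdb cache (the sample output is constructed, with one entry reproducing the bug and one healthy entry) and reports user entries whose uidNumber or gidNumber is missing or 0, which is a quick way to confirm the bad cache state on a client before restarting sssd or clearing /var/lib/sss/db.

```python
# Constructed sample of ldbsearch output (not copied from the report): record 1
# shows the bug (gidNumber 0), record 2 is a healthy POSIX user.
SAMPLE_LDB_OUTPUT = """\
asq: Unable to register control with rootdse!
# record 1
dn: name=posixuser1@adtest.qe,cn=users,cn=adtest.qe,cn=sysdb
gidNumber: 0
name: posixuser1@adtest.qe
objectClass: user
uidNumber: 10001

# record 2
dn: name=posixuser2@adtest.qe,cn=users,cn=adtest.qe,cn=sysdb
gidNumber: 10000
name: posixuser2@adtest.qe
objectClass: user
uidNumber: 10002

# returned 2 records
"""


def parse_ldb_records(text):
    """Split ldbsearch output into records (attr -> list of values).
    A record starts at its 'dn:' line; '#' comments, the asq warning
    printed before the first dn, and blank lines are ignored."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("dn: "):
            current = {}
            records.append(current)
        if current is None or line.startswith("#") or ": " not in line:
            continue
        attr, value = line.split(": ", 1)
        current.setdefault(attr, []).append(value)
    return records


def find_broken_posix_users(text):
    """Names of cached user entries whose uidNumber/gidNumber is missing or 0."""
    broken = []
    for rec in parse_ldb_records(text):
        if "user" not in rec.get("objectClass", []):
            continue  # only user entries carry POSIX id attributes here
        name = rec.get("name", ["?"])[0]
        for attr in ("uidNumber", "gidNumber"):
            value = rec.get(attr, ["<missing>"])[0]
            if not value.isdigit() or int(value) == 0:
                broken.append(f"{name}: {attr}={value}")
    return broken


if __name__ == "__main__":
    print(find_broken_posix_users(SAMPLE_LDB_OUTPUT))
```

On a real client, feed it the output of `ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb objectclass=user` instead of the constructed sample.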
Fields changed

design_review: => 0
owner: somebody => jhrozek
review: True => 0
status: new => assigned
testsupdated: => 0

Fields changed

patch: 0 => 1

milestone: NEEDS_TRIAGE => SSSD 1.11 beta 3
resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.11.0

4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3074

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
