#2032 sssd sees gid as 0 for AD trust posix users causing lookup failures
Closed: Fixed None Opened 6 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 988520

Description of problem:

On an IPA client in a env with AD Trust, I cannot look up users with posix
attrs set.  I tried with getent and just ssh'ing to the IPA client.  Neither
case worked.

If I delete the trust from IPA server and recreate it with "--range-type
ipa-ad-trust" (no posix support), I am able to lookup and ssh with
Administrator@adtest.qe which does not have posix attrs set.

After some troubleshooting with dev, it was found that sssd db has the GID set
to 0 for the posix user:

[root@client alllog1]# ldbsearch -H /var/lib/sss/db/cache_ipa.spoore.test.ldb name=posixuser1@adtest.qe
asq: Unable to register control with rootdse!
# record 1
dn: name=posixuser1@adtest.qe,cn=users,cn=adtest.qe,cn=sysdb
createTimestamp: 1374775689
gidNumber: 0
homeDirectory: /home/adtest.qe/posixuser1
name: posixuser1@adtest.qe
objectClass: user
uidNumber: 10001
nameAlias: posixuser1@adtest.qe
userPrincipalName: posixuser1@ADTEST.QE
objectSIDString: S-1-5-21-3052441428-1084853364-590233633-1300
lastUpdate: 1374775689
dataExpireTimestamp: 1374811689
distinguishedName: name=posixuser1@adtest.qe,cn=users,cn=adtest.qe,cn=sysdb

Above I can see gidNumber=0.  This is incorrect.  uidNumber though is correct,
that is what I set on AD side.

Version-Release number of selected component (if applicable):
sssd-1.11.0-0.1.beta2.fc19.x86_64

How reproducible:
always

Steps to Reproduce:
* This was from following FreeIPA test day:
https://fedoraproject.org/wiki/Test_Day:2013-07-25_AD_trusts_with_POSIX_attributes_in_AD_and_support_for_old_clients#Test_Results

0.  Have AD server setup with Identity Management for Unix enabled and user
with posix attrs set.
1.  Install IPA Master
2.  Install IPA Client

On Master:

3.  ipa-adtrust-install
4.  ipa dnszone-add adtest.qe --name-server=adserver.adtest.qe \
    --admin-email='hostmaster@adtest.qe' --force --forwarder=<ADserver_IP> \
    --forward-policy=only --ip-address=<ADserver_IP>
5.  systemctl restart named.service

On AD Server:

6.  Setup DNS Conditional Forwarder to IPA server/domain
Server Manager -> Tools -> DNS -> Conditional Forwarder
- right click new conditional forwarder
- enter ipa.spoore.test
- enter <IPAserver_IP>
- select option to store in AD
7.  Add Posix User/group:
Server Manager -> Tools -> AD Users and Computers
- right click users -> new group
- right click on the new group -> properties -> Unix Attr tab
-- Select NIS Domain and set GID
- right click users -> new user
- right click on new user -> properties -> Unix Attr tab
-- select NIS Domain and set UID (diff from GID above)

On IPA Master:
8.  echo Secret123 | \
    ipa trust-add --type=ad adtest.qe --admin Administrator --password

On IPA Client:
9.  restart sssd to be safe:
systemctl stop sssd
rm -rf /var/lib/sss/db/*
rm -rf /var/lib/sss/mc/*
systemctl start sssd

10.  getent passwd posixuser1@adtest.qe

11.  yum -y install ldb-tools

12.  ldbsearch -H /var/lib/sss/db/cache_ipa.spoore.test.ldb objectclass=user

Actual results:

10. fails to find user.
12. returns:

[root@client sssd]# ldbsearch -H /var/lib/sss/db/cache_ipa.spoore.test.ldb objectclass=user
asq: Unable to register control with rootdse!
# record 1
dn: name=posixuser1@adtest.qe,cn=users,cn=adtest.qe,cn=sysdb
createTimestamp: 1374775689
gidNumber: 0
homeDirectory: /home/adtest.qe/posixuser1
name: posixuser1@adtest.qe
objectClass: user
uidNumber: 10001
nameAlias: posixuser1@adtest.qe
userPrincipalName: posixuser1@ADTEST.QE
objectSIDString: S-1-5-21-3052441428-1084853364-590233633-1300
lastUpdate: 1374775689
dataExpireTimestamp: 1374811689
distinguishedName: name=posixuser1@adtest.qe,cn=users,cn=adtest.qe,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals


Expected results:
gidNumber should not be 0, and lookup should return passwd info.

Additional info:
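A quick check for the symptom reported above, added here as an example and not part of SSSD or of the ticket: it parses the LDIF-style ldbsearch listing (record layout assumed from the output quoted in the report) and flags cached user entries whose gidNumber or uidNumber is 0, the state the reporter found in cache_ipa.spoore.test.ldb and one that should never occur for an AD POSIX user.

```python
# Added example (not SSSD code): flag cached user records whose gidNumber or
# uidNumber is 0, the symptom in the ticket. The input layout is assumed from
# the ticket's ldbsearch listing; SAMPLE is a constructed, trimmed copy of it.
import sys

SAMPLE = """asq: Unable to register control with rootdse!
# record 1
dn: name=posixuser1@adtest.qe,cn=users,cn=adtest.qe,cn=sysdb
gidNumber: 0
name: posixuser1@adtest.qe
objectClass: user
uidNumber: 10001

# record 2
dn: name=okuser@adtest.qe,cn=users,cn=adtest.qe,cn=sysdb
gidNumber: 10002
name: okuser@adtest.qe
objectClass: user
uidNumber: 10002

# returned 2 records
"""

def parse_ldb_records(text):
    """Split ldbsearch output into {attr: [values]} dicts, one per record."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():  # a blank line terminates the current record
            if current:
                records.append(current)
                current = {}
        elif not line.startswith(("#", "asq:")):  # skip comments / asq warning
            attr, _, value = line.rstrip().partition(": ")
            current.setdefault(attr, []).append(value)
    if current:
        records.append(current)
    return records

def find_zero_id_users(records):
    """Return (name, attr) for user records whose uidNumber/gidNumber is 0."""
    return [(rec.get("name", ["?"])[0], attr)
            for rec in records if "user" in rec.get("objectClass", [])
            for attr in ("uidNumber", "gidNumber")
            if rec.get(attr, [""])[0] == "0"]

if __name__ == "__main__":  # pipe real ldbsearch output in, else use SAMPLE
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for name, attr in find_zero_id_users(parse_ldb_records(text)):
        print(f"{name}: {attr} is 0")
```

Feed it the real cache with `ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb objectclass=user | python3 check.py` (the script name is a placeholder).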

Fields changed

design_review: => 0
owner: somebody => jhrozek
review: True => 0
status: new => assigned
testsupdated: => 0

Fields changed

patch: 0 => 1

milestone: NEEDS_TRIAGE => SSSD 1.11 beta 3
resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.11.0

2 years ago
