#2064 ad: unable to resolve membership when user is from different domain than group
Closed: Fixed None Opened 7 years ago by pbrezina.

I have the following configuration of active directory forest:

ad.pb (root domain) <-- (transitive trust) --> sub.ad.pb (child domain)

ChildUsers (universal group in ad.pb) contains
subaduser@sub.ad.pb (user from child domain)

SSSD is not able to resolve this membership. It probably tries to search subaduser in ad.pb LDAP instead of Global Catalog.

(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-3940105347-3434501867-2690409756-1110)(objectclass=group)(name=*))][DC=ad,DC=pb].
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=subaduser,CN=Users,DC=sub,DC=ad,DC=pb].
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_done] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-03100742, data 0, 1 access points
    ref 1: 'sub.ad.pb'

(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Referral(10), 0000202B: RefErr: DSID-03100742, data 0, 1 access points
    ref 1: 'sub.ad.pb'

(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_nested_group_single_step_done] (0x0020): Error processing direct membership [5]: Input/output error
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_nested_done] (0x0020): Nested group processing failed: [5][Input/output error]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_id_op_done] (0x0200): communication error on cached connection, moving to next server

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.11.1

Fields changed

owner: somebody => pbrezina
status: new => assigned

Fields changed

patch: 0 => 1

The patchset is massive and needs rebasing atop patches for #1970. I'd rather push the review to 1.11.2

milestone: SSSD 1.11.1 => SSSD 1.11.2

Replying to [comment:5 jhrozek]:

The patchset is massive and needs rebasing atop patches for #1970. I'd rather push the review to 1.11.2

Sorry, #2070

Fields changed

changelog: => The SSSD is now able to resolve all group members from different Active Directory domains as long as they come from a single forest.

Metadata Update from @pbrezina:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.11.2

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3106

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata