#2064 ad: unable to resolve membership when user is from different domain than group
Closed: Fixed None Opened 6 years ago by pbrezina.

I have the following configuration of active directory forest:

ad.pb (root domain) <-- (transitive trust) --> sub.ad.pb (child domain)

ChildUsers (universal group in ad.pb) contains
subaduser@sub.ad.pb (user from child domain)

SSSD is not able to resolve this membership. It probably tries to search subaduser in ad.pb LDAP instead of Global Catalog.

(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-3940105347-3434501867-2690409756-1110)(objectclass=group)(name=*))][DC=ad,DC=pb].
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=subaduser,CN=Users,DC=sub,DC=ad,DC=pb].
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_done] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-03100742, data 0, 1 access points
    ref 1: 'sub.ad.pb'

(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Referral(10), 0000202B: RefErr: DSID-03100742, data 0, 1 access points
    ref 1: 'sub.ad.pb'

(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_nested_group_single_step_done] (0x0020): Error processing direct membership [5]: Input/output error
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_nested_done] (0x0020): Nested group processing failed: [5][Input/output error]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_id_op_done] (0x0200): communication error on cached connection, moving to next server
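The debug log above shows the failure pattern: the group search against the backend's own domain (base `DC=ad,DC=pb`) succeeds, but the follow-up search for the member whose DN sits in the child domain (`DC=sub,DC=ad,DC=pb`) is sent to the same domain controller on the domain LDAP port, which does not hold that naming context and answers with a referral. The script below is an added example (not SSSD code, not part of this ticket): it parses log lines in the shape quoted above, flags every `ldap_search_ext` whose base DN lies outside the backend domain, pairs it with its `Search result` line, and states the lookup that avoids the referral, namely a Global Catalog query on port 3268. The sample log lines are copied from this ticket as constructed input; the function names, the `ad.pb` forest-root assumption and the port numbers are mine.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: four lines in the shape of the SSSD debug log quoted in
# this ticket (own-domain group search succeeds, child-domain member search is referred).
SAMPLE_LOG = """\
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-3940105347-3434501867-2690409756-1110)(objectclass=group)(name=*))][DC=ad,DC=pb].
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=subaduser,CN=Users,DC=sub,DC=ad,DC=pb].
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_done] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-03100742, data 0, 1 access points
"""

# "calling ldap_search_ext with [<filter>][<base DN>]."  The filter may contain
# parentheses but no square brackets, so the base DN is the last bracketed field.
SEARCH_RE = re.compile(
    r"\[(?P<func>\w+)\] \(0x[0-9a-f]+\): calling ldap_search_ext with "
    r"\[(?P<filter>.*)\]\[(?P<base>[^\]]*)\]\."
)
RESULT_RE = re.compile(r"Search result: (?P<result>\w+)\((?P<code>\d+)\)")
DC_RE = re.compile(r"DC=([^,]+)", re.IGNORECASE)


def dn_domain(dn: str) -> str:
    """DNS domain a DN belongs to, read from its DC= components (lower-cased)."""
    return ".".join(DC_RE.findall(dn)).lower()


def domain_base(domain: str) -> str:
    """DNS domain name -> LDAP base DN, e.g. 'ad.pb' -> 'DC=ad,DC=pb'."""
    return ",".join(f"DC={label}" for label in domain.split("."))


def analyse(log: str, backend_domain: str) -> List[Dict[str, object]]:
    """Collect each ldap_search_ext call, note whether its base DN lies outside the
    backend's own domain, and attach the result of the next 'Search result' line."""
    searches: List[Dict[str, object]] = []
    for line in log.splitlines():
        m = SEARCH_RE.search(line)
        if m:
            base = m.group("base")
            searches.append({
                "filter": m.group("filter"),
                "base": base,
                "domain": dn_domain(base),
                "cross_domain": dn_domain(base) != backend_domain.lower(),
                "result": None,
            })
            continue
        m = RESULT_RE.search(line)
        if m and searches and searches[-1]["result"] is None:
            searches[-1]["result"] = m.group("result")
    return searches


def plan_lookup(member_dn: str, backend_domain: str, forest_root: str) -> Tuple[str, int, str]:
    """Decide where a member DN has to be resolved.

    An object from another domain of the forest is not in the backend domain's naming
    context, so the domain LDAP port (389) can only refer the client elsewhere.  The
    Global Catalog (port 3268) carries a partial replica of every domain in the forest,
    so a GC search rooted at the forest root finds the member without a referral.
    """
    if dn_domain(member_dn) == backend_domain.lower():
        return ("ldap", 389, domain_base(backend_domain))
    return ("gc", 3268, domain_base(forest_root))


def main() -> None:
    backend, forest_root = "ad.pb", "ad.pb"  # assumption: ad.pb is the forest root
    for hit in analyse(SAMPLE_LOG, backend):
        tag = "CROSS-DOMAIN" if hit["cross_domain"] else "own domain "
        print(f"{tag} base={hit['base']} -> {hit['result']}")
        if hit["cross_domain"]:
            kind, port, base = plan_lookup(str(hit["base"]), backend, forest_root)
            print(f"    resolve via {kind} on port {port}, base {base}")


if __name__ == "__main__":
    main()
```

Running it prints the own-domain group search as `Success` and the child-domain member search as `Referral`, followed by the Global Catalog lookup that would resolve the member; the same `analyse()` pass works on a full `sssd_<domain>.log` to spot which searches are being sent to the wrong naming context.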

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.11.1

Fields changed

owner: somebody => pbrezina
status: new => assigned

Fields changed

patch: 0 => 1

The patchset is massive and needs rebasing atop patches for #1970. I'd rather push the review to 1.11.2

milestone: SSSD 1.11.1 => SSSD 1.11.2

Replying to [comment:5 jhrozek]:

The patchset is massive and needs rebasing atop patches for #1970. I'd rather push the review to 1.11.2

Sorry, #2070

Fields changed

changelog: => The SSSD is now able to resolve all group members from different Active Directory domains as long as they come from a single forest.

Metadata Update from @pbrezina:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.11.2

2 years ago
