#2066 ad: invalid handling of Domain Users group for subdomain user
Closed: Fixed. Opened 7 years ago by pbrezina.

I have the following configuration of an Active Directory forest:

ad.pb (root domain) <-- (transitive trust) --> sub.ad.pb (child domain)

user: subaduser@sub.ad.pb,
memberof: Domain Users@sub.ad.pb, test@sub.ad.pb

When processing user information, tokenGroups contains Domain Users@ad.pb and test@sub.ad.pb. For some reason, the Domain Users group is from forest root (ad.pb), instead of child (sub.ad.pb).

Interestingly, the id command returns Domain Users from both domains.

$ id 'SUBADPB\subaduser'
uid=1462601111(subaduser@sub.ad.pb) gid=1462601111(subaduser@sub.ad.pb) groups=1462601111(subaduser@sub.ad.pb),1751600513(domain users),1462601112(test@sub.ad.pb),1462600513(domain users@sub.ad.pb)

LDB contains:

'''dn: name=subaduser@sub.ad.pb,cn=users,cn=sub.ad.pb,cn=sysdb'''
createTimestamp: 1377857075
fullName: subaduser
gecos: subaduser
gidNumber: 1462601111
name: subaduser@sub.ad.pb
objectClass: user
uidNumber: 1462601111
objectSIDString: S-1-5-21-2202501355-1040042079-3472030569-1111
origPrimaryGroupGidNumber: 1462600513
originalDN: CN=subaduser,CN=Users,DC=sub,DC=ad,DC=pb
originalMemberOf: CN=test,CN=Users,DC=sub,DC=ad,DC=pb
originalModifyTimestamp: 20130827115406.0Z
entryUSN: 82658
userPrincipalName: subaduser@SUB.AD.PB
adUserAccountControl: 66048
nameAlias: subaduser@sub.ad.pb
initgrExpireTimestamp: 1377862476
lastUpdate: 1377857076
dataExpireTimestamp: 1377862476
'''memberof: name=S-1-5-21-3940105347-3434501867-2690409756-513,cn=groups,cn=sub.ad.pb,cn=sysdb'''
memberof: name=test@sub.ad.pb,cn=groups,cn=sub.ad.pb,cn=sysdb
distinguishedName: name=subaduser@sub.ad.pb,cn=users,cn=sub.ad.pb,cn=sysdb


'''dn: name=Domain Users@sub.ad.pb,cn=groups,cn=sub.ad.pb,cn=sysdb'''
createTimestamp: 1377857076
gidNumber: 1462600513
name: Domain Users@sub.ad.pb
objectClass: group
'''objectSIDString: S-1-5-21-2202501355-1040042079-3472030569-513'''
originalDN: CN=Domain Users,CN=Users,DC=sub,DC=ad,DC=pb
originalModifyTimestamp: 20130626132134.0Z
entryUSN: 38668
nameAlias: domain users@sub.ad.pb
isPosix: TRUE
lastUpdate: 1377857076
dataExpireTimestamp: 1377862476
distinguishedName: name=Domain Users@sub.ad.pb,cn=groups,cn=sub.ad.pb,cn=sysdb

'''dn: name=test@sub.ad.pb,cn=groups,cn=sub.ad.pb,cn=sysdb'''
createTimestamp: 1377857076
gidNumber: 1462601112
name: test@sub.ad.pb
objectClass: group
objectSIDString: S-1-5-21-2202501355-1040042079-3472030569-1112
originalDN: CN=test,CN=Users,DC=sub,DC=ad,DC=pb
originalModifyTimestamp: 20130829103018.0Z
entryUSN: 83976
orig_member: CN=subaduser,CN=Users,DC=sub,DC=ad,DC=pb
nameAlias: test@sub.ad.pb
isPosix: TRUE
lastUpdate: 1377857076
dataExpireTimestamp: 1377862476
member: name=subaduser@sub.ad.pb,cn=users,cn=sub.ad.pb,cn=sysdb
memberuid: subaduser@sub.ad.pb
distinguishedName: name=test@sub.ad.pb,cn=groups,cn=sub.ad.pb,cn=sysdb


'''dn: name=S-1-5-21-3940105347-3434501867-2690409756-513,cn=groups,cn=sub.ad.pb,cn=sysdb'''
createTimestamp: 1377857076
gidNumber: 1751600513
name: S-1-5-21-3940105347-3434501867-2690409756-513
objectClass: group
lastUpdate: 1377857076
dataExpireTimestamp: 1377857075
isPosix: FALSE
objectSIDString: S-1-5-21-3940105347-3434501867-2690409756-513
member: name=subaduser@sub.ad.pb,cn=users,cn=sub.ad.pb,cn=sysdb
memberuid: subaduser@sub.ad.pb
distinguishedName: name=S-1-5-21-3940105347-3434501867-2690409756-513,cn=groups,cn=sub.ad.pb,cn=sysdb

'''dn: name=Domain Users,cn=groups,cn=AD.PB,cn=sysdb'''
createTimestamp: 1377857076
gidNumber: 1751600513
name: Domain Users
objectClass: group
'''objectSIDString: S-1-5-21-3940105347-3434501867-2690409756-513'''
originalDN: CN=Domain Users,CN=Users,DC=ad,DC=pb
originalModifyTimestamp: 20130411080423.0Z
entryUSN: 12350
nameAlias: domain users
isPosix: TRUE
lastUpdate: 1377857076
dataExpireTimestamp: 1377862476
distinguishedName: name=Domain Users,cn=groups,cn=AD.PB,cn=sysdb

The unresolved SID is Domain Users from ad.pb; however, it is stored under cn=sub.ad.pb,cn=sysdb, which is wrong. It is also stored under cn=AD.PB, and there the SID is resolved. Domain Users from sub.ad.pb is also present in the sysdb.
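As an added check (not part of the report or of SSSD's own code), the following script reproduces the mismatch described above from a sysdb dump: it derives each entry's owning domain from the domain prefix of its objectSID and flags entries cached under a different domain's cn=...,cn=sysdb subtree. The domain SIDs are read off the dump above, and the sample dump is a constructed reduction of it to the attributes the check needs.

```python
import re

# Constructed sample: the dn and objectSIDString of the entries from the
# report's sysdb dump (other attributes omitted, they play no part here).
SYSDB_DUMP = """\
dn: name=subaduser@sub.ad.pb,cn=users,cn=sub.ad.pb,cn=sysdb
objectSIDString: S-1-5-21-2202501355-1040042079-3472030569-1111

dn: name=Domain Users@sub.ad.pb,cn=groups,cn=sub.ad.pb,cn=sysdb
objectSIDString: S-1-5-21-2202501355-1040042079-3472030569-513

dn: name=S-1-5-21-3940105347-3434501867-2690409756-513,cn=groups,cn=sub.ad.pb,cn=sysdb
objectSIDString: S-1-5-21-3940105347-3434501867-2690409756-513

dn: name=Domain Users,cn=groups,cn=AD.PB,cn=sysdb
objectSIDString: S-1-5-21-3940105347-3434501867-2690409756-513
"""

# Domain SIDs read off the report's dump: an object's SID is <domain SID>-<RID>.
DOMAIN_SIDS = {
    "sub.ad.pb": "S-1-5-21-2202501355-1040042079-3472030569",
    "ad.pb": "S-1-5-21-3940105347-3434501867-2690409756",
}
SID_OWNER = {dsid: dom for dom, dsid in DOMAIN_SIDS.items()}

def parse_entries(dump):
    """Split an ldbsearch-style dump into a list of {attribute: value} dicts."""
    return [dict(line.partition(": ")[::2] for line in block.splitlines())
            for block in re.split(r"\n\s*\n", dump.strip())]

def sysdb_domain(dn):
    """Domain subtree the entry is cached under (cn=<domain>,cn=sysdb), lowercased."""
    m = re.search(r"cn=([^,]+),cn=sysdb$", dn, re.IGNORECASE)
    return m.group(1).lower() if m else None

def sid_owner(sid):
    """Domain that owns a SID, decided by its domain prefix (None if unknown)."""
    return SID_OWNER.get(sid.rsplit("-", 1)[0])

def find_mishomed(dump):
    """Entries whose sysdb subtree differs from the domain that owns their SID."""
    bad = []
    for e in parse_entries(dump):
        sid = e.get("objectSIDString")
        if not sid:
            continue
        cached, owner = sysdb_domain(e["dn"]), sid_owner(sid)
        if owner and cached != owner:
            bad.append((e["dn"], cached, owner))
    return bad

if __name__ == "__main__":
    for dn, cached, owner in find_mishomed(SYSDB_DUMP):
        print(f"{dn}\n  cached under {cached}, but its SID belongs to {owner}")
```

On the sample it reports exactly one entry, the unresolved root-domain Domain Users SID cached under cn=sub.ad.pb; the sub.ad.pb Domain Users entry (RID 513 under the child's own domain SID) is correctly homed and stays silent.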


Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.11.1
rhbz: => 0

Fields changed

owner: somebody => pbrezina
status: new => assigned

Fields changed

patch: 0 => 1

resolution: => fixed
status: assigned => closed

Metadata Update from @pbrezina:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.11.1

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3108

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
