#2066 ad: invalid handling of Domain Users group for subdomain user
Closed: Fixed. Opened 5 years ago by pbrezina.

I have the following configuration of active directory forest:

ad.pb (root domain) <-- (transitive trust) --> sub.ad.pb (child domain)

user: subaduser@sub.ad.pb,
memberof: Domain Users@sub.ad.pb, test@sub.ad.pb

When processing user information, tokenGroups contains Domain Users@ad.pb and test@sub.ad.pb. For some reason, the Domain Users group is from the forest root (ad.pb) instead of the child domain (sub.ad.pb).

Interestingly, the id command returns Domain Users from both domains.

$ id 'SUBADPB\subaduser'
uid=1462601111(subaduser@sub.ad.pb) gid=1462601111(subaduser@sub.ad.pb) groups=1462601111(subaduser@sub.ad.pb),1751600513(domain users),1462601112(test@sub.ad.pb),1462600513(domain users@sub.ad.pb)

LDB contains:

dn: name=subaduser@sub.ad.pb,cn=users,cn=sub.ad.pb,cn=sysdb
createTimestamp: 1377857075
fullName: subaduser
gecos: subaduser
gidNumber: 1462601111
name: subaduser@sub.ad.pb
objectClass: user
uidNumber: 1462601111
objectSIDString: S-1-5-21-2202501355-1040042079-3472030569-1111
origPrimaryGroupGidNumber: 1462600513
originalDN: CN=subaduser,CN=Users,DC=sub,DC=ad,DC=pb
originalMemberOf: CN=test,CN=Users,DC=sub,DC=ad,DC=pb
originalModifyTimestamp: 20130827115406.0Z
entryUSN: 82658
userPrincipalName: subaduser@SUB.AD.PB
adUserAccountControl: 66048
nameAlias: subaduser@sub.ad.pb
initgrExpireTimestamp: 1377862476
lastUpdate: 1377857076
dataExpireTimestamp: 1377862476
memberof: name=S-1-5-21-3940105347-3434501867-2690409756-513,cn=groups,cn=sub.ad.pb,cn=sysdb
memberof: name=test@sub.ad.pb,cn=groups,cn=sub.ad.pb,cn=sysdb
distinguishedName: name=subaduser@sub.ad.pb,cn=users,cn=sub.ad.pb,cn=sysdb


dn: name=Domain Users@sub.ad.pb,cn=groups,cn=sub.ad.pb,cn=sysdb
createTimestamp: 1377857076
gidNumber: 1462600513
name: Domain Users@sub.ad.pb
objectClass: group
objectSIDString: S-1-5-21-2202501355-1040042079-3472030569-513
originalDN: CN=Domain Users,CN=Users,DC=sub,DC=ad,DC=pb
originalModifyTimestamp: 20130626132134.0Z
entryUSN: 38668
nameAlias: domain users@sub.ad.pb
isPosix: TRUE
lastUpdate: 1377857076
dataExpireTimestamp: 1377862476
distinguishedName: name=Domain Users@sub.ad.pb,cn=groups,cn=sub.ad.pb,cn=sysdb

dn: name=test@sub.ad.pb,cn=groups,cn=sub.ad.pb,cn=sysdb
createTimestamp: 1377857076
gidNumber: 1462601112
name: test@sub.ad.pb
objectClass: group
objectSIDString: S-1-5-21-2202501355-1040042079-3472030569-1112
originalDN: CN=test,CN=Users,DC=sub,DC=ad,DC=pb
originalModifyTimestamp: 20130829103018.0Z
entryUSN: 83976
orig_member: CN=subaduser,CN=Users,DC=sub,DC=ad,DC=pb
nameAlias: test@sub.ad.pb
isPosix: TRUE
lastUpdate: 1377857076
dataExpireTimestamp: 1377862476
member: name=subaduser@sub.ad.pb,cn=users,cn=sub.ad.pb,cn=sysdb
memberuid: subaduser@sub.ad.pb
distinguishedName: name=test@sub.ad.pb,cn=groups,cn=sub.ad.pb,cn=sysdb


dn: name=S-1-5-21-3940105347-3434501867-2690409756-513,cn=groups,cn=sub.ad.pb,cn=sysdb
createTimestamp: 1377857076
gidNumber: 1751600513
name: S-1-5-21-3940105347-3434501867-2690409756-513
objectClass: group
lastUpdate: 1377857076
dataExpireTimestamp: 1377857075
isPosix: FALSE
objectSIDString: S-1-5-21-3940105347-3434501867-2690409756-513
member: name=subaduser@sub.ad.pb,cn=users,cn=sub.ad.pb,cn=sysdb
memberuid: subaduser@sub.ad.pb
distinguishedName: name=S-1-5-21-3940105347-3434501867-2690409756-513,cn=groups,cn=sub.ad.pb,cn=sysdb

dn: name=Domain Users,cn=groups,cn=AD.PB,cn=sysdb
createTimestamp: 1377857076
gidNumber: 1751600513
name: Domain Users
objectClass: group
objectSIDString: S-1-5-21-3940105347-3434501867-2690409756-513
originalDN: CN=Domain Users,CN=Users,DC=ad,DC=pb
originalModifyTimestamp: 20130411080423.0Z
entryUSN: 12350
nameAlias: domain users
isPosix: TRUE
lastUpdate: 1377857076
dataExpireTimestamp: 1377862476
distinguishedName: name=Domain Users,cn=groups,cn=AD.PB,cn=sysdb

The unresolved SID is Domain Users from ad.pb; however, it is stored under cn=sub.ad.pb,cn=sysdb, which is wrong. It is also stored under cn=AD.PB,cn=sysdb, and there the SID is resolved. Domain Users from sub.ad.pb is also present in the sysdb.
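
As an added example (not part of this ticket and not SSSD's own code), the following Python script reads a sysdb dump in the flat "attribute: value" form shown above, learns each AD domain's SID prefix from the entries that carry an originalDN (i.e. were actually looked up in that domain), and reports every entry whose SID prefix belongs to a different domain than the sysdb container it sits in. It also derives the per-domain ID-mapping base as "posix id minus RID"; this assumes SSSD's algorithmic ID mapping (posix id = range base + RID), which the gidNumber values in the dump are consistent with, and does not hold when POSIX attributes come from AD. The sample text is a trimmed copy of the entries from the ticket; the helper names are mine.

```python
import re
from collections import defaultdict

# Constructed sample: the ticket's sysdb entries, trimmed to the attributes
# this check needs. Not read from a live cache.ldb.
SAMPLE_LDB = """\
dn: name=subaduser@sub.ad.pb,cn=users,cn=sub.ad.pb,cn=sysdb
objectClass: user
uidNumber: 1462601111
gidNumber: 1462601111
objectSIDString: S-1-5-21-2202501355-1040042079-3472030569-1111
originalDN: CN=subaduser,CN=Users,DC=sub,DC=ad,DC=pb
memberof: name=S-1-5-21-3940105347-3434501867-2690409756-513,cn=groups,cn=sub.ad.pb,cn=sysdb
memberof: name=test@sub.ad.pb,cn=groups,cn=sub.ad.pb,cn=sysdb

dn: name=Domain Users@sub.ad.pb,cn=groups,cn=sub.ad.pb,cn=sysdb
objectClass: group
gidNumber: 1462600513
objectSIDString: S-1-5-21-2202501355-1040042079-3472030569-513
originalDN: CN=Domain Users,CN=Users,DC=sub,DC=ad,DC=pb

dn: name=test@sub.ad.pb,cn=groups,cn=sub.ad.pb,cn=sysdb
objectClass: group
gidNumber: 1462601112
objectSIDString: S-1-5-21-2202501355-1040042079-3472030569-1112
originalDN: CN=test,CN=Users,DC=sub,DC=ad,DC=pb

dn: name=S-1-5-21-3940105347-3434501867-2690409756-513,cn=groups,cn=sub.ad.pb,cn=sysdb
objectClass: group
gidNumber: 1751600513
isPosix: FALSE
objectSIDString: S-1-5-21-3940105347-3434501867-2690409756-513

dn: name=Domain Users,cn=groups,cn=AD.PB,cn=sysdb
objectClass: group
gidNumber: 1751600513
objectSIDString: S-1-5-21-3940105347-3434501867-2690409756-513
originalDN: CN=Domain Users,CN=Users,DC=ad,DC=pb
"""

SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-\d+$")


def parse_ldif(text):
    """Split the dump into entries; every attribute is a list because
    memberof/member repeat within one entry."""
    entries, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            cur = None
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            cur = defaultdict(list)
            entries.append(cur)
        if cur is not None:
            cur[attr].append(value)
    return entries


def split_sid(sid):
    """'S-1-5-21-a-b-c-513' -> ('S-1-5-21-a-b-c', 513): domain part and RID."""
    if not SID_RE.match(sid):
        raise ValueError("not a domain SID: %s" % sid)
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def sysdb_domain(dn):
    """Container domain from '...,cn=<domain>,cn=sysdb', lowercased because
    the dump mixes cn=AD.PB and cn=sub.ad.pb."""
    return re.search(r",cn=([^,]+),cn=sysdb$", dn).group(1).lower()


def ad_domain(original_dn):
    """'CN=x,CN=Users,DC=sub,DC=ad,DC=pb' -> 'sub.ad.pb'."""
    return ".".join(re.findall(r"DC=([^,]+)", original_dn)).lower()


def learn_domain_sids(entries):
    """AD domain name -> domain SID prefix, taken only from entries with an
    originalDN, so the mapping comes from the authoritative lookup."""
    domain_sids = {}
    for e in entries:
        if "originalDN" in e and "objectSIDString" in e:
            prefix, _ = split_sid(e["objectSIDString"][0])
            dom = ad_domain(e["originalDN"][0])
            if domain_sids.setdefault(dom, prefix) != prefix:
                raise ValueError("conflicting SID prefixes for %s" % dom)
    return domain_sids


def misplaced_entries(entries, domain_sids):
    """(dn, container domain, owning domain) for entries stored under a
    sysdb container that does not own their SID prefix."""
    by_prefix = {v: k for k, v in domain_sids.items()}
    findings = []
    for e in entries:
        if "objectSIDString" not in e:
            continue
        prefix, _ = split_sid(e["objectSIDString"][0])
        container = sysdb_domain(e["dn"][0])
        owner = by_prefix.get(prefix)
        if owner is not None and owner != container:
            findings.append((e["dn"][0], container, owner))
    return findings


def idmap_bases(entries, domain_sids):
    """Per owning domain, the set of (posix id - RID). With algorithmic
    ID mapping (assumption) all objects of one domain share one base."""
    by_prefix = {v: k for k, v in domain_sids.items()}
    bases = defaultdict(set)
    for e in entries:
        if "objectSIDString" not in e:
            continue
        prefix, rid = split_sid(e["objectSIDString"][0])
        posix = e.get("gidNumber") or e.get("uidNumber")
        if posix:
            bases[by_prefix.get(prefix, prefix)].add(int(posix[0]) - rid)
    return dict(bases)


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDB)
    sids = learn_domain_sids(ents)
    for dn, container, owner in misplaced_entries(ents, sids):
        print("misplaced: %s stored under %s but SID belongs to %s" % (dn, container, owner))
    print("idmap bases:", idmap_bases(ents, sids))
```

On the ticket's data the only finding is the SID-named placeholder group under cn=sub.ad.pb: its prefix is the one learned for ad.pb, and its gidNumber 1751600513 minus RID 513 lands in the ad.pb range, which is why id prints the same 1751600513 for both the placeholder and the resolved Domain Users of the root domain.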


Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.11.1
rhbz: => 0

Fields changed

owner: somebody => pbrezina
status: new => assigned

Fields changed

patch: 0 => 1

resolution: => fixed
status: assigned => closed

Metadata Update from @pbrezina:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.11.1

2 years ago
