#2190 Group membership lookup issue
Closed: Fixed. Opened 5 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1049533

Description of problem:
Issue with SSSD group membership lookup

Version-Release number of selected component (if applicable):
[root@dhcp207-43 ~]# rpm -q sssd
sssd-1.11.2-19.el7.x86_64
[root@dhcp207-43 ~]# rpm -q ipa-server
ipa-server-3.3.3-8.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Setup AD trust
2. Add users in AD
3. Add posix group ad_users
4. Add external group ad_users_ext
5. Add ad_users_ext to ad_users group
6. Add aduser1 user to ad_users_ext group
7. Check id aduser1@domain.com for ad user group memberships on IPA

Actual results:
[root@dhcp207-43 ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

[root@dhcp207-43 ~]# getent passwd aduser1@adtest.qe
aduser1@adtest.qe:*:1148401313:1148401313:ads user:/:

[root@dhcp207-43 ~]# ipa group-show ad_users
  Group name: ad_users
  Description: ad_users local group
  GID: 1741800004
  Member groups: ad_users_ext
  Member of HBAC rule: testrule

[root@dhcp207-43 ~]# ipa group-show ad_users_ext
  Group name: ad_users_ext
  Description: ad_users external map
  Member of groups: ad_users
  Indirect Member of HBAC rule: testrule
  External member: S-1-5-21-1910160501-511572375-3625658879-1313

[root@dhcp207-43 ~]# wbinfo -n 'ADTEST\aduser1'
S-1-5-21-1910160501-511572375-3625658879-1313 SID_USER (1)

[root@dhcp207-43 ~]# id 'ADTEST\aduser1'
uid=1148401313(aduser1@adtest.qe) gid=1148401313(aduser1@adtest.qe)
groups=1148401313(aduser1@adtest.qe),1148400513(domain users@adtest.qe)

[root@dhcp207-43 ~]# ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
  Rule name: allow_all
  User category: all
  Host category: all
  <sourcehostcategory>: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: TRUE

  Rule name: testrule
  Description: test
  Enabled: TRUE
  User Groups: ad_users
  Hosts: dhcp207-43.testrelm.com
  Services: sshd
----------------------------
Number of entries returned 2
----------------------------

[root@dhcp207-43 ~]# ipa hbactest --user 'aduser1@adtest.qe' --host `hostname` --service sshd
--------------------
Access granted: True
--------------------
  Matched rules: allow_all
  Not matched rules: testrule
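A consistency check for the membership chain built in steps 3 to 7, run against the outputs quoted in the actual results above. This is an added example, not part of the ticket or of SSSD/IPA: the sample data is constructed from the quoted `wbinfo`, `ipa group-show` and `id` outputs, and the function names are my own.

```python
import re

# Constructed sample data, copied from the outputs quoted in the ticket.
USER_SID = "S-1-5-21-1910160501-511572375-3625658879-1313"  # wbinfo -n 'ADTEST\aduser1'
EXTERNAL_GROUPS = {"ad_users_ext": {USER_SID}}             # ipa group-show ad_users_ext
POSIX_GROUPS = {"ad_users": {"ad_users_ext"}}              # ipa group-show ad_users
ID_OUTPUT_BUGGY = (
    "uid=1148401313(aduser1@adtest.qe) gid=1148401313(aduser1@adtest.qe) "
    "groups=1148401313(aduser1@adtest.qe),1148400513(domain users@adtest.qe)"
)


def parse_id_groups(id_output):
    """Return the set of group names listed after 'groups=' in `id` output."""
    m = re.search(r"groups=(.*)", id_output)
    if not m:
        return set()
    return {name for _gid, name in re.findall(r"(\d+)\(([^)]+)\)", m.group(1))}


def expected_posix_groups(user_sid, external_groups, posix_groups):
    """POSIX groups the user should resolve to through an external group holding its SID."""
    ext_with_user = {n for n, sids in external_groups.items() if user_sid in sids}
    return {p for p, members in posix_groups.items() if members & ext_with_user}


def missing_posix_groups(user_sid, external_groups, posix_groups, id_output):
    """Expected POSIX groups absent from `id` output; empty set means resolution is consistent."""
    expected = expected_posix_groups(user_sid, external_groups, posix_groups)
    resolved = parse_id_groups(id_output)
    # IPA groups may be printed plain ("ad_users") or qualified ("ad_users@ipa.example"),
    # depending on use_fully_qualified_names, so accept both forms. Stripping the suffix
    # would also match an AD group of the same name; name IPA and AD groups distinctly.
    plain = {name.split("@", 1)[0] for name in resolved}
    return {g for g in expected if g not in resolved and g not in plain}


if __name__ == "__main__":
    for g in sorted(missing_posix_groups(USER_SID, EXTERNAL_GROUPS, POSIX_GROUPS, ID_OUTPUT_BUGGY)):
        print(f"WARNING: HBAC rules keyed on group '{g}' will not match this user")
```

With the ticket's `id` output the check reports `ad_users` as missing, which is why `testrule` does not match and only `allow_all` grants access in the `hbactest` run.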

Fields changed

owner: somebody => sbose
patch: 0 => 1
review: True => 0

milestone: NEEDS_TRIAGE => SSSD 1.11.4
resolution: => fixed
status: new => closed

Fields changed

changelog: => A bugfix for IPA server mode.

Metadata Update from @jhrozek (2 years ago):
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.11.4
