#2647 external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf
Closed: Fixed. Opened 5 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1211830

Description of problem:
When in an AD trust, IPA fails to return user information from the extdom call
if an external user is a member of an IPA group with the "default_domain_suffix"
setting configured in the IPA server's sssd.conf.  The user information is
complete and accurate when viewed on the IPA server itself, but no information
is returned to a client requesting that user, leading to complete identity
failure on clients.

"default_domain_suffix" is set on the IPA servers, along with all the clients,
as a convenience for administrators and users to avoid using their
fully-qualified names.  Although we can work around this bug by not setting
that value, we'd like to not have a unique configuration only on the IPA
servers.


Version-Release number of selected component (if applicable):
ipa-server-4.1.0-18.el7_1.3.x86_64
sssd-1.12.2-58.el7_1.6.x86_64


How reproducible:
always


Steps to Reproduce:
* setup an AD trust with POSIX attributes
* create user "test1"
* add user to "biggroup"
* ensure POSIX attributes are set on both the user and group

* on the IPA server, set default_domain_suffix in [sssd] section:
grep default_domain_suffix /etc/sssd/sssd.conf

ipa group-del ad_biggroup
ipa group-del external_biggroup

service sssd stop; rm -f /var/lib/sss/{db,mc}/*; service sssd start

id test1@example.com

ipa group-add --desc 'external - biggroup' --external external_biggroup
ipa group-add-member --users='' --groups='' --external 'EXAMPLE\biggroup' external_biggroup

ipa group-add --desc 'ad - biggroup' ad_biggroup
ipa group-add-member --users='' --groups=external_biggroup ad_biggroup

service sssd stop
rm -f /var/lib/sss/{db,mc}/*
rm -f /var/log/sssd/*
service sssd start

id test1@example.com


* on the IPA client:
service sssd stop; rm -f /var/lib/sss/{db,mc}/*; service sssd start; id test1@example.com


Actual results:
* on the IPA server without default_domain_suffix on the server:
grep default_domain_suffix /etc/sssd/sssd.conf; id test1@example.com
#default_domain_suffix = example.com
uid=10000(test1@example.com) gid=10000(domain users@example.com) groups=10000(domain users@example.com),730800023(ad_biggroup),10001(biggroup@example.com)

* on the IPA server with default_domain_suffix on the server:
grep default_domain_suffix /etc/sssd/sssd.conf; id test1@example.com
default_domain_suffix = example.com
uid=10000(test1@example.com) gid=10000(domain users@example.com) groups=10000(domain users@example.com),730800023(ad_biggroup),10001(biggroup@example.com)

* on the IPA client without default_domain_suffix on the server:
service sssd stop; rm -f /var/lib/sss/{db,mc}/*; service sssd start; id test1@example.com
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service
uid=10000(test1@example.com) gid=10000(domain users@example.com) groups=10000(domain users@example.com),730800023(ad_biggroup),10001(biggroup@example.com)

* on the IPA client with default_domain_suffix on the server:
service sssd stop; rm -f /var/lib/sss/{db,mc}/*; service sssd start; id test1@example.com
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service
id: test1@example.com: no such user


Expected results:
* on the IPA server:
grep default_domain_suffix /etc/sssd/sssd.conf; id test1@example.com
default_domain_suffix = example.com
uid=10000(test1@example.com) gid=10000(domain users@example.com) groups=10000(domain users@example.com),730800023(ad_biggroup),10001(biggroup@example.com)

* on the IPA client:
service sssd stop; rm -f /var/lib/sss/{db,mc}/*; service sssd start; id test1@example.com
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service
uid=10000(test1@example.com) gid=10000(domain users@example.com) groups=10000(domain users@example.com),730800023(ad_biggroup),10001(biggroup@example.com)


Additional info:
I put this bug under ipa because it only seems related to the extdom plugin in
IPA.  The user information is complete when querying on the IPA server, though
the bug is triggered by the sssd setting.  So I am not sure exactly in which
component the problem lies.

This is only an issue with sssd 1.12+ where the complete group information is
returned via the IPA extdom plugin, so technically it is a regression because
identity information is not returned and existing IPA environments are broken.
Prior to sssd 1.12, where group information was only completed via PAC, RHEL6
and RHEL7 clients had no issue resolving users' identities.

There is a server and a client side for this issue. The server side is already covered by #2569. This ticket will track the client side. If default_domain_suffix is set on the server side, and hence fully-qualified names are used for the IPA domain, the extdom plugin will return fully-qualified names for IPA objects as well. There are areas in the client code which do not handle this correctly.
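As an added example (not part of the ticket and not SSSD's own code), the following Python check parses `id` output in the shape shown in this ticket and reports what a client fails to resolve relative to the server, canonicalising short and fully-qualified IPA names so both forms compare equal. The IPA domain name ipa.example.test and the sample outputs are constructed assumptions.

```python
import re
from typing import NamedTuple, Optional

# Constructed samples shaped like the ticket's `id` results; the IPA domain
# name is an assumption, the ticket never names it.
IPA_DOMAIN = "ipa.example.test"
SERVER_OUTPUT = ("uid=10000(test1@example.com) gid=10000(domain users@example.com) "
                 "groups=10000(domain users@example.com),730800023(ad_biggroup),"
                 "10001(biggroup@example.com)")
# Assumed client view when default_domain_suffix is set on the server and extdom
# hands back the IPA group fully qualified: a client must treat this as equal.
CLIENT_OUTPUT_QUALIFIED = SERVER_OUTPUT.replace("(ad_biggroup)", "(ad_biggroup@ipa.example.test)")
# The failure mode reported in the ticket: the client resolves nothing at all.
CLIENT_OUTPUT_BROKEN = "id: test1@example.com: no such user"

_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")   # matches 10000(domain users@example.com)
_FIELD = re.compile(r"\s+(?=\w+=)")        # split only before uid= / gid= / groups=

class Identity(NamedTuple):
    uid: int
    user: str
    groups: dict   # gid -> fully qualified group name

def qualify(name: str, ipa_domain: str) -> str:
    """IPA objects appear short or fully qualified depending on
    default_domain_suffix; compare them in qualified form only."""
    return name if "@" in name else f"{name}@{ipa_domain}"

def parse_id(output: str, ipa_domain: str = IPA_DOMAIN) -> Optional[Identity]:
    """Parse one line of `id` output; None means the user did not resolve."""
    if output.startswith("id:"):
        return None
    fields = dict(part.split("=", 1) for part in _FIELD.split(output.strip()))
    uid, user = _ENTRY.match(fields["uid"]).groups()
    groups = {int(gid): qualify(name, ipa_domain)
              for gid, name in _ENTRY.findall(fields["groups"])}
    return Identity(int(uid), qualify(user, ipa_domain), groups)

class Check(NamedTuple):
    user_resolved: bool
    missing_groups: frozenset

def compare(server_output: str, client_output: str, ipa_domain: str = IPA_DOMAIN) -> Check:
    """Report what the client fails to resolve relative to the server."""
    server = parse_id(server_output, ipa_domain)
    client = parse_id(client_output, ipa_domain)
    if server is None:
        raise ValueError("user does not resolve on the server; nothing to compare")
    if client is None:
        return Check(False, frozenset(server.groups.values()))
    missing = {name for gid, name in server.groups.items() if client.groups.get(gid) != name}
    return Check(True, frozenset(missing))
```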


Fields changed

patch: 0 => 1

Fields changed

owner: somebody => sbose
status: new => assigned

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.12.5

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.12.5

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3688

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
