#2650 Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust
Closed: Fixed None Opened 5 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1219844

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

+++ This bug was initially created as a clone of Bug #1219285 +++

Description of problem:
When using RHEL 7.1 client with SSSD (sssd-1.12.2-58.el7_1.6.x86_64) AD group
memberships are not resolved.

When using RHEL 6.6 client with SSSD (sssd-1.11.6-30.el6_6.4.x86_64) AD group
memberships are resolved.

Version-Release number of selected component (if applicable):
Client:
 :: Red Hat Enterprise Linux Server release 7.1 (Maipo)
 :: sssd-1.12.2-58.el7_1.6.x86_64

Server:
 :: Red Hat Enterprise Linux Server release 6.6 (Santiago)
 :: ipa-server-3.0.0-42.el6.x86_64

How reproducible:
Every time.

Steps to Reproduce:
1. Install RHEL 6.6 IPA server configured with trust to Windows 2012 R2 Active Directory.
 - Users in AD:
     hjensas, rhel6user
 - Groups in AD:
     nix-users
   : nix-users group Members: hjensas, rhel6user
2. Groups in IPA
   ipa group-add --desc='AD nix users external map' ad_nix-users_external --external
   ipa group-add --desc='AD nix-users' nix-users
   ipa group-add-member ad_nix-users_external --external "nix-users@example.com"
   ipa group-add-member nix-users --groups ad_nix-users_external
...
[root@ipa01 ~]# ipa group-show ad_nix-users_external
  Group name: ad_nix-users_external
  Description: AD nix users external map
  Member of groups: nix-users
  External member: S-1-5-21-3630949036-529635555-1148799846-1115
[root@ipa01 ~]# ipa group-show nix-users
  Group name: nix-users
  Description: AD nix-users
  GID: 100004
  Member groups: ad_nix-users_external
...
3. Install RHEL 7.1 from DVD and attach subscription.
4. On RHEL 7.1 client:
 :: subscription-manager repos --disable=*
 :: subscription-manager repos --enable=rhel-7-server-rpms
 :: yum install ipa-client -y ; yum update -y
 :: reboot
 :: ipa-client-install

5. On RHEL 7.1 client - Add auth_to_local rules in krb5.conf:
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = NIX.EXAMPLE.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  NIX.EXAMPLE.COM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
    auth_to_local = RULE:[1:$1@$0](^.*@EXAMPLE.COM$)s/@EXAMPLE.COM/@example.com/
    auth_to_local = RULE:[1:$1@$0](^.*@NIX.EXAMPLE.COM$)s/@NIX.EXAMPLE.COM/@nix.example.com/
    auth_to_local = DEFAULT
  }

[domain_realm]
  .nix.example.com = NIX.EXAMPLE.COM
  nix.example.com = NIX.EXAMPLE.COM

6. On RHEL 7.1 client - add PAC service in sssd
[domain/nix.example.com]
debug_level = 9
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = nix.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipaclient-rhel7.nix.example.com
chpass_provider = ipa
ipa_server = _srv_, ipa01.nix.example.com
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
debug_level = 9
services = nss, sudo, pam, ssh, pac
config_file_version = 2
domains = nix.example.com
default_domain_suffix = example.com

[nss]
debug_level = 9
homedir_substring = /home

[pam]
debug_level = 9

[sudo]
debug_level = 9

[autofs]
debug_level = 9

[ssh]
debug_level = 9

[pac]
debug_level = 9

[ifp]
debug_level = 9

Actual results:
___ RHEL 7.1 client, UNSUCCESSFUL resolving nix-users membership ___
$ ssh hjensas@ipaclient-rhel7.nix.example.com
hjensas@ipaclient-rhel7.nix.example.com's password:
Last failed login: Thu May  7 01:38:01 CEST 2015 from 192.168.102.1 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Thu May  7 01:24:47 2015 from 192.168.102.1
Could not chdir to home directory /home/example.com/hjensas: No such file or directory
-sh-4.2$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.1 (Maipo)
-sh-4.2$ id
uid=806601104(hjensas@example.com) gid=806601104(hjensas@example.com) groups=806601104(hjensas@example.com) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

___ RHEL 6.6 client, SUCCESS resolving nix-users membership ___
$ ssh hjensas@idmclient01.nix.example.com
hjensas@idmclient01.nix.example.com's password:
Last login: Thu May  7 01:21:17 2015 from 192.168.102.1
Could not chdir to home directory /home/example.com/hjensas: No such file or directory
-bash-4.1$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.6 (Santiago)
-bash-4.1$ id
uid=806601104(hjensas@example.com) gid=806601104(hjensas@example.com) groups=806601104(hjensas@example.com),100004(nix-users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Expected results:
RHEL 7.1 client should be able to resolve group membership via PAC, like the
RHEL 6.6 client can using the same IPA server with AD Trust.

Additional info:
SOS reports from all systems, RHEL 6 IPA server, RHEL 6 IPA client and RHEL 7
IPA client attached.
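The auth_to_local lines in step 5 are what turn a Kerberos principal such as hjensas@EXAMPLE.COM into the local account name hjensas@example.com that `id` later prints. A RULE is evaluated in three stages: `[n:fmt]` applies only to principals with exactly n components and rebuilds a string from them ($0 is the realm, $1 the first component), the parenthesised regular expression must match that string, and the sed-style s/pattern/replacement/ substitutions are then applied. The Python model below is an added example, not part of the report or of MIT krb5; it runs the report's own rules and default_realm over a few constructed principals, and Python's re stands in for the POSIX regular expressions krb5 uses.

```python
import re
from typing import List, Optional, Tuple

# Constructed input: the auth_to_local lines from the krb5.conf in step 5,
# in the order krb5 evaluates them, plus that file's default_realm.
AUTH_TO_LOCAL_RULES: List[str] = [
    "RULE:[1:$1@$0](^.*@EXAMPLE.COM$)s/@EXAMPLE.COM/@example.com/",
    "RULE:[1:$1@$0](^.*@NIX.EXAMPLE.COM$)s/@NIX.EXAMPLE.COM/@nix.example.com/",
    "DEFAULT",
]
DEFAULT_REALM = "NIX.EXAMPLE.COM"

_RULE_HEAD = re.compile(r"^RULE:\[(\d+):([^\]]*)\](.*)$")
# One sed-style substitution: s/regexp/replacement/ with an optional trailing g.
_SUBST = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


def parse_rule(rule: str) -> Tuple[int, str, Optional[str], List[Tuple[str, str, str]]]:
    """Split 'RULE:[n:fmt](selector)s/pat/rep/...' into its parts.

    n is the exact number of principal components the rule applies to,
    fmt rebuilds a string from them ($0 = realm, $1.. = components), the
    optional selector must match that string, and the substitutions are
    then applied in order.
    """
    m = _RULE_HEAD.match(rule)
    if not m:
        raise ValueError(f"unsupported auth_to_local rule: {rule!r}")
    ncomp, fmt, rest = int(m.group(1)), m.group(2), m.group(3)
    selector = None
    if rest.startswith("("):
        # The selector ends at the ')' right before the first 's/' (or at the end).
        end = rest.find(")s/")
        if end == -1:
            if not rest.endswith(")"):
                raise ValueError(f"unterminated selector in {rule!r}")
            end = len(rest) - 1
        selector, rest = rest[1:end], rest[end + 1:]
    return ncomp, fmt, selector, _SUBST.findall(rest)


def map_principal(principal: str,
                  rules: List[str] = AUTH_TO_LOCAL_RULES,
                  default_realm: str = DEFAULT_REALM) -> Optional[str]:
    """Return the local name produced by the first matching rule, or None.

    None models krb5 finding no mapping at all; the login is then refused
    rather than falling back to the bare principal name.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError(f"principal {principal!r} has no realm")
    components = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only maps single-component principals of the default realm.
            if realm == default_realm and len(components) == 1:
                return components[0]
            continue
        ncomp, fmt, selector, subs = parse_rule(rule)
        if len(components) != ncomp:
            continue
        formatted = re.sub(
            r"\$(\d+)",
            lambda m: realm if m.group(1) == "0" else components[int(m.group(1)) - 1],
            fmt,
        )
        # krb5 uses POSIX regular expressions; Python's re is close enough
        # for the simple anchored patterns used in this report.
        if selector is not None and not re.search(selector, formatted):
            continue
        for pattern, replacement, global_flag in subs:
            # Insert the replacement literally so backslashes are not reinterpreted.
            formatted = re.sub(pattern, lambda _m, r=replacement: r,
                               formatted, count=0 if global_flag else 1)
        return formatted
    return None


if __name__ == "__main__":
    # The AD user from the report becomes the name the client's `id` prints.
    print(map_principal("hjensas@EXAMPLE.COM"))        # hjensas@example.com
    print(map_principal("hjensas@NIX.EXAMPLE.COM"))    # hjensas@nix.example.com
    print(map_principal("host/ipa01.nix.example.com@NIX.EXAMPLE.COM"))  # None
```

Note that the second RULE fires before DEFAULT for IPA-realm users, so hjensas@NIX.EXAMPLE.COM maps to hjensas@nix.example.com rather than to a bare hjensas; with default_domain_suffix = example.com in sssd.conf, the unqualified name would otherwise be looked up in the AD domain. A two-component principal matches neither RULE and is not mapped by DEFAULT, so it yields no local name.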

--- Additional comment from Harald Jensås on 2015-05-06 19:59:02 EDT ---



--- Additional comment from Harald Jensås on 2015-05-06 20:01:27 EDT ---



--- Additional comment from Harald Jensås on 2015-05-06 20:03:03 EDT ---



--- Additional comment from RHEL Product and Program Management on 2015-05-06 20:06:31 EDT ---

Since this bug report was entered in bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

--- Additional comment from Sumit Bose on 2015-05-07 04:55:32 EDT ---

I think a change in the pac responder caused this. I will prepare a test build.

--- Additional comment from Sumit Bose on 2015-05-07 08:04:53 EDT ---

It is not related to the PAC responder but to the new code which tries to determine if the client has assigned a view. Older versions of 389ds return an error here but it looks like there is a different error code used by different releases. In the given case it is '389-Directory/1.2.11.15' and it returns LDAP_PROTOCOL_ERROR. Newer versions (I tested with '389-Directory/1.3.3.8') return LDAP_UNAVAILABLE_CRITICAL_EXTENSION.

The LDAP_UNAVAILABLE_CRITICAL_EXTENSION is already handled correctly by SSSD; support must be added for the LDAP_PROTOCOL_ERROR case.

Fields changed

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
owner: somebody => sbose
review: True => 0
selected: =>
status: new => assigned
testsupdated: => 0

Fields changed

patch: 0 => 1

milestone: NEEDS_TRIAGE => SSSD 1.12.5

Fields changed

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.12.5

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3691

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
