#3516 Ubuntu 14.04 + sssd + Active Directory -- can't see users in trusted domains within same forest
Closed: wontfix a year ago by pbrezina. Opened 3 years ago by jsilve1.

Hi! Please help. Everything I've read has stated that this should work, but it does not. On ubuntu, that is. I set up a Centos 7 box and this did work. I've tried this on

  • Ubuntu 14.04 with sssd 1.11.8 (from the default Ubuntu 14.04 repos) -- didn't work
  • Ubuntu 14.04 with sssd 1.13.4 (from a PPA) -- also didn't work
  • Centos 7 with sssd 1.14.0 -- This worked!
  • Ubuntu 16.04 with sssd 1.13.4 -- this did not work

Description

I have two Active Directory domains in the same forest.

  • Domain "CORP"
  • Domain "QA"

I have 2-way trusts set up between the domains.

"Real users" are all in CORP

Authorization into QA is handled with AD Universal Groups, but I don't think that's relevant here (especially since what I want to work does work on Centos 7+sssd)

I have an Ubuntu 14.04 box set up which I joined to domain "QA" via realmd. here's the actual command I used

realm join \
    --install=/ \
    --verbose \
    --user=jsilverman@CORP.EXAMPLE.COM \
    --client-software=sssd \
    --membership-software=adcli \
    --computer-ou="OU=Linux,OU=Servers,DC=qa,DC=example,DC=com" \
    QA.EXAMPLE.COM

Running this command, realmd

  • creates a kerberos keytab
  • sets up sssd.conf
  • adds the computer to the OU specified in QA.EXAMPLE.COM

I then went in and added another domain to sssd.conf to configure CORP. When done, I have the following config files:

File /etc/sssd.conf:

[sssd]
domains = qa.example.com
config_file_version = 2
services = nss, pam

[domain/qa.example.com]
ad_domain = qa.example.com
krb5_realm = QA.EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /srv/home/%u
access_provider = ad
enumerate = True

[domain/corp.example.com]
ad_domain = corp.example.com
krb5_realm = CORP.EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /srv/home/%u
access_provider = ad
enumerate = True

File /etc/krb5.conf:

[libdefaults]
    default_realm = QA.EXAMPLE.COM

[realms]
QA.EXAMPLE.COM = {
    kdc = qadc01a.example.com
    kdc = qadc01b.example.com
    admin_server = qadc01a.example.com
}
CORP.EXAMPLE.COM = {
    kdc = corpdc01a.it.example.com
    kdc = corpdc01b.it.example.com
    admin_server = corpdc01a.it.example.com
}


[domain_realm]
.qa.example.com = QA.EXAMPLE.COM
qa.example.com = QA.EXAMPLE.COM
.corp.example.com = CORP.EXAMPLE.COM
corp.example.com = CORP.EXAMPLE.COM

File /etc/realmd.conf:

[service]
automatic-install = no

[users]
default-home = /srv/home/%U
default-shell = /bin/bash

[qa.example.com]
computer-ou = OU=Servers,OU=Linux,DC=qa,DC=example,DC=com
automatic-id-mapping = yes
fully-qualified-names = no

[corp.example.com]
automatic-id-mapping = yes
fully-qualified-names = no

Finally, when I do all this on Centos 7, I am able to find users in both domains, and I'm able to authenticate as those users from both domains. Example, on Centos 7:

# getent passwd  jsilverman@corp.example.com
jsilverman@corp.example.com:*:363201124:363201124:Jeff Silverman:/srv/home/jsilverman:/bin/bash
# getent passwd qatestadmin
qatestadmin:*:277401105:277400513:QA Test Admin:/srv/home/qatestadmin:/bin/bash
# getent passwd qatestadmin@qa.example.com
qatestadmin:*:277401105:277400513:QA Test Admin:/srv/home/qatestadmin:/bin/bash

HOWEVER, when I do all this on Ubuntu 14.04, OR on Ubuntu 16.04, I can only see users from the QA domain.

# getent passwd  jsilverman@corp.example.com    ## (Note: there is no output from this command)
# getent passwd qatestadmin
qatestadmin:*:277401105:277400513:QA Test Admin:/srv/home/qatestadmin:/bin/bash
# getent passwd qatestadmin@qa.example.com
qatestadmin:*:277401105:277400513:QA Test Admin:/srv/home/qatestadmin:/bin/bash

Please advise!
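sssd activates only the domains named in the `domains` option of the `[sssd]` section; a `[domain/NAME]` section that is not listed there is parsed but never started, which is a common reason lookups against a second domain return nothing. The following checker, added here as an illustration and not part of the ticket or of sssd itself, parses an sssd.conf and reports domain sections that are defined but not activated (and names activated without a section). The embedded sample is a constructed file modelled on the configuration quoted above; `lint_domains` is a hypothetical helper name.

```python
import configparser

# Constructed sample modelled on the sssd.conf in this ticket (not a real file):
# [sssd] domains names only qa.example.com, yet a second [domain/corp.example.com]
# section is defined below it.
SAMPLE_SSSD_CONF = """
[sssd]
domains = qa.example.com
config_file_version = 2
services = nss, pam

[domain/qa.example.com]
id_provider = ad
ad_domain = qa.example.com

[domain/corp.example.com]
id_provider = ad
ad_domain = corp.example.com
"""

def parse_sssd_conf(text):
    """Parse sssd.conf text; sssd option names are case-sensitive, so keep them."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def domain_sections(cp):
    """Names of every domain that has a [domain/NAME] section."""
    return {s[len("domain/"):] for s in cp.sections() if s.startswith("domain/")}

def active_domains(cp):
    """Domains listed in [sssd] domains; only these are started by sssd."""
    raw = cp.get("sssd", "domains", fallback="")
    return {d.strip() for d in raw.split(",") if d.strip()}

def lint_domains(text):
    """Return (inactive, missing): sections never activated, and names listed
    under 'domains' that have no matching [domain/NAME] section."""
    cp = parse_sssd_conf(text)
    defined, active = domain_sections(cp), active_domains(cp)
    return sorted(defined - active), sorted(active - defined)

if __name__ == "__main__":
    inactive, missing = lint_domains(SAMPLE_SSSD_CONF)
    for d in inactive:
        print(f"[domain/{d}] is defined but not listed in [sssd] domains; sssd ignores it")
    for d in missing:
        print(f"'{d}' is listed in [sssd] domains but has no [domain/{d}] section")
```

Run against the sample it reports corp.example.com as inactive; listing both domains in `domains = qa.example.com, corp.example.com` clears the finding.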


Please generate logs as per https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html

I would ask to generate logs with enumerate=false because enumeration emits too many log messages.

Please also only generate the logs with 1.13.4 from your setup as the other versions are no longer supported - we have a new minor release in the 1.14 branch and 1.11 has been unsupported for a long time.

One more update:

I tried this on Ubuntu 17.04 with native 17.04 repository and it works.

sssd => 1.15.2-1ubuntu1

I'm generating logs off the 14.04 box now

sssd-logs-send-to-bug-tracker.tar.gz

I've sanitized the logs and replaced all internal domain refs with "example.com" domain references.

These logs were generated with sssd v1.13.4

I've been trying to find a newer pre-built sssd 1.14 or 1.15 for ubuntu 14.04 but that doesn't seem to exist. Any ideas on that? Or do I need to build this from source?

Thanks!

Metadata Update from @pbrezina:
- Issue tagged with: Canditate to close

a year ago

Thank you for taking time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfill this request I am closing the issue as wontfix.

If the issue still persists on recent SSSD you can request re-consideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.

Thank you for understanding.

Metadata Update from @pbrezina:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

a year ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4542

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
