#3595 ID override GID from Default Trust View is not properly resolved in case domain resolution order is set
Closed: Fixed 6 years ago Opened 7 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1514061

Description of problem:

Setup: IdM with AD Trust. A Posix group 'ad_admins' (GID 732000006) exists with
one member 'ad_admins_external'. The member of the external group is the
Windows Domain Admins group. There also exists a Windows Domain User 'aduser'
with UID/GID 702801104.

Without any ID override or domain resolution order defined, 'id
aduser@windows.mylab.local' gives the following output:

# id aduser@windows.mylab.local
uid=702801104(aduser@windows.mylab.local)
gid=702801104(aduser@windows.mylab.local) groups=702801104(aduser@windows.mylab
.local),732000005(ad_users),702800513(domain users@windows.mylab.local)

Now I define an ID override in the Default Trust View for the 'aduser' to
change the GID to 732000006:

# ipa idoverrideuser-add 'Default Trust View' aduser@windows.mylab.local
--gidnumber=732000006

I clean the cache and verify that the user now uses the GID from the ID
override:

# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/* /var/log/sssd/*; systemctl
start sssd
# id aduser@windows.mylab.local
uid=702801104(aduser@windows.mylab.local) gid=732000006(ad_admins)
groups=732000006(ad_admins),732000005(ad_users),702800513(domain
users@windows.mylab.local)

This works as expected.

Now I change the domain resolution order so that I don't have to use the domain
name when I refer to the 'aduser' account:

# ipa config-mod
--domain-resolution-order=windows.mylab.local:linux.mylab.local
# ipa config-show|grep -i resolution
  Domain resolution order: windows.mylab.local:linux.mylab.local

I clean the cache and verify again that the 'aduser' account still uses the GID
from the ID override:

# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd
# id aduser
uid=702801104(aduser@windows.mylab.local)
gid=732000006(aduser@windows.mylab.local) groups=732000006(aduser@windows.mylab
.local),732000005(ad_users@linux.mylab.local),702800513(domain
users@windows.mylab.local)

As we can see, the user still uses the correct GID from the ID override
(732000006), but the GID is resolved to the wrong group name ('aduser' instead
of 'ad_admins').

Also using the domain with the user name doesn't change this behaviour:

# id aduser@windows.mylab.local
uid=702801104(aduser@windows.mylab.local)
gid=732000006(aduser@windows.mylab.local) groups=732000006(aduser@windows.mylab
.local),732000005(ad_users@linux.mylab.local),702800513(domain
users@windows.mylab.local)

Looking into the SSSD logs, shows that SSSD indeed tries to resolve the GID
732000005 (adusers) rather than 732000006 (ad_admins):

(Thu Nov 16 16:03:19 2017) [sssd[be[linux.mylab.local]]]
[dp_get_account_info_handler] (0x0200): Got request for [0x2][BE_REQ_GROUP][id
number=732000005]

When I remove the domain resolution order, everything works as expected again:

# ipa config-mod --domain-resolution-order=
# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

# id aduser@windows.mylab.local
uid=702801104(aduser@windows.mylab.local) gid=732000006(ad_admins)
groups=732000006(ad_admins),732000005(ad_users),702800513(domain
users@windows.mylab.local)

In the SSSD logs we can now also see that SSSD tries to resolve the correct GID
(732000006):

(Thu Nov 16 16:06:07 2017) [sssd[be[linux.mylab.local]]]
[dp_get_account_info_handler] (0x0200): Got request for
[0x2][BE_REQ_GROUP][idnumber=732000006]


Version-Release number of selected component (if applicable):
sssd-1.15.2-50.el7_4.6.x86_64
ipa-server-4.5.0-21.el7_4.2.2.x86_64


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1514061

7 years ago

Metadata Update from @jhrozek:
- Issue assigned to fidencio
- Issue tagged with: bug

7 years ago

Metadata Update from @fidencio:
- Custom field patch adjusted to on

7 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.2

7 years ago

Metadata Update from @jhrozek:
- Issue tagged with: PR

7 years ago

Metadata Update from @jhrozek:
- Issue priority set to: critical

6 years ago

Metadata Update from @fidencio:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

6 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4618

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Log in to comment on this ticket.

Metadata