Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1514061
Description of problem:

Setup: IdM with AD Trust. A Posix group 'ad_admins' (GID 732000006) exists with one member 'ad_admins_external'. The member of the external group is the Windows Domain Admins group. There also exists a Windows Domain User 'aduser' with UID/GID 702801104.

Without any ID override or domain resolution order defined, 'id aduser@windows.mylab.local' gives the following output:

    # id aduser@windows.mylab.local
    uid=702801104(aduser@windows.mylab.local) gid=702801104(aduser@windows.mylab.local) groups=702801104(aduser@windows.mylab.local),732000005(ad_users),702800513(domain users@windows.mylab.local)

Now I define an ID override in the Default Trust View for the 'aduser' to change the GID to 732000006:

    # ipa idoverrideuser-add 'Default Trust View' aduser@windows.mylab.local --gidnumber=732000006

I clean the cache and verify that the user now uses the GID from the ID override:

    # systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/* /var/log/sssd/*; systemctl start sssd
    # id aduser@windows.mylab.local
    uid=702801104(aduser@windows.mylab.local) gid=732000006(ad_admins) groups=732000006(ad_admins),732000005(ad_users),702800513(domain users@windows.mylab.local)

This works as expected.

Now I change the domain resolution order so that I don't have to use the domain name when I refer to the 'aduser' account:

    # ipa config-mod --domain-resolution-order=windows.mylab.local:linux.mylab.local
    # ipa config-show|grep -i resolution
    Domain resolution order: windows.mylab.local:linux.mylab.local

I clean the cache and verify again that the 'aduser' account still uses the GID from the ID override:

    # systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd
    # id aduser
    uid=702801104(aduser@windows.mylab.local) gid=732000006(aduser@windows.mylab.local) groups=732000006(aduser@windows.mylab.local),732000005(ad_users@linux.mylab.local),702800513(domain users@windows.mylab.local)

As we can see, the user still uses the correct GID from the ID override (732000006), but the GID is resolved to the wrong group name ('aduser' instead of 'ad_admins'). Also using the domain with the user name doesn't change this behaviour:

    # id aduser@windows.mylab.local
    uid=702801104(aduser@windows.mylab.local) gid=732000006(aduser@windows.mylab.local) groups=732000006(aduser@windows.mylab.local),732000005(ad_users@linux.mylab.local),702800513(domain users@windows.mylab.local)

Looking into the SSSD logs shows that SSSD indeed tries to resolve the GID 732000005 (adusers) rather than 732000006 (ad_admins):

    (Thu Nov 16 16:03:19 2017) [sssd[be[linux.mylab.local]]] [dp_get_account_info_handler] (0x0200): Got request for [0x2][BE_REQ_GROUP][idnumber=732000005]

When I remove the domain resolution order, everything works as expected again:

    # ipa config-mod --domain-resolution-order=
    # systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd
    # id aduser@windows.mylab.local
    uid=702801104(aduser@windows.mylab.local) gid=732000006(ad_admins) groups=732000006(ad_admins),732000005(ad_users),702800513(domain users@windows.mylab.local)

In the SSSD logs we can now also see that SSSD tries to resolve the correct GID (732000006):

    (Thu Nov 16 16:06:07 2017) [sssd[be[linux.mylab.local]]] [dp_get_account_info_handler] (0x0200): Got request for [0x2][BE_REQ_GROUP][idnumber=732000006]

Version-Release number of selected component (if applicable):

    sssd-1.15.2-50.el7_4.6.x86_64
    ipa-server-4.5.0-21.el7_4.2.2.x86_64

How reproducible:
Steps to Reproduce: 1. 2. 3.
Actual results:
Expected results:
Additional info:
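The symptom reported above can be checked mechanically. The following is an added example, not part of the original ticket or of SSSD: it parses the `id` output and the backend log lines quoted in the report and flags a primary GID that resolves to a name other than the group that owns it. The function names are hypothetical; the GID, group name and sample lines are taken from the report.

```python
import re

# Values from the report: the GID set by the ID override and the group that owns it.
OVERRIDE_GID, EXPECTED_GROUP = 732000006, "ad_admins"

# `id` output lines copied from the report (without and with the resolution order).
GOOD = ("uid=702801104(aduser@windows.mylab.local) gid=732000006(ad_admins) "
        "groups=732000006(ad_admins),732000005(ad_users),"
        "702800513(domain users@windows.mylab.local)")
BAD = ("uid=702801104(aduser@windows.mylab.local) "
       "gid=732000006(aduser@windows.mylab.local) "
       "groups=732000006(aduser@windows.mylab.local),"
       "732000005(ad_users@linux.mylab.local),"
       "702800513(domain users@windows.mylab.local)")
# Backend log lines copied from the report.
LOGS = """\
(Thu Nov 16 16:03:19 2017) [sssd[be[linux.mylab.local]]] [dp_get_account_info_handler] (0x0200): Got request for [0x2][BE_REQ_GROUP][idnumber=732000005]
(Thu Nov 16 16:06:07 2017) [sssd[be[linux.mylab.local]]] [dp_get_account_info_handler] (0x0200): Got request for [0x2][BE_REQ_GROUP][idnumber=732000006]
"""

ENTRY_RE = re.compile(r"(\d+)\(([^)]*)\)")
# Tolerates a stray space in "idnumber" left by line wrapping in pasted logs.
LOG_RE = re.compile(r"\[BE_REQ_GROUP\]\[id\s?number=(\d+)\]")

def parse_id(line):
    """Split one line of `id` output into (primary_gid, primary_name, {gid: name})."""
    # Split only on spaces that start a new key=, so "domain users@..." stays intact.
    fields = dict(part.split("=", 1) for part in re.split(r" (?=\w+=)", line.strip()))
    gid, name = ENTRY_RE.fullmatch(fields["gid"]).groups()
    groups = {int(g): n for g, n in ENTRY_RE.findall(fields.get("groups", ""))}
    return int(gid), name, groups

def check_primary_group(line, gid=OVERRIDE_GID, expected=EXPECTED_GROUP):
    """Return findings if the primary GID or the name it resolves to is not as expected."""
    pgid, pname, _ = parse_id(line)
    if pgid != gid:
        return [f"primary GID is {pgid}, override {gid} not applied"]
    if pname.split("@", 1)[0] != expected:
        return [f"GID {pgid} resolves to {pname!r}, expected {expected!r}"]
    return []

def requested_group_ids(log_text):
    """GIDs the backend was asked to resolve, in log order."""
    return [int(n) for n in LOG_RE.findall(log_text)]

if __name__ == "__main__":
    for label, line in (("without resolution order", GOOD), ("with resolution order", BAD)):
        print(label, "->", check_primary_group(line) or "ok")
    print("backend group lookups:", requested_group_ids(LOGS))
```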
Metadata Update from @jhrozek: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1514061
Metadata Update from @jhrozek: - Issue assigned to fidencio - Issue tagged with: bug
Metadata Update from @fidencio: - Custom field patch adjusted to on
PR: https://github.com/SSSD/sssd/pull/464
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD 1.16.2
Metadata Update from @jhrozek: - Issue tagged with: PR
Metadata Update from @jhrozek: - Issue priority set to: critical
master: cf4f5e0
Metadata Update from @fidencio: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4618
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.