#3943 Setting GID value in ID view makes AD users invisible
Closed: cloned-to-github 3 years ago by pbrezina. Opened 5 years ago by knuppes.

The setup:
IPA Server 4.6.4-10.el7_6.2. with trust against Windows 2008 R2, IPA client 4.6.4-10.el7_6.2

The problem:

[root@rhelclient01 ~]# id test2
uid=1248201106(test2@myaddomain.de) gid=1248201106(test2@myaddomain.de) groups=1248201106(test2@myaddomain.de),1248200513(domain users@myaddomain.de)

When I put an ID view for that user in IPA and only put in the UID value it works fine, as well:

[root@rhelclient01 ~]# id test2
uid=1001(test2@myaddomain.de) gid=1248201106(test2@myaddomain.de) groups=1248201106(test2@myaddomain.de),1248200513(domain users@myaddomain.de)

But when I fill in the 1001 for the GID value, the user is not visible from the client anymore:
[root@rhelclient01 ~]# id test2
id: test2: no such user

In sssd logfiles I see in the good case:
[ipa_s2n_get_acct_info_send] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [test2] to IPA server

... and in the bad case:
[ipa_s2n_get_acct_info_send] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [S-1-5-21-653292258-51847207-622671684-1129] to IPA server

In summary: when the GID value is set in the ID view, sssd tries to fetch the user by SID instead of username. This happens ONLY when the GID value is set; all other ID view fields seem to work fine.
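
Added example, not part of the original report and not SSSD code: a small Python filter that separates by-name from by-SID ipa_s2n_get_acct_info_send requests in an SSSD domain log, so the behaviour described above can be confirmed on a client. The function names and the sample lines are constructed for illustration; a by-SID request is only a pointer for closer inspection, not proof of this bug.

```python
import re

# Debug message from the report; only the "trust user" form shown there is matched.
S2N_RE = re.compile(
    r"\[ipa_s2n_get_acct_info_send\] \(0x[0-9a-fA-F]+\): "
    r"Sending request_type: \[(?P<req>\w+)\] "
    r"for trust user \[(?P<ident>[^\]]+)\] to IPA server"
)
# Textual SID form: S-<revision>-<authority>-<sub-authority>...
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


def parse_s2n(line):
    """Return (request_type, identifier, is_sid) for an s2n request line, else None."""
    m = S2N_RE.search(line)
    if m is None:
        return None
    ident = m.group("ident")
    return m.group("req"), ident, SID_RE.fullmatch(ident) is not None


def summarize(lines):
    """Split s2n lookups into by-name and by-SID identifiers, in first-seen order."""
    result = {"by_name": [], "by_sid": []}
    for line in lines:
        parsed = parse_s2n(line)
        if parsed is None:
            continue
        _, ident, is_sid = parsed
        bucket = result["by_sid" if is_sid else "by_name"]
        if ident not in bucket:
            bucket.append(ident)
    return result


# Constructed sample: the two messages quoted in the report, a third with a
# made-up prefix (real logs carry a timestamp/process prefix), one unrelated line.
SAMPLE = [
    "[ipa_s2n_get_acct_info_send] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [test2] to IPA server",
    "[ipa_s2n_get_acct_info_send] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [S-1-5-21-653292258-51847207-622671684-1129] to IPA server",
    "(constructed prefix) [ipa_s2n_get_acct_info_send] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [test2] to IPA server",
    "[some_other_function] (0x0400): unrelated message",
]

if __name__ == "__main__":
    for kind, idents in summarize(SAMPLE).items():
        print(kind, idents)
```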


It is hard to say without seeing the logs, but does the issue sound like https://bugzilla.redhat.com/show_bug.cgi?id=1644902 and/or https://github.com/SSSD/sssd/pull/693?

In other words, does the overridden GID resolve to anything?

Unfortunately my case seems to be something completely different:

When I try to override the GID, the user cannot be found at all anymore for some reason. So the overridden GID cannot resolve to anything.

What I meant by 'resolve to anything' was if the GID override is set maybe to a value of an existing IPA group.

I tried both and it seems to make no difference.

As soon as I set any GID value in the override, sssd tries to search for a user with the value of the SID of the user instead of the username... and cannot find the user anymore.

I have an IPA Server/Client/AD running as a test environment in Azure. If you are interested I can put your public key on the VMs, so you can easily validate the issue.

Metadata Update from @pbrezina:
- Issue tagged with: Future milestone

4 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/4921

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @pbrezina:
- Issue close_status updated to: cloned-to-github
- Issue status updated to: Closed (was: Open)

3 years ago
