Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1765246
Description of problem:
It's impossible to enforce GID on the AD's "domain users" group in the IPA-AD trust setup. This is one of the requirements for replacing an existing software with sssd for AD integration.

Version-Release number of selected component (if applicable):
sssd: 1.16.4-21
ipa: 4.6.5.11

How reproducible:
The issue can easily be reproduced.

Steps to Reproduce:

******************* On the IPA server *******************

- Create a one way trust between AD and IPA
- Create an AD user

    # id -a 'AD\amorgan'
    uid=130801107(amorgan@ad.testdomain.com) gid=130801107(amorgan@ad.testdomain.com) groups=130801107(amorgan@ad.testdomain.com),130801111(managers@ad.testdomain.com),130800513(domain users@ad.testdomain.com)

- Create a mapping

    # ipa idoverridegroup-add 'Default Trust View' "domain users@ad.testdomain.com" --gid=40000000
    --------------------------------------------------------
    Added Group ID override "domain users@ad.testdomain.com"
    --------------------------------------------------------
      Anchor to override: domain users@ad.testdomain.com
      GID: 40000000

- Stop the sssd, clear the cache, restart the sssd
- Attempt to retrieve the user again:

    # id -a 'AD\amorgan'
    uid=130801107(amorgan@ad.testdomain.com) gid=130801107(amorgan@ad.testdomain.com) groups=130801107(amorgan@ad.testdomain.com),130801111(managers@ad.testdomain.com),40000000(domain users@ad.testdomain.com),130800513

<<<<Notice that the "domain users@ad.testdomain.com" has two gids, 40000000(new gid) and 130800513(old gid)

******************* On the IPA client *******************

id -a 'AD\amorgan' can no longer find the user on the IPA client despite stopping sssd, clearing the cache and restarting sssd.

- Delete the existing mapping on the IPA server, stop sssd, clear the cache and restart sssd on both IPA server and IPA client, all works again.

******************* On the IPA server *******************

- Create a new AD group called "Special Users" and assign the user amorgan to the group.

    # id -a 'AD\amorgan'
    uid=130801107(amorgan@ad.testdomain.com) gid=130801107(amorgan@ad.testdomain.com) groups=130801107(amorgan@ad.testdomain.com),130801133(special users@ad.testdomain.com),130801111(managers@ad.testdomain.com),130800513(domain users@ad.testdomain.com)

- Create a new mapping

    # ipa idoverridegroup-add 'Default Trust View' "Special Users@ad.testdomain.com" --gid=40000000
    ---------------------------------------------------------
    Added Group ID override "Special Users@ad.testdomain.com"
    ---------------------------------------------------------
      Anchor to override: special users@ad.testdomain.com
      GID: 40000000

- Able to retrieve the user on the IPA server after stopping sssd, clearing the cache and restarting the sssd service:

    # id -a 'AD\amorgan'
    uid=130801107(amorgan@ad.testdomain.com) gid=130801107(amorgan@ad.testdomain.com) groups=130801107(amorgan@ad.testdomain.com),40000000(special users@ad.testdomain.com),130801111(managers@ad.testdomain.com),130800513(domain users@ad.testdomain.com)

******************* On the IPA client *******************

id -a 'AD\amorgan' worked equally fine on the IPA client, so the white space in the group name is not the issue.

Actual results:

Expected results:

Additional info:
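The server-side symptom in the report above (the override GID resolving to the group name while the original GID stays in the list with no name) can be checked for mechanically after an ID override is applied. The following is an added example, not part of the original ticket or of SSSD; the function names are this example's own, and the two sample lines are the `id` outputs from the report with the line-wrap space in `ad.testdomain.com` joined.

```shell
#!/usr/bin/env bash
# Added example: verify a group ID override from `id` output.
# All function names here are hypothetical helpers, not SSSD or IPA tooling.

# Split the groups= list of one `id` output line into one entry per line.
# A trailing SELinux " context=..." field is dropped first. Group names may
# contain spaces ("domain users@..."), so entries are split on commas only.
group_entries() {
    printf '%s\n' "$1" |
        sed -n -e 's/ context=[^ ]*$//' -e 's/.*groups=//p' |
        tr ',' '\n'
}

# Print every GID in the groups= list that has no "(name)" attached.
unresolved_gids() {
    group_entries "$1" | awk '/^[0-9]+$/ { print }'
}

# Print the GID that the named group currently resolves to.
gid_of_group() {
    group_entries "$1" | awk -v want="$2" '
        { p = index($0, "(") }
        p > 0 && substr($0, p + 1, length($0) - p - 1) == want {
            print substr($0, 1, p - 1)
        }'
}

# Succeed only if the group has the expected GID and no nameless GID remains.
check_override() {
    [ "$(gid_of_group "$1" "$2")" = "$3" ] && [ -z "$(unresolved_gids "$1")" ]
}

# Sample data: the two post-override outputs quoted in the report.
BROKEN='uid=130801107(amorgan@ad.testdomain.com) gid=130801107(amorgan@ad.testdomain.com) groups=130801107(amorgan@ad.testdomain.com),130801111(managers@ad.testdomain.com),40000000(domain users@ad.testdomain.com),130800513'
GOOD='uid=130801107(amorgan@ad.testdomain.com) gid=130801107(amorgan@ad.testdomain.com) groups=130801107(amorgan@ad.testdomain.com),40000000(special users@ad.testdomain.com),130801111(managers@ad.testdomain.com),130800513(domain users@ad.testdomain.com)'

for sample in "$BROKEN" "$GOOD"; do
    echo "GIDs without a name: $(unresolved_gids "$sample" | tr '\n' ' ')"
done
```

On a live host the first argument would be `"$(id -a 'AD\amorgan')"`, run after the cache has been cleared and sssd restarted as in the steps above.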
Metadata Update from @pbrezina: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1765246
PR: https://github.com/SSSD/sssd/pull/954
Metadata Update from @pbrezina: - Issue tagged with: PR, bug
master: 03bc962
Will wait for 1.16 PR to be merged before closing this issue.
sssd-1-16 80e6f71
Metadata Update from @mzidek: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/5085
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.