Issue #4124: Impossible to enforce GID on the AD's "domain users" group in the IPA-AD trust setup - sssd

SSSD / sssd

#4124 Impossible to enforce GID on the AD's "domain users" group in the IPA-AD trust setup

Closed: Fixed 4 years ago by mzidek. Opened 4 years ago by pbrezina.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1765246

Description of problem:
It' impossible to enforce GID on the AD's "domain users" group in the IPA-AD
trust setup. This is one of the requirements for replacing an existing software
with sssd for AD integration.


Version-Release number of selected component (if applicable):
sssd: 1.16.4-21
ipa: 4.6.5.11


How reproducible:
The issue can easily be reproduced.


Steps to Reproduce:
*******************
On the IPA server
*******************
- Create a one way trust between AD and IPA
- Create an AD user
# id -a 'AD\amorgan'
uid=130801107(amorgan@ad.testdomain.com)
gid=130801107(amorgan@ad.testdomain.com) groups=130801107(amorgan@ad.testdomain
.com),130801111(managers@ad.testdomain.com),130800513(domain
users@ad.testdomain.com)

- Create a mapping
# ipa idoverridegroup-add 'Default Trust View' "domain users@ad.testdomain.com"
--gid=40000000
--------------------------------------------------------
Added Group ID override "domain users@ad.testdomain.com"
--------------------------------------------------------
  Anchor to override: domain users@ad.testdomain.com
  GID: 40000000

- Stop the sssd, clear the cache, restart the sssd

- Attempt to retrieve the user again:
# id -a 'AD\amorgan'
uid=130801107(amorgan@ad.testdomain.com)
gid=130801107(amorgan@ad.testdomain.com) groups=130801107(amorgan@ad.testdomain
.com),130801111(managers@ad.testdomain.com),40000000(domain
users@ad.testdomain.com),130800513
<<<<Notice that the "domain users@ad.testdomain.com" has two gids, 40000000(new
gid) and 130800513(old gid)


*******************
On the IPA client
*******************
id -a 'AD\amorgan' cannot no longer find the user on the IPA client despite
stopping sssd, clear the cache and restart sssd.

- Delete the existing mapping on the IPA server, stop sssd, clear the cache and
restart sssd on both IPA server and IPA client, all works again.

*******************
On the IPA server
*******************
- Create a new AD group called "Special Users" and assigned the user amorgan to
the group.
# id -a 'AD\amorgan'
uid=130801107(amorgan@ad.testdomain.com)
gid=130801107(amorgan@ad.testdomain.com)
groups=130801107(amorgan@ad.testdomain.com),130801133(special
users@ad.testdomain.com),130801111(managers@ad.testdomain.com),130800513(domain
users@ad.testdomain.com)

- Create a new mapping
# ipa idoverridegroup-add 'Default Trust View' "Special
Users@ad.testdomain.com" --gid=40000000
---------------------------------------------------------
Added Group ID override "Special Users@ad.testdomain.com"
---------------------------------------------------------
  Anchor to override: special users@ad.testdomain.com
  GID: 40000000

- Able to retrieve the user on the IPA server after stopping sssd, clearing the
cache and restart the sssd service:
# id -a 'AD\amorgan'
uid=130801107(amorgan@ad.testdomain.com)
gid=130801107(amorgan@ad.testdomain.com)
groups=130801107(amorgan@ad.testdomain.com),40000000(special
users@ad.testdomain.com),130801111(managers@ad.testdomain.com),130800513(domain
users@ad.testdomain.com)


*******************
On the IPA client
*******************
'id -a 'AD\amorgan' worked equally fine on  the IPA client, so the white space
between the groupname is not the issue.

Actual results:


Expected results:


Additional info:

Metadata Update from @pbrezina:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1765246

4 years ago

pbrezina commented 4 years ago

PR: https://github.com/SSSD/sssd/pull/954

Metadata Update from @pbrezina:
- Issue tagged with: PR, bug

4 years ago

mzidek commented 4 years ago

master:
03bc962

mzidek commented 4 years ago

Will wait for 1.16 PR to be merged before closing this isssue.

mzidek commented 4 years ago

sssd-1-16
80e6f71

Metadata Update from @mzidek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

4 years ago

pbrezina commented 3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/5085

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata

Assignee

None

Tags

Blocking

None

Depending on

None

Priority

None

Milestone

None

type

None

component

None

version

None

selected

None

testsupdated

None

patch

None

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=1765246

design_review

None

review

None

changelog

None

keywords

None

coverity

None

mark

None

blocking

None

design

None

sensitive

None

blockedby

None

feature_milestone

None

SSSD / sssd

Source Code

Documentation

#4124 Impossible to enforce GID on the AD's "domain users" group in the IPA-AD trust setup Closed: Fixed 4 years ago by mzidek. Opened 4 years ago by pbrezina.

Metadata

PR bug

#4124 Impossible to enforce GID on the AD's "domain users" group in the IPA-AD trust setup

Closed: Fixed 4 years ago by mzidek. Opened 4 years ago by pbrezina.