freeipa

FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments.  |  http://www.freeipa.org/

#3637 extdom plugin considers only one trusted range

Created 5 years ago by steeve
Modified a year ago

In the following output aduser1@adlabs.com UID should be 1436801207 coming from ADLABS.COM_id_range, even after a new trusted range for the same domain is added. It gets UID 1557001207 assigned from the newly added ad_range, which should not be the case.

[root@server1 ~]# /usr/bin/ipa trust-add --type=ad adlabs.com --admin administrator --password --range-size 2000
Active directory domain administrator's password:
---------------------------------------------------
Added Active Directory trust for realm "adlabs.com"
---------------------------------------------------
  Realm name: adlabs.com
  Domain NetBIOS name: ADLABS
  Domain Security Identifier: S-1-5-21-3069109027-1612402048-776712048
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
                          S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
                          S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
                          S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
                          S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
                          S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
                          S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@server1 ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adlabs.com
  Domain NetBIOS name: ADLABS
  Domain Security Identifier: S-1-5-21-3069109027-1612402048-776712048
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

[root@server1 ~]# ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: ADLABS.COM_id_range
  First Posix ID of the range: 1436800000
  Number of IDs in the range: 2000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-3069109027-1612402048-776712048
  Range type: Active Directory domain range

  Range name: TESTRELM.COM_id_range
  First Posix ID of the range: 650800000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------

[root@server1 ~]# id -u administrator@adlabs.com
1436800500

[root@server1 ~]# sleep 15; id -u aduser1@adlabs.com
1436801207

[root@server1 ~]# wbinfo -n aduser1@adlabs.com
S-1-5-21-3069109027-1612402048-776712048-1207 SID_USER (1)

[root@server1 ~]# ipa idrange-mod ADLABS.COM_id_range --range-size 1207
---------------------------------------
Modified ID range "ADLABS.COM_id_range"
---------------------------------------
  Range name: ADLABS.COM_id_range
  First Posix ID of the range: 1436800000
  Number of IDs in the range: 1207
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-3069109027-1612402048-776712048
  Range type: Active Directory domain range

[root@server1 ~]# wbinfo -n aduser2@adlabs.com
S-1-5-21-3069109027-1612402048-776712048-1208 SID_USER (1)

[root@server1 ~]# service sssd stop
Redirecting to /bin/systemctl stop  sssd.service

[root@server1 ~]# rm -f /var/lib/sss/db/* /var/lib/sss/mc/* /var/log/sssd/*

[root@server1 ~]# service sssd start
Redirecting to /bin/systemctl start  sssd.service

[root@server1 ~]# id -u aduser1@adlabs.com
id: aduser1@adlabs.com: no such user

[root@server1 ~]# id -u aduser2@adlabs.com
id: aduser2@adlabs.com: no such user

[root@server1 ~]# ipa idrange-mod ADLABS.COM_id_range --range-size 1208
---------------------------------------
Modified ID range "ADLABS.COM_id_range"
---------------------------------------
  Range name: ADLABS.COM_id_range
  First Posix ID of the range: 1436800000
  Number of IDs in the range: 1208
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-3069109027-1612402048-776712048
  Range type: Active Directory domain range

[root@server1 ~]# sleep 15; id -u aduser1@adlabs.com    <<<<<<<<<<<<<<<<<<<
1436801207

[root@server1 ~]# sleep 15; id -u aduser2@adlabs.com
id: aduser2@adlabs.com: no such user

[root@server1 ~]# /usr/bin/ipa idrange-add --dom-sid S-1-5-21-3069109027-1612402048-776712048 --rid-base 1208 --base-id 1557000000 --range-size 1210 ad_range
-------------------------
Added ID range "ad_range"
-------------------------
  Range name: ad_range
  First Posix ID of the range: 1557000000
  Number of IDs in the range: 1210
  First RID of the corresponding RID range: 1208
  Domain SID of the trusted domain: S-1-5-21-3069109027-1612402048-776712048
  Range type: Active Directory domain range

[root@server1 ~]# id -u aduser1@adlabs.com
1436801207

[root@server1 ~]# sleep 15; id -u aduser2@adlabs.com
1557001208

[root@server1 ~]# service sssd stop
Redirecting to /bin/systemctl stop  sssd.service

[root@server1 ~]# rm -f /var/lib/sss/db/* /var/lib/sss/mc/* /var/log/sssd/*

[root@server1 ~]# service sssd start
Redirecting to /bin/systemctl start  sssd.service

[root@server1 ~]# id -u aduser1@adlabs.com               <<<<<<<<<<<<<<<<<<<<<
1557001207

[root@server1 ~]# id -u aduser2@adlabs.com
1557001208

[root@server1 ~]# sleep 15; id -u aduser3@adlabs.com
1557001209

To fix this an extension to libsss_idmap is needed which is tracked in https://fedorahosted.org/sssd/ticket/1938.
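The range selection this ticket is about, as an added example that is neither FreeIPA's nor SSSD's code: it reproduces the mapping the output above shows (the last range added for the domain wins and its RID base is ignored) beside a lookup that consults every range registered for the domain, and it flags ranges whose RID or POSIX windows overlap. The range values are the ticket's; the formula uid = base_id + (rid - rid_base) in the multi-range path is an assumption (with rid_base 0 it agrees with every value the ticket shows for ADLABS.COM_id_range).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IdRange:
    name: str
    dom_sid: str
    base_id: int   # "First Posix ID of the range"
    size: int      # "Number of IDs in the range"
    rid_base: int  # "First RID of the corresponding RID range"

DOM = "S-1-5-21-3069109027-1612402048-776712048"
# The two ranges the ticket ends with, after `ipa idrange-add ... ad_range`.
RANGES = [
    IdRange("ADLABS.COM_id_range", DOM, 1436800000, 1208, 0),
    IdRange("ad_range", DOM, 1557000000, 1210, 1208),
]

def resolve_sid(sid, ranges, observed=False):
    """Return (range name, uid), or None if no range covers the SID.
    observed=True reproduces the ticket's output: only the last range added
    for the domain is consulted and its RID base is ignored (uid = base_id +
    rid for rid < size). The default path consults every range for the
    domain; uid = base_id + (rid - rid_base) is an assumed formula."""
    dom, _, rid = sid.rpartition("-")   # 'S-1-5-21-...-1207' -> domain SID, RID
    rid = int(rid)
    candidates = [r for r in ranges if r.dom_sid == dom]
    if observed:
        last = candidates[-1] if candidates else None
        if last is not None and rid < last.size:
            return last.name, last.base_id + rid
        return None
    for r in candidates:
        if r.rid_base <= rid < r.rid_base + r.size:
            return r.name, r.base_id + (rid - r.rid_base)
    return None

def overlapping_ranges(ranges):
    """Pairs of same-domain ranges whose RID or POSIX windows overlap;
    such pairs make the SID -> UID mapping ambiguous."""
    bad = []
    for i, a in enumerate(ranges):
        for b in ranges[i + 1:]:
            if a.dom_sid != b.dom_sid:
                continue
            rid_clash = a.rid_base < b.rid_base + b.size and b.rid_base < a.rid_base + a.size
            id_clash = a.base_id < b.base_id + b.size and b.base_id < a.base_id + a.size
            if rid_clash or id_clash:
                bad.append((a.name, b.name))
    return bad
```

Run `overlapping_ranges` against the output of `ipa idrange-find` before adding a second range for a domain: the ticket's first ADLABS.COM_id_range (size 2000) would have collided with ad_range's RID window, which is why the reporter shrank it to 1208 first.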

As per triage meeting, it is not clear if we will need this fix. As Sumit reported, if SSSD is fixed as it is planned to, this fix won't be needed. Assigning to Sumit to decide this.

Rename "trusts" component to "Trusts" to achieve correct sorting.

a year ago

Metadata Update from @steeve:
- Issue assigned to sbose
- Issue set to the milestone: FreeIPA 3.3 - 2013/06
