Issue #4031: [RFE] Support initgroups for unauthenticated AD users - freeipa

freeipa

#4031 [RFE] Support initgroups for unauthenticated AD users

Closed: Fixed None Opened 10 years ago by mkosek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1030699

Description of problem:

Running the id command for AD user on an IPA client does not show all of the
group memberships as shown on an IPA server.

MASTER:
[root@nightcrawler ~]# id 'ADLABS\aduser1'
uid=1436801369(aduser1@adlabs.com) gid=1436801369(aduser1@adlabs.com)
groups=1436801369(aduser1@adlabs.com),1436800513(domain
users@adlabs.com),1436801883(adgroup1@adlabs.com)

REPLICA:
[root@apollo ~]# id 'ADLABS\aduser1'
uid=1436801369(aduser1@adlabs.com) gid=1436801369(aduser1@adlabs.com)
groups=1436801369(aduser1@adlabs.com),1436800513(domain
users@adlabs.com),1436801883(adgroup1@adlabs.com)

CLIENT:
[root@qe-blade-04 ~]# id 'ADLABS\aduser1'
uid=1436801369(aduser1@adlabs.com) gid=1436801369(aduser1@adlabs.com)
groups=1436801369(aduser1@adlabs.com)

Version-Release number of selected component (if applicable):


How reproducible:
seen frequently in automated tests.

However, in one instance, after logging into the server, I saw same results as
expected.

Steps to Reproduce:
0.  have access to AD with user aduser
1.  ipa-server-install # on server
2.  ipa-client-install # on client
3.  ipa-adtrust-install # on server
4.  ipa trust-add # on server
5.  id 'AD\aduser' # on both

Actual results:
5. id shows different group lists for server and client.  client is missing
groups.

Expected results:
5. same group list shown on client as on server.


Additional info:

sbose commented 10 years ago

SSSD part of this effort is tracked by https://fedorahosted.org/sssd/ticket/2159 .

mkosek commented 10 years ago

Requires SSSD ticket which was not started yet, moving to further release.

mkosek commented 9 years ago

This will not fit into 4.0 GA, moving to Needs triage to decide (Sumit planned to do both FreeIPA and SSSD parts) what is the right milestone.

sbose commented 9 years ago

This features might be influenced by the user-views depending on which data the server sends back to the client. So I would suggest to do it together with the view or in the release following the views.

mkosek commented 9 years ago

Moving to the same milestone as where views are.

mkosek commented 9 years ago

Sumit submitted a patch 130.

mkosek commented 9 years ago

master:

3c75b91 extdom: add support for new version

ipa-4-1:

2006d87 extdom: add support for new version

Metadata Update from @mkosek:
- Issue assigned to sbose
- Issue set to the milestone: FreeIPA 4.1

7 years ago

Metadata

Assignee

sbose

Tags

None

Blocking

None

Depending on

None

Priority

important

Milestone

FreeIPA 4.1

None

affects_doc

None

source

None

knownissue

None

type

enhancement

blockedby

None

test_case

None

component

Trusts

blocking

None

on_review

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=1030699

tester

None

changelog

None

design

None

freeipa

Source Code

#4031 [RFE] Support initgroups for unauthenticated AD users Closed: Fixed None Opened 10 years ago by mkosek.

Metadata

#4031 [RFE] Support initgroups for unauthenticated AD users

Closed: Fixed None Opened 10 years ago by mkosek.