Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1506686
Description of problem:

It looks like we are unable to look up Active Directory users after an AD Trust is re-established from IPA. A simple id command is where I'm seeing the failure.

Before re-establishing trust:

    [root@yttrium ~]# id aduser1@ipaad2012r2.test
    uid=346213484(aduser1@ipaad2012r2.test) gid=346213484(aduser1@ipaad2012r2.test) groups=346213484(aduser1@ipaad2012r2.test),346201110(adunigroup1@ipaad2012r2.test),346201108(adgroup1@ipaad2012r2.test),346201109(adgroup2@ipaad2012r2.test),346200513(domain users@ipaad2012r2.test)

After:

    [root@yttrium ~]# id aduser1@ipaad2012r2.test
    id: aduser1@ipaad2012r2.test: no such user

Version-Release number of selected component (if applicable):

    ipa-server-4.5.0-21.el7_4.2.2.x86_64
    sssd-1.15.2-50.el7_4.6.x86_64

How reproducible:

Unknown. Results in automated tests are varied, but a manual reproduction was successful.

Steps to Reproduce:

1. Install ipa-server with DNS and set up trust with AD. Note: my test env has an AD forest with a root and subdomain, and trust defaulted to one-way initially, I think.

2. Set up an external group (not sure this step is actually necessary, but I did it while trying to reproduce this).

       ipa group-add --desc=0 bz1049533_external --external
       ipa group-add --desc=0 bz1049533
       ipa group-add-member bz1049533_external --external='adgroup1@ipaad2012r2.test' --users='' --groups=''

3. Restart sssd and reset cache.

       systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

4. Re-establish trust.

       ipa trust-add ipaad2012r2.test --admin Administrator --range-type=ipa-ad-trust --password --two-way=True

5. Look up user.

       id aduser1@ipaad2012r2.test

Actual results:

    [root@yttrium ~]# ipa trust-add ipaad2012r2.test --admin Administrator --range-type=ipa-ad-trust --password --two-way=True
    Active Directory domain administrator's password:
    -------------------------------------------------
    Re-established trust to domain "ipaad2012r2.test"
    -------------------------------------------------
      Realm name: ipaad2012r2.test
      Domain NetBIOS name: IPAAD2012R2
      Domain Security Identifier: S-1-5-21-547465014-1205121312-3291251547
      Trust direction: Two-way trust
      Trust type: Active Directory domain
      Trust status: Established and verified
    [root@yttrium ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
    Redirecting to /bin/systemctl stop sssd.service
    Redirecting to /bin/systemctl start sssd.service
    [root@yttrium ~]# id aduser1@ipaad2012r2.test
    id: aduser1@ipaad2012r2.test: no such user

Expected results:

I had expected to see the user returned like I did before I re-established the trust.

Additional info:
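The reproduction above boils down to "users resolved before `ipa trust-add`, not after". The following POSIX sh helper is an added example, not part of the ticket or of FreeIPA/SSSD: it snapshots which AD users `id` can resolve (and how many groups each carries) before the trust is re-established, then diffs a second snapshot afterwards so a regression of this kind surfaces immediately instead of during an unrelated test run. The user list and the snapshot format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the ticket): snapshot which AD users SSSD can resolve
# before a trust is re-established with `ipa trust-add`, then diff the snapshot
# afterwards so a regression like the reported "no such user" is caught at once.

# Print the group names from one line of `id` output, one per line.
id_groups() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' \
        | sed 's/^[0-9]*(\(.*\))$/\1/'
}

# For each user in $1 (newline separated) print "<user> OK <group-count>"
# when `id` resolves it, or "<user> MISSING 0" when it does not.
snapshot_users() {
    printf '%s\n' "$1" | while IFS= read -r u; do
        [ -n "$u" ] || continue
        if out=$(id "$u" 2>/dev/null); then
            printf '%s OK %s\n' "$u" "$(id_groups "$out" | wc -l | tr -d ' ')"
        else
            printf '%s MISSING 0\n' "$u"
        fi
    done
}

# Compare the "before" snapshot ($1) with the "after" snapshot ($2). Report each
# user that resolved before but not now, or that lost groups; return 1 if any
# such regression exists, 0 otherwise. A user absent from "after" counts as missing.
compare_snapshots() {
    rc=0
    while read -r u st n; do
        [ -n "$u" ] || continue
        line=$(printf '%s\n' "$2" | awk -v u="$u" '$1 == u { print; exit }')
        line=${line:-$u MISSING 0}
        set -- "$1" "$2" $line          # $3=user $4=status $5=group count
        if [ "$st" = OK ] && [ "$4" != OK ]; then
            printf 'REGRESSION %s: resolved before, now "no such user"\n' "$u"
            rc=1
        elif [ "$st" = OK ] && [ "$n" -gt "$5" ]; then
            printf 'REGRESSION %s: %s groups before, %s now\n' "$u" "$n" "$5"
            rc=1
        fi
    done <<EOF
$1
EOF
    return $rc
}
```

Typical use: `snapshot_users "$(cat ad-users.txt)" > before.txt` prior to step 4, then after the trust is re-added and the SSSD cache reset, `compare_snapshots "$(cat before.txt)" "$(snapshot_users "$(cat ad-users.txt)")"` exits non-zero and names every user that went from resolved to "no such user".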
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1506686
Metadata Update from @frenaud: - Issue priority set to: important
Metadata Update from @frenaud: - Issue assigned to sbose
https://github.com/freeipa/freeipa/pull/1529
master:
ipa-4-6:
ipa-4-5:
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)