https://bugzilla.redhat.com/show_bug.cgi?id=874674 (Red Hat Enterprise Linux 7)
Description of problem:

From xdong's description in bug #869616:

> Can use invalid SIDs - and message says member was added. (-1100 is invalid)

[root@xdong ~]# ipa group-add-member --external=s-1-5-21-2048782538-2375889789-2933420090-1100
Group name: bb
[member user]:
[member group]:
Group name: bb
Description: bb
External member: s-1-5-21-2048782538-2375889789-2933420090-1175, s-1-5-21-2048782538-2375889789-2933420090-1100
-------------------------
Number of members added 1
-------------------------

Also:

[root@rhel6-1 ~]# ipa group-add-member ad_group_external --external S-1-5-21-1246088475-3077293710-2580964704-1701
[member user]:
[member group]:
Group name: ad_group_external
Description: ad.example.com group external
External member: S-1-5-21-1246088475-3077293710-2580964704-1135, S-1-5-21-1246088475-3077293710-2580964704-1136, S-1-5-21-1246088475-3077293710-2580964704-1700, S-1-5-21-1246088475-3077293710-2580964704-1701
Member users: admin
-------------------------
Number of members added 1
-------------------------
[root@rhel6-1 ~]# wbinfo -s S-1-5-21-1246088475-3077293710-2580964704-1701
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-21-1246088475-3077293710-2580964704-1701

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-106.20121106T0229zgit881fc3a.el6.x86_64

How reproducible: always

Steps to Reproduce:
1. Setup IPA Master with trust to AD domain
2. ipa group-add groupname --desc=desc
3. ipa group-add-member groupname --external <SID that does not exist in AD domain>

Actual results: adds SID that can't be resolved from AD domain.

Expected results: should reject or at least warn that this is the case?

Additional info:
Further discussion showed that we do not validate users by SIDs. This is the RFE to add validation of external AD users when they are referred to by SID rather than by name.
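The validation this RFE asks for, sketched as an added Python example (not IPA's own code): the SID is checked syntactically, its domain prefix must belong to a trusted AD domain, and the member is refused when a lookup cannot resolve it. The lookup is simulated with a constructed table standing in for a winbind/wbinfo query; the trusted-domain SID and the resolvable entries are constructed sample data that reuse SIDs from the ticket's output.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample data reusing SIDs from the ticket: the SID of the one AD
# domain this IPA server trusts, and the members a lookup (standing in for a
# winbind/wbinfo query) can resolve. Anything else is unresolvable, like RID 1701.
TRUSTED_DOMAIN_SIDS = {"S-1-5-21-1246088475-3077293710-2580964704"}
RESOLVABLE_SIDS: Dict[str, str] = {
    "S-1-5-21-1246088475-3077293710-2580964704-1135": "AD\\alice",
    "S-1-5-21-1246088475-3077293710-2580964704-1136": "AD\\bob",
}

# Textual SID form: S-1-<identifier authority>-<sub-authority>(-<sub-authority>)*
SID_RE = re.compile(r"^[Ss]-1-\d+(?:-\d+)+$")

def parse_sid(sid: str) -> Optional[Tuple[str, int]]:
    """Return (domain SID, RID) for a well-formed SID, or None if the syntax is bad."""
    if not SID_RE.fullmatch(sid):
        return None
    parts = sid.upper().split("-")
    sub_auths = [int(p) for p in parts[3:]]
    # A domain member SID needs at least one sub-authority before the RID,
    # and every sub-authority is a 32-bit value.
    if len(sub_auths) < 2 or any(v > 0xFFFFFFFF for v in sub_auths):
        return None
    return "-".join(parts[:-1]), sub_auths[-1]

def resolve_sid(sid: str) -> Optional[str]:
    """Simulated SID-to-name lookup; a real implementation would ask winbind/SSSD."""
    return RESOLVABLE_SIDS.get(sid.upper())

def validate_external_member(sid: str) -> Tuple[bool, str]:
    """Decide whether `sid` may be added as an external group member."""
    parsed = parse_sid(sid)
    if parsed is None:
        return False, f"{sid}: not a syntactically valid SID"
    domain_sid, rid = parsed
    if domain_sid not in TRUSTED_DOMAIN_SIDS:
        return False, f"{sid}: domain {domain_sid} is not a trusted AD domain"
    name = resolve_sid(sid)
    if name is None:
        return False, f"{sid}: RID {rid} cannot be resolved in the trusted domain"
    return True, f"{sid}: resolved to {name}"

if __name__ == "__main__":
    for sid in ("S-1-5-21-1246088475-3077293710-2580964704-1135", "S-1-5-32-544"):
        print(*validate_external_member(sid))
```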
Releasing tickets from distant milestones.
Metadata Update from @dpal:
- Issue assigned to someone
- Issue set to the milestone: Future Releases