Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 953944
Description of problem:

In an IPA/AD Trust setup, I cannot see the IPA external group for the AD user.

This is from this test (with slight differences to work from another test):

https://fedoraproject.org/wiki/QA:Testcase_freeipav3_ad_hbac

[root@f19-1 ~]# ipa group-show --all ad_admins
  dn: cn=ad_admins,cn=groups,cn=accounts,dc=ipa,dc=example,dc=org
  Group name: ad_admins
  Description: ad.example.org admins
  GID: 1819800007
  Member groups: ad_admins_external
  ipantsecurityidentifier: S-1-5-21-1339028217-3206615778-3561301142-1007
  ipauniqueid: 93ff8042-a886-11e2-a644-0000c0a87abf
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, posixgroup, ipantgroupattrs

[root@f19-1 ~]# ipa group-show --all ad_admins_external
  dn: cn=ad_admins_external,cn=groups,cn=accounts,dc=ipa,dc=example,dc=org
  Group name: ad_admins_external
  Description: ad.example.org admins external map
  Member of groups: ad_admins
  External member: S-1-5-21-3234163150-1739635155-2110790787-512
  ipauniqueid: 88f8b95c-a886-11e2-8283-0000c0a87abf
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, ipaexternalgroup

[root@f19-1 ~]# wbinfo -s S-1-5-21-3234163150-1739635155-2110790787-512
AD\domain admins 2

[root@f19-1 ~]# wbinfo --group-info "AD\domain admins 2"
failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for group AD\domain admins 2

[root@f19-1 ~]# wbinfo --group-info "AD\domain admins"
AD\domain admins:4294967295:AD\administrator

-sh-4.2$ id
uid=1717600500(administrator@ad.example.org) gid=1717600500(administrator@ad.example.org) groups=1717600500(administrator@ad.example.org),1717600512(domain admins@ad.example.org),1717600513(domain users@ad.example.org),1717600518(schema admins@ad.example.org),1717600519(enterprise admins@ad.example.org),1717600520(group policy creator owners@ad.example.org) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Version-Release number of selected component (if applicable):

sssd-1.10.0-2.fc19.alpha1.x86_64
freeipa-server-3.2.0-0.2.beta1.fc19.x86_64

How reproducible:

Always

Steps to Reproduce:

1. Setup IPA Server
2. Setup AD Server (2008r2 is what I saw this on)
3. Setup Trust
4. ipa group-add --external ext_ad_administrators --desc "AD.TEST Administrators"
5. ipa group-add-member ext_ad_administrators --external "AD\Domain Admins"
6. ipa group-add ad_administrators
7. ipa group-add-member ad_administrators --group ext_ad_administrators
8. id administrator@ad.example.org

Actual results:

does not list ad_administrators

Expected results:

should list ad_administrators

Additional info:
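
Added example (not part of the original report, and not FreeIPA or SSSD code): a Python check that works out, from `ipa group-show --all` output, which POSIX groups an AD user should gain through external-group SID membership, and compares that with `id` output. The sample text is constructed from the output quoted above; `USER_SIDS`, the idea that the caller supplies the user's SIDs, and all function names are assumptions of this example.

```python
import re

# Constructed sample input, trimmed from the output quoted in the report.
AD_ADMINS = """\
  Group name: ad_admins
  Member groups: ad_admins_external
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, posixgroup
"""
AD_ADMINS_EXTERNAL = """\
  Group name: ad_admins_external
  Member of groups: ad_admins
  External member: S-1-5-21-3234163150-1739635155-2110790787-512
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, ipaexternalgroup
"""
USER_SIDS = ["S-1-5-21-3234163150-1739635155-2110790787-512"]  # assumed input
ID_OUTPUT = ("uid=1717600500(administrator@ad.example.org) "
             "gid=1717600500(administrator@ad.example.org) "
             "groups=1717600500(administrator@ad.example.org),"
             "1717600512(domain admins@ad.example.org) "
             "context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")

def parse_group_show(text):
    """Turn 'Key: v1, v2' lines into {lowercased key: [values]}."""
    entry = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep:
            entry[key.lower()] = [v.strip() for v in value.split(", ")]
    return entry

def expected_posix_groups(entries, user_sids):
    """POSIX groups reachable from external groups that list one of user_sids."""
    by_name = {e["group name"][0]: e for e in entries}
    todo = [n for n, e in by_name.items()
            if set(e.get("external member", [])) & set(user_sids)]
    seen = set()
    while todo:  # follow 'Member of groups' transitively
        name = todo.pop()
        if name not in seen and name in by_name:
            seen.add(name)
            todo.extend(by_name[name].get("member of groups", []))
    return {n for n in seen if "posixgroup" in by_name[n]["objectclass"]}

def id_group_names(id_output):
    """Group names from the groups= field of `id` output (names may contain spaces)."""
    m = re.search(r"groups=(\S.*?)(?:\s+context=|$)", id_output)
    return set(re.findall(r"\d+\(([^)]*)\)", m.group(1))) if m else set()

def missing_groups(entries, user_sids, id_output):
    return expected_posix_groups(entries, user_sids) - id_group_names(id_output)

if __name__ == "__main__":
    groups = [parse_group_show(AD_ADMINS), parse_group_show(AD_ADMINS_EXTERNAL)]
    print("missing from id:", missing_groups(groups, USER_SIDS, ID_OUTPUT))
```

The external group itself is not expected in `id` output because it is not a POSIX group; only groups with the `posixgroup` object class are reported as missing.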
Sumit has determined that this is a problem in sssd. The BZ has been re-pointed, closing this ticket.
Metadata Update from @rcritten: - Issue assigned to someone - Issue set to the milestone: 0.0 NEEDS_TRIAGE