Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 953944
Description of problem:

In an IPA/AD Trust setup, I cannot see the IPA external group for the AD user. This is from this test (with slight differences to work from another test): https://fedoraproject.org/wiki/QA:Testcase_freeipav3_ad_hbac

    [root@f19-1 ~]# ipa group-show --all ad_admins
      dn: cn=ad_admins,cn=groups,cn=accounts,dc=ipa,dc=example,dc=org
      Group name: ad_admins
      Description: ad.example.org admins
      GID: 1819800007
      Member groups: ad_admins_external
      ipantsecurityidentifier: S-1-5-21-1339028217-3206615778-3561301142-1007
      ipauniqueid: 93ff8042-a886-11e2-a644-0000c0a87abf
      objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, posixgroup, ipantgroupattrs

    [root@f19-1 ~]# ipa group-show --all ad_admins_external
      dn: cn=ad_admins_external,cn=groups,cn=accounts,dc=ipa,dc=example,dc=org
      Group name: ad_admins_external
      Description: ad.example.org admins external map
      Member of groups: ad_admins
      External member: S-1-5-21-3234163150-1739635155-2110790787-512
      ipauniqueid: 88f8b95c-a886-11e2-8283-0000c0a87abf
      objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, ipaexternalgroup

    [root@f19-1 ~]# wbinfo -s S-1-5-21-3234163150-1739635155-2110790787-512
    AD\domain admins 2

    [root@f19-1 ~]# wbinfo --group-info "AD\domain admins 2"
    failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
    Could not get info for group AD\domain admins 2

    [root@f19-1 ~]# wbinfo --group-info "AD\domain admins"
    AD\domain admins:4294967295:AD\administrator

    -sh-4.2$ id
    uid=1717600500(administrator@ad.example.org) gid=1717600500(administrator@ad.example.org) groups=1717600500(administrator@ad.example.org),1717600512(domain admins@ad.example.org),1717600513(domain users@ad.example.org),1717600518(schema admins@ad.example.org),1717600519(enterprise admins@ad.example.org),1717600520(group policy creator owners@ad.example.org) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Version-Release number of selected component (if applicable):

    sssd-1.10.0-2.fc19.alpha1.x86_64
    freeipa-server-3.2.0-0.2.beta1.fc19.x86_64

How reproducible: Always

Steps to Reproduce:

1. Setup IPA Server
2. Setup AD Server (2008r2 is what I saw this on)
3. Setup Trust
4. ipa group-add --external ext_ad_administrators --desc "AD.TEST Administrators"
5. ipa group-add-member ext_ad_administrators --external "AD\Domain Admins"
6. ipa group-add ad_administrators
7. ipa group-add-member ad_administrators --group ext_ad_administrators
8. id administrator@ad.example.org

Actual results: does not list ad_administrators

Expected results: should list ad_administrators

Additional info:
Reassigning to Sumit, he already has a candidate fix.
blockedby: =>
blocking: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
owner: somebody => sbose
review: True => 0
selected: =>
testsupdated: => 0
Fields changed
patch: 0 => 1
milestone: NEEDS_TRIAGE => SSSD 1.10 beta
resolution: => fixed
status: new => closed

Metadata Update from @jhrozek:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.10 beta
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/2930
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.