Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 988520
Description of problem:

On an IPA client in an environment with an AD trust, I cannot look up users with POSIX attributes set. I tried with getent and just ssh'ing to the IPA client. Neither case worked. If I delete the trust from the IPA server and recreate it with "--range-type ipa-ad-trust" (no POSIX support), I am able to look up and ssh with Administrator@adtest.qe, which does not have POSIX attributes set.

After some troubleshooting with dev, it was found that the sssd db has the GID set to 0 for the posix user:

    [root@client alllog1]# ldbsearch -H /var/lib/sss/db/cache_ipa.spoore.test.ldb name=posixuser1@adtest.qe
    asq: Unable to register control with rootdse!
    # record 1
    dn: name=posixuser1@adtest.qe,cn=users,cn=adtest.qe,cn=sysdb
    createTimestamp: 1374775689
    gidNumber: 0
    homeDirectory: /home/adtest.qe/posixuser1
    name: posixuser1@adtest.qe
    objectClass: user
    uidNumber: 10001
    nameAlias: posixuser1@adtest.qe
    userPrincipalName: posixuser1@ADTEST.QE
    objectSIDString: S-1-5-21-3052441428-1084853364-590233633-1300
    lastUpdate: 1374775689
    dataExpireTimestamp: 1374811689
    distinguishedName: name=posixuser1@adtest.qe,cn=users,cn=adtest.qe,cn=sysdb

Above I can see gidNumber=0. This is incorrect. uidNumber, though, is correct; that is what I set on the AD side.

Version-Release number of selected component (if applicable):
sssd-1.11.0-0.1.beta2.fc19.x86_64

How reproducible: always

Steps to Reproduce:

* This was from following the FreeIPA test day: https://fedoraproject.org/wiki/Test_Day:2013-07-25_AD_trusts_with_POSIX_attributes_in_AD_and_support_for_old_clients#Test_Results

0. Have an AD server set up with Identity Management for Unix enabled and a user with POSIX attributes set.
1. Install IPA Master
2. Install IPA Client

On Master:

3. ipa-adtrust-install
4. ipa dnszone-add adtest.qe --name-server=adserver.adtest.qe \
       --admin-email='hostmaster@adtest.qe' --force --forwarder=<ADserver_IP> \
       --forward-policy=only --ip-address=<ADserver_IP>
5. systemctl restart named.service

On AD Server:

6. Set up a DNS conditional forwarder to the IPA server/domain: Server Manager -> Tools -> DNS -> Conditional Forwarder
   - right click, new conditional forwarder
   - enter ipa.spoore.test
   - enter <IPAserver_IP>
   - select the option to store in AD
7. Add a POSIX user/group: Server Manager -> Tools -> AD Users and Computers
   - right click users -> new group
   - right click on the new group -> properties -> Unix Attr tab -- select NIS Domain and set GID
   - right click users -> new user
   - right click on the new user -> properties -> Unix Attr tab -- select NIS Domain and set UID (different from the GID above)

On IPA Master:

8. echo Secret123 | \
       ipa trust-add --type=ad adtest.qe --admin Administrator --password

On IPA Client:

9. restart sssd to be safe:
       systemctl stop sssd
       rm -rf /var/lib/sss/db/*
       rm -rf /var/lib/sss/mc/*
       systemctl start sssd
10. getent passwd posixuser1@adtest.qe
11. yum -y install ldb-tools
12. ldbsearch -H /var/lib/sss/db/cache_ipa.spoore.test.ldb objectclass=user

Actual results:

10. fails to find the user.
12. returns:

    [root@client sssd]# ldbsearch -H /var/lib/sss/db/cache_ipa.spoore.test.ldb objectclass=user
    asq: Unable to register control with rootdse!
    # record 1
    dn: name=posixuser1@adtest.qe,cn=users,cn=adtest.qe,cn=sysdb
    createTimestamp: 1374775689
    gidNumber: 0
    homeDirectory: /home/adtest.qe/posixuser1
    name: posixuser1@adtest.qe
    objectClass: user
    uidNumber: 10001
    nameAlias: posixuser1@adtest.qe
    userPrincipalName: posixuser1@ADTEST.QE
    objectSIDString: S-1-5-21-3052441428-1084853364-590233633-1300
    lastUpdate: 1374775689
    dataExpireTimestamp: 1374811689
    distinguishedName: name=posixuser1@adtest.qe,cn=users,cn=adtest.qe,cn=sysdb

    # returned 1 records
    # 1 entries
    # 0 referrals

Expected results:
gidNumber should not be 0, and the lookup should return passwd info.

Additional info:
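As an added diagnostic example (not part of this ticket and not SSSD's own tooling): a small POSIX shell/awk filter that reads ldbsearch output from the SSSD cache, in the record format shown in the listing above, and flags every user entry whose gidNumber is missing or 0, which is the cache state that makes the passwd lookup fail here. The embedded sample listing is constructed, modelled on the ticket's output, and the function name find_bad_gid is an assumption; on a real client you would pipe the ldbsearch command from step 12 into it instead.

```shell
#!/bin/sh
# Added example, not from the ticket: scan ldbsearch output of the SSSD
# cache for user entries whose gidNumber is 0 or absent.

# Constructed sample, modelled on the ldbsearch listing in the ticket.
# Record 1 is the broken user, record 2 a healthy user, record 3 a group
# (groups are ignored by the check even though its gidNumber is 0).
SAMPLE_LDB='asq: Unable to register control with rootdse!
# record 1
dn: name=posixuser1@adtest.qe,cn=users,cn=adtest.qe,cn=sysdb
gidNumber: 0
name: posixuser1@adtest.qe
objectClass: user
uidNumber: 10001

# record 2
dn: name=posixuser2@adtest.qe,cn=users,cn=adtest.qe,cn=sysdb
gidNumber: 10000
name: posixuser2@adtest.qe
objectClass: user
uidNumber: 10002

# record 3
dn: name=posixgroup1@adtest.qe,cn=groups,cn=adtest.qe,cn=sysdb
gidNumber: 0
name: posixgroup1@adtest.qe
objectClass: group

# returned 3 records
# 3 entries
# 0 referrals'

# find_bad_gid: read ldbsearch output on stdin and print one line per
# objectClass=user entry whose gidNumber is missing or 0.  Records are
# delimited by "dn:" lines and blank lines, so multi-record output from
# "objectclass=user" searches is handled.  Exit status is 1 when at least
# one entry was flagged, 0 otherwise.
find_bad_gid() {
    awk '
        function emit() {
            if (dn != "" && oc == "user" && (gid == "" || gid == "0")) {
                printf "%s gidNumber=%s\n", dn, (gid == "" ? "<missing>" : gid)
                bad++
            }
            dn = ""; oc = ""; gid = ""
        }
        /^dn: /          { emit(); dn = substr($0, 5); next }
        /^objectClass: / { oc = $2; next }
        /^gidNumber: /   { gid = $2; next }
        /^$/             { emit(); next }
        END              { emit(); exit (bad > 0) }
    '
}

# Demonstration on the constructed sample.  Real use on the client:
#   ldbsearch -H /var/lib/sss/db/cache_ipa.spoore.test.ldb objectclass=user | find_bad_gid
printf '%s\n' "$SAMPLE_LDB" | find_bad_gid \
    || echo "users with missing/zero gidNumber found in cache (see above)"
```

Only user entries are reported, because a group with gidNumber 0 is a different (and in a trust setup usually separate) problem; the exit status makes the filter usable from a health-check script that fails the host when the cache is in this state.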
Fields changed
blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
owner: somebody => jhrozek
review: True => 0
selected: =>
status: new => assigned
testsupdated: => 0
patch: 0 => 1
milestone: NEEDS_TRIAGE => SSSD 1.11 beta 3
resolution: => fixed
status: assigned => closed
Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.11.0
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to GitHub and is available here: https://github.com/SSSD/sssd/issues/3074
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.