Learn more about these different git repos.
Other Git URLs
I have the following configuration of active directory forest:
ad.pb (root domain) <-- (transitive trust) --> sub.ad.pb (child domain) ChildUsers (universal group in ad.pb) contains subaduser@sub.ad.pb (user from child domain)
SSSD is not able to resolve this membership. It probably tries to search subaduser in ad.pb LDAP instead of Global Catalog.
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-3940105347-3434501867-2690409756-1110)(objectclass=group)(name=*))][DC=ad,DC=pb]. (Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name] (Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID] (Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID] (Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged] (Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged] (Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results. (Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ (Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=subaduser,CN=Users,DC=sub,DC=ad,DC=pb]. (Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName] (Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_done] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-03100742, data 0, 1 access points ref 1: 'sub.ad.pb' (Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Referral(10), 0000202B: RefErr: DSID-03100742, data 0, 1 access points ref 1: 'sub.ad.pb' (Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error (Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_nested_group_single_step_done] (0x0020): Error processing direct membership [5]: Input/output error (Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_nested_done] (0x0020): Nested group processing failed: [5][Input/output error] (Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_id_op_done] (0x0200): communication error on cached connection, moving to next server
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.11.1
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1002597
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=1002597 1002597]
owner: somebody => pbrezina status: new => assigned
patch: 0 => 1
The patchset is massive and needs rebasing atop patches for #1970. I'd rather push the review to 1.11.2
milestone: SSSD 1.11.1 => SSSD 1.11.2
Replying to [comment:5 jhrozek]:
Sorry, #2070
resolution: => fixed status: assigned => closed
changelog: => The SSSD is now able to resolve all group members from different Active Directory domains as long as they come from a single forest.
Metadata Update from @pbrezina: - Issue assigned to pbrezina - Issue set to the milestone: SSSD 1.11.2
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/3106
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Login to comment on this ticket.