I have the following configuration of an Active Directory forest:
ad.pb (root domain) <-- (transitive trust) --> sub.ad.pb (child domain)
user: subaduser@sub.ad.pb, memberof: Domain Users@sub.ad.pb, test@sub.ad.pb
When processing user information, tokenGroups contains Domain Users@ad.pb and test@sub.ad.pb. For some reason, the Domain Users group is from the forest root (ad.pb) instead of the child (sub.ad.pb).
Interestingly, the id command returns Domain Users from both domains.
$ id 'SUBADPB\subaduser'
uid=1462601111(subaduser@sub.ad.pb) gid=1462601111(subaduser@sub.ad.pb) groups=1462601111(subaduser@sub.ad.pb),1751600513(domain users),1462601112(test@sub.ad.pb),1462600513(domain users@sub.ad.pb)
LDB contains:
dn: name=subaduser@sub.ad.pb,cn=users,cn=sub.ad.pb,cn=sysdb
createTimestamp: 1377857075
fullName: subaduser
gecos: subaduser
gidNumber: 1462601111
name: subaduser@sub.ad.pb
objectClass: user
uidNumber: 1462601111
objectSIDString: S-1-5-21-2202501355-1040042079-3472030569-1111
origPrimaryGroupGidNumber: 1462600513
originalDN: CN=subaduser,CN=Users,DC=sub,DC=ad,DC=pb
originalMemberOf: CN=test,CN=Users,DC=sub,DC=ad,DC=pb
originalModifyTimestamp: 20130827115406.0Z
entryUSN: 82658
userPrincipalName: subaduser@SUB.AD.PB
adUserAccountControl: 66048
nameAlias: subaduser@sub.ad.pb
initgrExpireTimestamp: 1377862476
lastUpdate: 1377857076
dataExpireTimestamp: 1377862476
memberof: name=S-1-5-21-3940105347-3434501867-2690409756-513,cn=groups,cn=sub.ad.pb,cn=sysdb
memberof: name=test@sub.ad.pb,cn=groups,cn=sub.ad.pb,cn=sysdb
distinguishedName: name=subaduser@sub.ad.pb,cn=users,cn=sub.ad.pb,cn=sysdb

dn: name=Domain Users@sub.ad.pb,cn=groups,cn=sub.ad.pb,cn=sysdb
createTimestamp: 1377857076
gidNumber: 1462600513
name: Domain Users@sub.ad.pb
objectClass: group
objectSIDString: S-1-5-21-2202501355-1040042079-3472030569-513
originalDN: CN=Domain Users,CN=Users,DC=sub,DC=ad,DC=pb
originalModifyTimestamp: 20130626132134.0Z
entryUSN: 38668
nameAlias: domain users@sub.ad.pb
isPosix: TRUE
lastUpdate: 1377857076
dataExpireTimestamp: 1377862476
distinguishedName: name=Domain Users@sub.ad.pb,cn=groups,cn=sub.ad.pb,cn=sysdb

dn: name=test@sub.ad.pb,cn=groups,cn=sub.ad.pb,cn=sysdb
createTimestamp: 1377857076
gidNumber: 1462601112
name: test@sub.ad.pb
objectClass: group
objectSIDString: S-1-5-21-2202501355-1040042079-3472030569-1112
originalDN: CN=test,CN=Users,DC=sub,DC=ad,DC=pb
originalModifyTimestamp: 20130829103018.0Z
entryUSN: 83976
orig_member: CN=subaduser,CN=Users,DC=sub,DC=ad,DC=pb
nameAlias: test@sub.ad.pb
isPosix: TRUE
lastUpdate: 1377857076
dataExpireTimestamp: 1377862476
member: name=subaduser@sub.ad.pb,cn=users,cn=sub.ad.pb,cn=sysdb
memberuid: subaduser@sub.ad.pb
distinguishedName: name=test@sub.ad.pb,cn=groups,cn=sub.ad.pb,cn=sysdb

dn: name=S-1-5-21-3940105347-3434501867-2690409756-513,cn=groups,cn=sub.ad.pb,cn=sysdb
createTimestamp: 1377857076
gidNumber: 1751600513
name: S-1-5-21-3940105347-3434501867-2690409756-513
objectClass: group
lastUpdate: 1377857076
dataExpireTimestamp: 1377857075
isPosix: FALSE
objectSIDString: S-1-5-21-3940105347-3434501867-2690409756-513
member: name=subaduser@sub.ad.pb,cn=users,cn=sub.ad.pb,cn=sysdb
memberuid: subaduser@sub.ad.pb
distinguishedName: name=S-1-5-21-3940105347-3434501867-2690409756-513,cn=groups,cn=sub.ad.pb,cn=sysdb

dn: name=Domain Users,cn=groups,cn=AD.PB,cn=sysdb
createTimestamp: 1377857076
gidNumber: 1751600513
name: Domain Users
objectClass: group
objectSIDString: S-1-5-21-3940105347-3434501867-2690409756-513
originalDN: CN=Domain Users,CN=Users,DC=ad,DC=pb
originalModifyTimestamp: 20130411080423.0Z
entryUSN: 12350
nameAlias: domain users
isPosix: TRUE
lastUpdate: 1377857076
dataExpireTimestamp: 1377862476
distinguishedName: name=Domain Users,cn=groups,cn=AD.PB,cn=sysdb
The unresolved SID is Domain Users from ad.pb; however, it is stored under cn=sub.ad.pb,cn=sysdb, which is wrong. It is also stored under cn=AD.PB, and there the SID is resolved. Domain Users from sub.ad.pb is also present in the sysdb.
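An added diagnostic, not part of this ticket or of SSSD's code: it parses a sysdb-style LDIF dump and flags entries stored under a cn=<domain>,cn=sysdb container that does not match the domain prefix of their objectSIDString, and entries that never resolved to a name, which is exactly the inconsistency reported above. The DOMAIN_SIDS table and the condensed sample entries are constructed from the SIDs in the dump; any entry carrying an objectSIDString is checked, not only groups.

```python
import re
# Domain SIDs from the ticket's dump (constructed lookup; a real tool would read them from sysdb).
DOMAIN_SIDS = {
    "S-1-5-21-3940105347-3434501867-2690409756": "ad.pb",
    "S-1-5-21-2202501355-1040042079-3472030569": "sub.ad.pb",
}

# Constructed sample: the three Domain Users entries from the ticket, condensed.
SAMPLE_LDIF = """\
dn: name=Domain Users@sub.ad.pb,cn=groups,cn=sub.ad.pb,cn=sysdb
name: Domain Users@sub.ad.pb
objectSIDString: S-1-5-21-2202501355-1040042079-3472030569-513
isPosix: TRUE

dn: name=S-1-5-21-3940105347-3434501867-2690409756-513,cn=groups,cn=sub.ad.pb,cn=sysdb
name: S-1-5-21-3940105347-3434501867-2690409756-513
objectSIDString: S-1-5-21-3940105347-3434501867-2690409756-513
isPosix: FALSE

dn: name=Domain Users,cn=groups,cn=AD.PB,cn=sysdb
name: Domain Users
objectSIDString: S-1-5-21-3940105347-3434501867-2690409756-513
isPosix: TRUE
"""

def sid_domain(sid):
    """Drop the RID: RID 513 is Domain Users in every domain, only the prefix says which."""
    return sid.rsplit("-", 1)[0]

def subtree_domain(dn):
    """Domain container of a sysdb DN, e.g. '...,cn=AD.PB,cn=sysdb' -> 'ad.pb'."""
    m = re.search(r"cn=([^,]+),cn=sysdb$", dn, re.IGNORECASE)
    return m.group(1).lower() if m else ""

def parse_ldif(text):
    """Minimal single-valued LDIF reader: blank-line separated 'attr: value' entries."""
    return [dict(ln.partition(": ")[::2] for ln in block.splitlines())
            for block in re.split(r"\n\s*\n", text.strip())]

def audit_sysdb_entries(ldif_text):
    """Return {'misplaced': [(dn, sid_owner, container)], 'unresolved': [dn]}: misplaced when the
    SID prefix belongs to another domain than the container, unresolved when name == SID or isPosix FALSE."""
    report = {"misplaced": [], "unresolved": []}
    for e in parse_ldif(ldif_text):
        dn, sid = e["dn"], e.get("objectSIDString", "")
        owner = DOMAIN_SIDS.get(sid_domain(sid))
        if owner and owner != subtree_domain(dn):
            report["misplaced"].append((dn, owner, subtree_domain(dn)))
        if sid and (e.get("name") == sid or e.get("isPosix") == "FALSE"):
            report["unresolved"].append(dn)
    return report
```

On the sample, only the SID-named entry under cn=sub.ad.pb is reported, in both lists; the same entry under cn=AD.PB passes.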
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.11.1
rhbz: => 0
owner: somebody => pbrezina
status: new => assigned
patch: 0 => 1
resolution: => fixed
status: assigned => closed

Metadata Update from @pbrezina:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.11.1
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to GitHub and is available here: https://github.com/SSSD/sssd/issues/3108
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.