#2190 Group membership lookup issue
Closed: Fixed. Opened 10 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1049533

Description of problem:
Issue with SSSD group membership lookup

Version-Release number of selected component (if applicable):
[root@dhcp207-43 ~]# rpm -q sssd
sssd-1.11.2-19.el7.x86_64
[root@dhcp207-43 ~]# rpm -q ipa-server
ipa-server-3.3.3-8.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Setup AD trust
2. Add users in AD
3. Add posix group ad_users
4. Add external group ad_users_ext
5. Add ad_users_ext to ad_users group
6. Add aduser1 user to ad_user_ext group
7. Check id aduser1@domain.com for ad user group memberships on IPA

Actual results:
[root@dhcp207-43 ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
                          S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8,
                          S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13,
                          S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18,
                          S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
                          S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8,
                          S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13,
                          S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18,
                          S-1-5-19, S-1-5-20
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

[root@dhcp207-43 ~]# getent passwd aduser1@adtest.qe
aduser1@adtest.qe:*:1148401313:1148401313:ads user:/:

[root@dhcp207-43 ~]# ipa group-show ad_users
  Group name: ad_users
  Description: ad_users local group
  GID: 1741800004
  Member groups: ad_users_ext
  Member of HBAC rule: testrule

[root@dhcp207-43 ~]# ipa group-show ad_users_ext
  Group name: ad_users_ext
  Description: ad_users external map
  Member of groups: ad_users
  Indirect Member of HBAC rule: testrule
  External member: S-1-5-21-1910160501-511572375-3625658879-1313

[root@dhcp207-43 ~]# wbinfo -n 'ADTEST\aduser1'
S-1-5-21-1910160501-511572375-3625658879-1313 SID_USER (1)

[root@dhcp207-43 ~]# id 'ADTEST\aduser1'
uid=1148401313(aduser1@adtest.qe) gid=1148401313(aduser1@adtest.qe)
groups=1148401313(aduser1@adtest.qe),1148400513(domain users@adtest.qe)

[root@dhcp207-43 ~]# ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
  Rule name: allow_all
  User category: all
  Host category: all
  <sourcehostcategory>: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: TRUE

  Rule name: testrule
  Description: test
  Enabled: TRUE
  User Groups: ad_users
  Hosts: dhcp207-43.testrelm.com
  Services: sshd
----------------------------
Number of entries returned 2
----------------------------

[root@dhcp207-43 ~]# ipa hbactest --user 'aduser1@adtest.qe' --host `hostname` --service sshd
--------------------
Access granted: True
--------------------
  Matched rules: allow_all
  Not matched rules: testrule
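An added verification helper for the reproduction above, not code from the ticket or from SSSD: it confirms that the AD user's SID (as printed by `wbinfo -n`) is the external member of the map group and then looks for the POSIX group in the `id` output, which is the lookup this ticket reports as failing. The embedded sample strings are constructed from the ticket's output; the "fixed" `id` line with `ad_users` present is an assumed expectation, not output from the page.

```shell
#!/bin/sh
# Added verification helper, not code from the ticket or from SSSD. It checks
# whether an AD user's SID is listed as an external member of the IPA map group
# and whether the POSIX group that map group belongs to shows up in `id`.

# Print the user's SID from `wbinfo -n` output.
sid_of_user() {
    printf '%s\n' "$1" | awk '$2 == "SID_USER" { print $1; exit }'
}

# Print one external-member SID per line from `ipa group-show` output.
external_members() {
    printf '%s\n' "$1" | sed -n 's/^ *External member: *//p' | tr ',' '\n' |
        sed 's/^ *//; s/ *$//' | grep .
}

# Succeed when the named group appears in the groups= list of `id` output.
id_has_group() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' |
        sed 's/^[0-9]*(\(.*\))$/\1/' | grep -qxF "$2"
}

# check_membership WBINFO_OUT GROUP_SHOW_OUT ID_OUT POSIX_GROUP
# 0: SID mapped and group resolved; 1: SID mapped but group missing from id
# (the symptom in this ticket); 2: SID is not an external member at all.
check_membership() {
    sid=$(sid_of_user "$1")
    external_members "$2" | grep -qxF "$sid" || return 2
    id_has_group "$3" "$4" || return 1
    return 0
}

# Constructed samples mirroring the ticket's output; the "fixed" id line is an
# assumed expectation, not output from the page.
WBINFO_OUT='S-1-5-21-1910160501-511572375-3625658879-1313 SID_USER (1)'
GROUP_SHOW_OUT='  Group name: ad_users_ext
  Member of groups: ad_users
  External member: S-1-5-21-1910160501-511572375-3625658879-1313'
ID_OUT='uid=1148401313(aduser1@adtest.qe) gid=1148401313(aduser1@adtest.qe) groups=1148401313(aduser1@adtest.qe),1148400513(domain users@adtest.qe)'
ID_OUT_FIXED="$ID_OUT,1741800004(ad_users)"

for sample in "$ID_OUT" "$ID_OUT_FIXED"; do
    rc=0
    check_membership "$WBINFO_OUT" "$GROUP_SHOW_OUT" "$sample" ad_users || rc=$?
    echo "aduser1 / ad_users: rc=$rc (0 ok, 1 group missing, 2 SID unmapped)"
done
```

Feed the functions the live output of `wbinfo -n`, `ipa group-show` and `id` to run the same check on a real IPA server; rc=1 is the state shown in the ticket.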

Fields changed

owner: somebody => sbose
patch: 0 => 1
review: True => 0

milestone: NEEDS_TRIAGE => SSSD 1.11.4
resolution: => fixed
status: new => closed

Fields changed

changelog: => A bugfix for IPA server mode.

Metadata Update from @jhrozek:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.11.4

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3232

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

