Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1049533
Description of problem:
Issue with SSSD group membership lookup

Version-Release number of selected component (if applicable):
[root@dhcp207-43 ~]# rpm -q sssd
sssd-1.11.2-19.el7.x86_64
[root@dhcp207-43 ~]# rpm -q ipa-server
ipa-server-3.3.3-8.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Setup AD trust
2. Add users in AD
3. Add posix group ad_users
4. Add external group ad_users_ext
5. Add ad_users_ext to ad_users group
6. Add aduser1 user to ad_user_ext group
7. Check id aduser1@domain.com for ad user group memberships on IPA

Actual results:
[root@dhcp207-43 ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

[root@dhcp207-43 ~]# getent passwd aduser1@adtest.qe
aduser1@adtest.qe:*:1148401313:1148401313:ads user:/:

[root@dhcp207-43 ~]# ipa group-show ad_users
  Group name: ad_users
  Description: ad_users local group
  GID: 1741800004
  Member groups: ad_users_ext
  Member of HBAC rule: testrule

[root@dhcp207-43 ~]# ipa group-show ad_users_ext
  Group name: ad_users_ext
  Description: ad_users external map
  Member of groups: ad_users
  Indirect Member of HBAC rule: testrule
  External member: S-1-5-21-1910160501-511572375-3625658879-1313

[root@dhcp207-43 ~]# wbinfo -n 'ADTEST\aduser1'
S-1-5-21-1910160501-511572375-3625658879-1313 SID_USER (1)

[root@dhcp207-43 ~]# id 'ADTEST\aduser1'
uid=1148401313(aduser1@adtest.qe) gid=1148401313(aduser1@adtest.qe) groups=1148401313(aduser1@adtest.qe),1148400513(domain users@adtest.qe)

[root@dhcp207-43 ~]# ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
  Rule name: allow_all
  User category: all
  Host category: all
  <sourcehostcategory>: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: TRUE

  Rule name: testrule
  Description: test
  Enabled: TRUE
  User Groups: ad_users
  Hosts: dhcp207-43.testrelm.com
  Services: sshd
----------------------------
Number of entries returned 2
----------------------------

[root@dhcp207-43 ~]# ipa hbactest --user 'aduser1@adtest.qe' --host `hostname` --service sshd
--------------------
Access granted: True
--------------------
  Matched rules: allow_all
  Not matched rules: testrule
Fields changed
blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
owner: somebody => sbose
patch: 0 => 1
review: True => 0
selected: =>
testsupdated: => 0
milestone: NEEDS_TRIAGE => SSSD 1.11.4
resolution: => fixed
status: new => closed
changelog: => A bugfix for IPA server mode.
Metadata Update from @jhrozek:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.11.4
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3232
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.