Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1211830
Description of problem:
When in an AD trust, IPA fails to return user information from the extdom call if an external user is a member of an IPA group with the "default_domain_suffix" setting configured in the IPA server's sssd.conf. The user information is complete and accurate when viewed on the IPA server itself, but no information is returned to a client requesting that user, leading to complete identity failure on clients.

"default_domain_suffix" is set on the IPA servers, along with all the clients, as a convenience for administrators and users to avoid using their fully-qualified names. Although we can work around this bug by not setting that value, we'd like to not have a unique configuration only on the IPA servers.

Version-Release number of selected component (if applicable):
ipa-server-4.1.0-18.el7_1.3.x86_64
sssd-1.12.2-58.el7_1.6.x86_64

How reproducible:
always

Steps to Reproduce:
* setup an AD trust with POSIX attributes
* create user "test1"
* add user to "biggroup"
* ensure POSIX attributes are set on both the user and group
* on the IPA server, set default_domain_suffix in [sssd] section:

    grep default_domain_suffix /etc/sssd/sssd.conf
    ipa group-del ad_biggroup
    ipa group-del external_biggroup
    service sssd stop; rm -f /var/lib/sss/{db,mc}/*; service sssd start
    id test1@example.com
    ipa group-add --desc 'external - biggroup' --external external_biggroup
    ipa group-add-member --users='' --groups='' --external 'EXAMPLE\biggroup' external_biggroup
    ipa group-add --desc 'ad - biggroup' ad_biggroup
    ipa group-add-member --users='' --groups=external_biggroup ad_biggroup
    service sssd stop
    rm -f /var/lib/sss/{db,mc}/*
    rm -f /var/log/sssd/*
    service sssd start
    id test1@example.com

* on the IPA client:

    service sssd stop; rm -f /var/lib/sss/{db,mc}/*; service sssd start; id test1@example.com

Actual results:
* on the IPA server without default_domain_suffix on the server:

    grep default_domain_suffix /etc/sssd/sssd.conf; id test1@example.com
    #default_domain_suffix = example.com
    uid=10000(test1@example.com) gid=10000(domain users@example.com) groups=10000(domain users@example.com),730800023(ad_biggroup),10001(biggroup@example.com)

* on the IPA server with default_domain_suffix on the server:

    grep default_domain_suffix /etc/sssd/sssd.conf; id test1@example.com
    default_domain_suffix = example.com
    uid=10000(test1@example.com) gid=10000(domain users@example.com) groups=10000(domain users@example.com),730800023(ad_biggroup),10001(biggroup@example.com)

* on the IPA client without default_domain_suffix on the server:

    service sssd stop; rm -f /var/lib/sss/{db,mc}/*; service sssd start; id test1@example.com
    Redirecting to /bin/systemctl stop sssd.service
    Redirecting to /bin/systemctl start sssd.service
    uid=10000(test1@example.com) gid=10000(domain users@example.com) groups=10000(domain users@example.com),730800023(ad_biggroup),10001(biggroup@example.com)

* on the IPA client with default_domain_suffix on the server:

    service sssd stop; rm -f /var/lib/sss/{db,mc}/*; service sssd start; id test1@example.com
    Redirecting to /bin/systemctl stop sssd.service
    Redirecting to /bin/systemctl start sssd.service
    id: test1@example.com: no such user

Expected results:
* on the IPA server:

    grep default_domain_suffix /etc/sssd/sssd.conf; id test1@example.com
    default_domain_suffix = example.com
    uid=10000(test1@example.com) gid=10000(domain users@example.com) groups=10000(domain users@example.com),730800023(ad_biggroup),10001(biggroup@example.com)

* on the IPA client:

    service sssd stop; rm -f /var/lib/sss/{db,mc}/*; service sssd start; id test1@example.com
    Redirecting to /bin/systemctl stop sssd.service
    Redirecting to /bin/systemctl start sssd.service
    uid=10000(test1@example.com) gid=10000(domain users@example.com) groups=10000(domain users@example.com),730800023(ad_biggroup),10001(biggroup@example.com)

Additional info:
I put this bug under ipa because it only seems related to the extdom plugin in IPA. The user information is complete when querying on the IPA server, though the bug is triggered by the sssd setting. So not sure exactly in which component the problem lies.

This is only an issue with sssd 1.12+ where the complete group information is returned via the IPA extdom plugin, so technically it is a regression because identity information is not returned and existing IPA environments are broken. Prior to sssd 1.12, where group information was only completed via PAC, RHEL6 and RHEL7 clients had no issue resolving users' identities.
There is a server and a client side for this issue. The server side is already covered by #2569. This ticket will track the client side. If default_domain_suffix is set on the server side and hence fully-qualified names are used for the IPA domain the extdom plugin will return fully-qualified names for IPA objects as well. There are areas in the client code which do not handle this correctly.
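The comment above describes the client-side mechanism: once default_domain_suffix is set on the server, extdom answers carry IPA-domain objects (such as ad_biggroup) in fully-qualified form, and client code that only expects short names for the IPA domain cannot map them. The following is an added illustration of that failure mode and of a resolver that accepts both forms; it is not sssd or IPA code, and the IPA domain name "ipa.example.com", the trusted domain set and the sample response lists are assumptions constructed for the example.

```python
"""Illustrative handling of names returned by an IPA extdom lookup.

Added example, not sssd or IPA code. It models the situation in the ticket:
with default_domain_suffix set on the IPA server, the extdom plugin returns
IPA-domain objects fully qualified ("ad_biggroup@ipa.example.com") instead
of short ("ad_biggroup"). A client that assumes IPA objects always come back
short, and that any "@suffix" denotes a trusted AD domain, fails to resolve
them. Domain names below are assumed for illustration only.
"""
from typing import Callable, Dict, List, Optional, Tuple

IPA_DOMAIN = "ipa.example.com"        # assumed IPA domain name
TRUSTED_DOMAINS = {"example.com"}     # assumed AD trust partner (as in the ticket output)
KNOWN_DOMAINS = {IPA_DOMAIN} | TRUSTED_DOMAINS

Resolver = Callable[[str], Optional[str]]


def split_name(raw: str, default_domain: str) -> Tuple[str, str]:
    """Split 'name' or 'name@domain' into (name, domain).

    A missing suffix means the object belongs to the default (IPA) domain.
    The last '@' is the separator so that names containing '@' themselves
    are still split at the domain boundary. Domains are lower-cased because
    they are compared case-insensitively.
    """
    name, sep, domain = raw.rpartition("@")
    if not sep:
        return raw, default_domain
    if not name or not domain:
        raise ValueError(f"malformed name: {raw!r}")
    return name, domain.lower()


def resolve_naive(raw: str) -> Optional[str]:
    """Client logic reproducing the failure mode.

    Any fully-qualified name is assumed to belong to a trusted domain and
    only short names are accepted for the IPA domain, so a fully-qualified
    IPA name is dropped.
    """
    name, domain = split_name(raw, IPA_DOMAIN)
    if "@" not in raw:
        return f"{name}@{IPA_DOMAIN}"
    if domain in TRUSTED_DOMAINS:
        return f"{name}@{domain}"
    return None  # fully-qualified IPA-domain object not recognised


def resolve_fixed(raw: str) -> Optional[str]:
    """Accept short and fully-qualified forms for every known domain."""
    name, domain = split_name(raw, IPA_DOMAIN)
    if domain not in KNOWN_DOMAINS:
        return None
    return f"{name}@{domain}"


def resolve_groups(groups: List[str], resolver: Resolver) -> Dict[str, Optional[str]]:
    """Resolve each group name of an extdom-style response with `resolver`."""
    return {g: resolver(g) for g in groups}


def unresolved(groups: List[str], resolver: Resolver) -> List[str]:
    """Names the resolver could not map to a known domain (order preserved)."""
    return [g for g, r in resolve_groups(groups, resolver).items() if r is None]


# Constructed sample group lists for test1, mirroring the ticket's id output:
# short IPA group name when default_domain_suffix is unset on the server,
# fully-qualified IPA group name when it is set.
RESPONSE_SUFFIX_UNSET = ["domain users@example.com", "ad_biggroup", "biggroup@example.com"]
RESPONSE_SUFFIX_SET = ["domain users@example.com", "ad_biggroup@ipa.example.com", "biggroup@example.com"]


if __name__ == "__main__":
    for label, resp in (("suffix unset", RESPONSE_SUFFIX_UNSET), ("suffix set", RESPONSE_SUFFIX_SET)):
        print(f"{label}: naive leaves unresolved {unresolved(resp, resolve_naive)}")
        print(f"{label}: fixed leaves unresolved {unresolved(resp, resolve_fixed)}")
```

With the suffix unset both resolvers map every group; with the suffix set the naive resolver loses ad_biggroup, which is the kind of gap that turns into "no such user" on the client once the group list cannot be stored consistently.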
Fields changed
patch: 0 => 1
owner: somebody => sbose status: new => assigned
milestone: NEEDS_TRIAGE => SSSD 1.12.5
resolution: => fixed status: assigned => closed
Metadata Update from @jhrozek: - Issue assigned to sbose - Issue set to the milestone: SSSD 1.12.5
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/3688
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.