Learn more about these different git repos.
Other Git URLs
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1372075
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Created attachment 1196496 sssd logs of id command which fails to retrieve domain_local group Description of problem: AD provider: SSSD does not retrieve a domain-local group with the AD provider when following AGGUDLP group structure across domains http://blogs.msmvps.com/acefekay/2012/01/06/using-group-nesting-strategy-ad-bes t-practices-for-group-strategy/ Add accounts to a Global Group, add the Global Group to a Universal Group, add the Universal Group to a Domain Local Group, apply permissions for the Domain Local Group to a resource. The accounts in the original Domain Local Group will have access to the resource with the permissions levels based on the permissions applied to the Domain Local Group. Version-Release number of selected component (if applicable): sssd-1.13.0-40.el7_2.4.x86_64 How reproducible: 100% reproducible Create sssduser in parent domain TEST.COM Create global_group in parent domain TEST.COM Create universal_group in parent domain TEST.COM Create domain_local group in CHILD.TEST.COM Join SSSD to AD domain CHILD.TEST.COM --> In the parent AD domain sssduser is a member of global_group global_group is a member of universal_group --> In the child domain universal_group is a member of domain_local_group Actual results: # id sssduser uid=489247064(sssduser@jstephen.local) gid=489247064(sssduser@jstephen.local) g roups=489247064(sssduser@jstephen.local),489247065(universal_group@jstephen.loc al),489247063(global_group@jstephen.local),489200513(domain users@jstephen.local),489247023(nestedtestgroup@jstephen.local) The domain-local group is not found, only global_group and universal_group are visible. Querying the group directly with getent group allows the id command to find the group properly until the SSSD cache is reset/invalidated # getent group domain_local@adcorp.jstephen.local domain_local@ADCORP.jstephen.local:*:481401122:sssduser@jstephen.local # id sssduser@jstephen.local uid=489247064(sssduser@jstephen.local) gid=489247064(sssduser@jstephen.local) g roups=489247064(sssduser@jstephen.local),489247063(global_group@jstephen.local) ,489247065(universal_group@jstephen.local),481401122(domain_local@ADCORP.jsteph en.local) Expected results: domain_local group should be visible in 'id' command output without having to run getent group first Additional info: Testing using combinations of the following options does not fix this issue ad_enable_gc = false ldap_use_tokengroups = false ad_server = The objectSID of domain_local is S-1-5-21-2058409190-3331408712-3548322839-1122
Fields changed
blockedby: => blocking: => changelog: => coverity: => design: => design_review: => 0 feature_milestone: => fedora_test_page: => mark: no => 0 owner: somebody => sbose priority: major => critical review: True => 0 selected: => testsupdated: => 0
milestone: NEEDS_TRIAGE => SSSD 1.14.2
patch: 0 => 1 status: new => assigned
Moving tickets that didn't make it into the 1.14.2 release into the next point release.
milestone: SSSD 1.14.2 => SSSD 1.14.3
- master: - 2569984 - 49d3f0a - 3dd4c3e - sssd-1-14: - c1f3b29 - f38c62f - 9a243dc
resolution: => fixed status: assigned => closed
Metadata Update from @jhrozek: - Issue assigned to sbose - Issue set to the milestone: SSSD 1.14.3
See also related bugfix https://pagure.io/SSSD/sssd/issue/3331
Metadata Update from @lslebodn: - Custom field design_review reset (from 0) - Custom field mark reset (from 0) - Custom field patch adjusted to on (was: 1) - Custom field review reset (from 0) - Custom field sensitive reset (from 0) - Custom field testsupdated reset (from 0)
Backport for sssd-1-13 https://github.com/SSSD/sssd/pull/399
Metadata Update from @sbose: - Custom field design_review reset (from false) - Custom field mark reset (from false) - Custom field review reset (from false) - Custom field sensitive reset (from false) - Custom field testsupdated reset (from false)
sssd-1-13:
Metadata Update from @lslebodn: - Custom field design_review reset (from false) - Custom field mark reset (from false) - Custom field review reset (from false) - Custom field sensitive reset (from false) - Custom field testsupdated reset (from false)
Metadata Update from @jhrozek: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1372075, https://bugzilla.redhat.com/show_bug.cgi?id=1489485 (was: https://bugzilla.redhat.com/show_bug.cgi?id=1372075)
Issue linked to Bugzilla: Bug 1489485
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4239
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Login to comment on this ticket.