Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 988520
Description of problem:
On an IPA client in an env with AD Trust, I cannot look up users with posix
attrs set. I tried with getent and just ssh'ing to the IPA client. Neither
case worked.
If I delete the trust from IPA server and recreate it with "--range-type
ipa-ad-trust" (no posix support), I am able to look up and ssh with
Administrator@adtest.qe which does not have posix attrs set.
After some troubleshooting with dev, it was found that sssd db has the GID set
to 0 for the posix user:
[root@client alllog1]# ldbsearch -H /var/lib/sss/db/cache_ipa.spoore.test.ldb name=posixuser1@adtest.qe
asq: Unable to register control with rootdse!
# record 1
dn: name=posixuser1@adtest.qe,cn=users,cn=adtest.qe,cn=sysdb
createTimestamp: 1374775689
gidNumber: 0
homeDirectory: /home/adtest.qe/posixuser1
name: posixuser1@adtest.qe
objectClass: user
uidNumber: 10001
nameAlias: posixuser1@adtest.qe
userPrincipalName: posixuser1@ADTEST.QE
objectSIDString: S-1-5-21-3052441428-1084853364-590233633-1300
lastUpdate: 1374775689
dataExpireTimestamp: 1374811689
distinguishedName: name=posixuser1@adtest.qe,cn=users,cn=adtest.qe,cn=sysdb
Above I can see gidNumber=0. This is incorrect. uidNumber though is correct,
that is what I set on AD side.
Version-Release number of selected component (if applicable):
sssd-1.11.0-0.1.beta2.fc19.x86_64
How reproducible:
always
Steps to Reproduce:
* This was from following FreeIPA test day:
https://fedoraproject.org/wiki/Test_Day:2013-07-25_AD_trusts_with_POSIX_attributes_in_AD_and_support_for_old_clients#Test_Results
0. Have AD server setup with Identity Management for Unix enabled and user
with posix attrs set.
1. Install IPA Master
2. Install IPA Client
On Master:
3. ipa-adtrust-install
4. ipa dnszone-add adtest.qe --name-server=adserver.adtest.qe \
--admin-email='hostmaster@adtest.qe' --force --forwarder=<ADserver_IP> \
--forward-policy=only --ip-address=<ADserver_IP>
5. systemctl restart named.service
On AD Server:
6. Setup DNS Conditional Forwarder to IPA server/domain
Server Manager -> Tools -> DNS -> Conditional Forwarder
- right click new conditional forwarder
- enter ipa.spoore.test
- enter <IPAserver_IP>
- select option to store in AD
7. Add Posix User/group:
Server Manager -> Tools -> AD Users and Computers
- right click users -> new group
- right click on the new group -> properties -> Unix Attr tab
-- Select NIS Domain and set GID
- right click users -> new user
- right click on new user -> properties -> Unix Attr tab
-- select NIS Domain and set UID (diff from GID above)
On IPA Master:
8. echo Secret123 | \
ipa trust-add --type=ad adtest.qe --admin Administrator --password
On IPA Client:
9. restart sssd to be safe:
systemctl stop sssd
rm -rf /var/lib/sss/db/*
rm -rf /var/lib/sss/mc/*
systemctl start sssd
10. getent passwd posixuser1@adtest.qe
11. yum -y install ldb-tools
12. ldbsearch -H /var/lib/sss/db/cache_ipa.spoore.test.ldb objectclass=user
Actual results:
10. fails to find user.
12. returns:
[root@client sssd]# ldbsearch -H /var/lib/sss/db/cache_ipa.spoore.test.ldb objectclass=user
asq: Unable to register control with rootdse!
# record 1
dn: name=posixuser1@adtest.qe,cn=users,cn=adtest.qe,cn=sysdb
createTimestamp: 1374775689
gidNumber: 0
homeDirectory: /home/adtest.qe/posixuser1
name: posixuser1@adtest.qe
objectClass: user
uidNumber: 10001
nameAlias: posixuser1@adtest.qe
userPrincipalName: posixuser1@ADTEST.QE
objectSIDString: S-1-5-21-3052441428-1084853364-590233633-1300
lastUpdate: 1374775689
dataExpireTimestamp: 1374811689
distinguishedName: name=posixuser1@adtest.qe,cn=users,cn=adtest.qe,cn=sysdb
# returned 1 records
# 1 entries
# 0 referrals
Expected results:
gidNumber should not be 0...and lookup should return passwd info.
Additional info:
Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/2032
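A check for the symptom reported above, as an added example that is not part of the original ticket or of SSSD's own code: it reads `ldbsearch` output and lists user records cached with `gidNumber: 0` next to a non-zero `uidNumber`. The function names and the second sample record are assumptions constructed for illustration; the first sample record reuses the values shown in the ticket.

```shell
#!/bin/sh
# Added example: flag sysdb user records cached with gidNumber 0.
# Reads ldbsearch output on stdin, prints "<name> uid=<uid> gid=<gid>" per hit.
find_gid0_users() {
    awk '
        function emit() {
            # Report user objects that have a real UID but GID 0
            if (is_user && gid == "0" && uid != "" && uid != "0")
                printf "%s uid=%s gid=%s\n", name, uid, gid
            name = uid = gid = ""; is_user = 0
        }
        /^# record / || /^$/ { emit(); next }   # record boundary
        /^#/                 { next }           # trailer lines ("# returned ...")
        /^name: /            { name = substr($0, 7) }
        /^uidNumber: /       { uid = $2 }
        /^gidNumber: /       { gid = $2 }
        /^objectClass: user$/ { is_user = 1 }
        END { emit() }
    '
}

# Constructed sample input: record 1 mirrors the ticket, record 2 is made up
# to show a correctly cached user that must not be reported.
sample_records() {
    cat <<'EOF'
asq: Unable to register control with rootdse!
# record 1
dn: name=posixuser1@adtest.qe,cn=users,cn=adtest.qe,cn=sysdb
gidNumber: 0
name: posixuser1@adtest.qe
objectClass: user
uidNumber: 10001

# record 2
dn: name=posixuser2@adtest.qe,cn=users,cn=adtest.qe,cn=sysdb
gidNumber: 10000
name: posixuser2@adtest.qe
objectClass: user
uidNumber: 10002

# returned 2 records
EOF
}

# Against a live cache (as root), using the path from the ticket:
#   ldbsearch -H /var/lib/sss/db/cache_ipa.spoore.test.ldb objectclass=user | find_gid0_users
sample_records | find_gid0_users
```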
Comments
Comment from jhrozek at 2013-07-25 21:07:11
Fields changed
blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
owner: somebody => jhrozek
review: True => 0
selected: =>
status: new => assigned
testsupdated: => 0
Comment from jhrozek at 2013-07-26 15:27:23
Fields changed
patch: 0 => 1
Comment from jhrozek at 2013-07-29 12:56:20
milestone: NEEDS_TRIAGE => SSSD 1.11 beta 3
resolution: => fixed
status: assigned => closed
Comment from jhrozek at 2017-02-24 14:49:42
Metadata Update from @jhrozek: