Subdomains are not discovered if they are not in the TreeRoot #4480

Closed

sssd-bot opened this issue May 2, 2020 · 0 comments

sssd-bot commented May 2, 2020

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/3453

  • Created at 2017-07-20 17:12:37 by sjeanjean
  • Closed at 2017-08-23 22:53:58 as duplicate
  • Assigned to nobody

Our Active Directory forest is named bc1.com.
We have three domains: bc1.com, bouygues-construction.com and bycn.bouygues-construction.com.
bycn.bouygues-construction.com is the child domain.
SSSD discovers only the domains bc1.com and bouygues-construction.com:
# sssctl domain-list
bouygues-construction.com
bc1.com
bouygues.com <---- external domain

OS: CentOS 7.3
SSSD version: 1.14.0

sssd.conf:
[sssd]
domains = bouygues-construction.com,
config_file_version = 2
services = nss, pam, ifp

[domain/bouygues-construction.com]
ad_domain = bouygues-construction.com
krb5_realm = BOUYGUES-CONSTRUCTION.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

None of the users in the child domain can be used.
The users in the parent domain work as expected.
# getent passwd s.jeanjean@bycn.bouygues-construction.com
# su - s.jeanjean@bycn.bouygues-construction.com
su: user s.jeanjean@bycn.bouygues-construction.com does not exist

bc1.com is our legacy domain and doesn't contain any users.

Comments


Comment from jhrozek at 2017-07-20 17:26:14

Please follow https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html and https://docs.pagure.org/SSSD.sssd/users/reporting_bugs.html; it's otherwise impossible to help you.


Comment from sjeanjean at 2017-07-20 17:42:21

And the log with debug_level = 9:

sssd_bouygues-construction.com.log


Comment from jhrozek at 2017-07-20 21:35:44

So apart from the joined domain sssd was able to discover also these domains:
(Thu Jul 20 17:37:33 2017) [sssd[be[bouygues-construction.com]]] [sdap_domain_subdom_add] (0x0400): subdomain bc1.com is a new one, will create a new sdap domain object
(Thu Jul 20 17:37:33 2017) [sssd[be[bouygues-construction.com]]] [sdap_domain_subdom_add] (0x0400): subdomain bouygues.com is a new one, will create a new sdap domain object

But not bycn.bouygues-construction.com.

It might be a bug (which I can't find now) where we fail to find 'subsubdomains'. What is the relationship of the domains in your forest?


Comment from sjeanjean at 2017-07-21 09:18:45

bc1.com has an External trust with bouygues.com and a TreeRoot trust with bouygues-construction.com.
bouygues-construction.com has a TreeRoot trust with bc1.com, an External trust with bouygues.com and a Child trust with bycn.bouygues-construction.com.
bycn.bouygues-construction.com has an External trust with bouygues.com and a Parent trust with bouygues-construction.com.

In the log, I see that the request to discover the subdomains is:
ldapsearch -x -LLL -E pr=200/noprompt -h bc1ssys206.bc1.com -p 389 -b "dc=bc1,dc=com" -s sub "(&(objectclass=trustedDomain)(trustType=2)(!(msDS-TrustForestTrustInfo=*)))" | grep name
name: bouygues-construction.com
name: bouygues.com
If I do the same request on the bouygues-construction.com domain instead of bc1.com, I get the correct result:
ldapsearch -x -LLL -E pr=200/noprompt -h bcnvsys001.bouygues-construction.com -p 389 -b "dc=bouygues-construction,dc=com" -s sub "(&(objectclass=trustedDomain)(trustType=2)(!(msDS-TrustForestTrustInfo=*)))" | grep name
name: bycn.bouygues-construction.com
name: bouygues.com
name: bc1.com
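
The difference between the two searches above can be reproduced offline. The following is an added example, not SSSD code: it models the forest described in this thread as constructed trustedDomain entries (attribute encodings follow MS-ADTS: trustType 2 is an uplevel AD domain, trustAttributes 0x20 marks a within-forest trust, 0x4 a quarantined external trust, and msDS-TrustForestTrustInfo is only set on forest trusts), evaluates the exact filter from the ldapsearch against each naming context, and contrasts that single query with a transitive walk of within-forest trusts. The DIRECTORY contents and the `discover`/`walk_forest` helpers are assumptions for illustration; nothing here contacts a real directory.

```python
"""Model of the trusted-domain query quoted in the comment above.

Added example, not SSSD code. The directory content is constructed from the
forest described in this thread; attribute encodings follow MS-ADTS
(trustType 2 = uplevel AD domain; trustAttributes 0x20 = within forest,
0x4 = quarantined/external). Nothing here contacts a real directory.
"""

TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4
TRUST_ATTRIBUTE_WITHIN_FOREST = 0x20


def trust(name, attrs, forest_info=False):
    """Build one constructed trustedDomain entry."""
    entry = {"objectclass": ["top", "leaf", "trustedDomain"],
             "name": name, "trustType": 2, "trustAttributes": attrs}
    if forest_info:  # only forest trusts carry this attribute
        entry["msDS-TrustForestTrustInfo"] = b"<constructed blob>"
    return entry


# Constructed: the trustedDomain objects each domain's naming context returns,
# per the trust relationships listed in the comment above.
DIRECTORY = {
    "bc1.com": [
        trust("bouygues-construction.com", TRUST_ATTRIBUTE_WITHIN_FOREST),
        trust("bouygues.com", TRUST_ATTRIBUTE_QUARANTINED_DOMAIN),
    ],
    "bouygues-construction.com": [
        trust("bc1.com", TRUST_ATTRIBUTE_WITHIN_FOREST),
        trust("bycn.bouygues-construction.com", TRUST_ATTRIBUTE_WITHIN_FOREST),
        trust("bouygues.com", TRUST_ATTRIBUTE_QUARANTINED_DOMAIN),
    ],
    "bycn.bouygues-construction.com": [
        trust("bouygues-construction.com", TRUST_ATTRIBUTE_WITHIN_FOREST),
        trust("bouygues.com", TRUST_ATTRIBUTE_QUARANTINED_DOMAIN),
    ],
}


def matches_sssd_filter(entry):
    """Evaluate (&(objectclass=trustedDomain)(trustType=2)
    (!(msDS-TrustForestTrustInfo=*))) against one entry."""
    return ("trustedDomain" in entry["objectclass"]
            and entry["trustType"] == 2
            and "msDS-TrustForestTrustInfo" not in entry)


def discover(base):
    """One search against `base`, like the ldapsearch quoted in the comment."""
    return {e["name"] for e in DIRECTORY.get(base, []) if matches_sssd_filter(e)}


def walk_forest(start):
    """Follow within-forest trusts transitively from `start`: what a
    multi-level walk would have to do (the thread says SSSD does not)."""
    seen, queue = {start}, [start]
    while queue:
        base = queue.pop()
        for e in DIRECTORY.get(base, []):
            if e["trustAttributes"] & TRUST_ATTRIBUTE_WITHIN_FOREST and e["name"] not in seen:
                seen.add(e["name"])
                queue.append(e["name"])
    return seen


def undiscovered_forest_members(queried_base):
    """Forest domains that a single query against `queried_base` never returns."""
    return walk_forest(queried_base) - discover(queried_base) - {queried_base}


if __name__ == "__main__":
    print("query against forest root:", sorted(discover("bc1.com")))
    print("query against joined domain:", sorted(discover("bouygues-construction.com")))
    print("forest members missed by the root query:",
          sorted(undiscovered_forest_members("bc1.com")))
```

Querying the forest root returns exactly the two names shown in the log, and `undiscovered_forest_members("bc1.com")` isolates the child domain that only the joined domain's naming context lists.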


Comment from jhrozek at 2017-08-17 11:52:43

First, I'm sorry this ticket has stalled for such a long time.

Nonetheless, I think SSSD currently doesn't support your use case. From your description, I think your setup is a variant of what is already described in https://pagure.io/SSSD/sssd/issue/2763.

Sorry about that. I think just defining a separate [domain] section for bycn.bouygues-construction.com should work, even with the same keytab since the domains trust each other.


Comment from jhrozek at 2017-08-17 11:53:11

So if you agree, I would prefer to close this ticket as a duplicate of issue #2763.


Comment from jhrozek at 2017-08-23 22:54:03

Metadata Update from @jhrozek:

  • Issue close_status updated to: duplicate
  • Issue status updated to: Closed (was: Open)

Comment from sjeanjean at 2017-10-02 15:40:29

The proposed workaround doesn't work.
The ad backend for bycn.bouygues-construction.com cannot connect to the Active Directory.
The problem seems to be in [find_principal_in_keytab]. The code is looking for a principal matching TESTVM$@BYCN.BOUYGUES-CONSTRUCTION.COM, which doesn't exist. The principal is TESTVM$@BOUYGUES-CONSTRUCTION.COM.
The secondary backend is not connected and so doesn't work.
I also think that this workaround will cause problems when the two backends try to renew the same machine account password.
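
The keytab mismatch described in this comment is easy to check before adding a second [domain] section. The script below is an added example, not SSSD code: it parses `klist -k` output (a constructed sample for the TESTVM host is embedded; pipe real output on stdin instead) and reports, for each realm a [domain] section would use, whether the `<HOSTNAME>$@<REALM>` candidate named in the comment exists. The helper names and the sample keytab contents are assumptions; the script checks only that one candidate form, not every form SSSD may try.

```python
import re

# Constructed `klist -k` output for the host named in the comment above
# (TESTVM, joined to BOUYGUES-CONSTRUCTION.COM). Not real output from that host.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 TESTVM$@BOUYGUES-CONSTRUCTION.COM
   3 host/testvm.bouygues-construction.com@BOUYGUES-CONSTRUCTION.COM
   3 host/TESTVM@BOUYGUES-CONSTRUCTION.COM
"""

# One keytab entry line: a key version number followed by the principal.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_klist(output):
    """Return [(kvno, principal), ...] from `klist -k` text; header lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def machine_principal(entries, hostname, realm):
    """Look for the candidate the comment names: <HOSTNAME>$@<REALM>.
    Returns the matching principal, or None when the keytab lacks it."""
    wanted = f"{hostname.upper()}$@{realm.upper()}"
    return next((p for _, p in entries if p == wanted), None)


def check_realms(output, hostname, realms):
    """Map each realm a [domain] section would use to the principal found for it."""
    entries = parse_klist(output)
    return {realm: machine_principal(entries, hostname, realm) for realm in realms}


if __name__ == "__main__":
    import sys
    # Use real `klist -k` output when piped in; fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else KLIST_OUTPUT
    realms = ["BOUYGUES-CONSTRUCTION.COM", "BYCN.BOUYGUES-CONSTRUCTION.COM"]
    for realm, principal in check_realms(text, "testvm", realms).items():
        print(f"{realm}: {principal or 'NO MACHINE PRINCIPAL'}")
```

With the sample keytab, the joined realm resolves to TESTVM$@BOUYGUES-CONSTRUCTION.COM and the child realm resolves to nothing, which is the condition the comment reports for the second backend.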


Comment from sjeanjean at 2017-10-02 15:43:05

I have another question: when SSSD discovers domains, how deep does it follow the trust relationships?
If we have a child of a child (tree level), does it work?


Comment from jhrozek at 2017-10-02 15:56:40

No, currently multiple subdomain levels are not supported either.
