View Issue Details

ID: 0014867
Project: CentOS-7
Category: sssd
View Status: public
Last Update: 2018-05-25 22:21
Reporter: saad.rahim
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Product Version: 7.5.1804
Target Version:
Fixed in Version:
Summary: 0014867: SSSD AD gid incorrect for other domain in computer joined to ad in multi domain single forest environment
Description: Our company has a single AD forest with one main domain, Acceleware.local, and one subdomain, axe.acceleware.com. A server joined to the main domain with sssd will enumerate the correct user gid for users belonging to the main domain but incorrect for users of the subdomain. A server joined to the subdomain will enumerate the correct gid for users in its subdomain. A server joined to the subdomain will enumerate the incorrect gid for users in the primary domain. Those users' gid is equal to the uid. Group enumeration is correct only for users in the domain that the computer is joined to.
Steps To Reproduce: Create AD Primary Domain with IDMU schema extensions (not used but cannot be deleted, reverted anymore)
Create AD Subdomain in the same forest without IDMU schema extensions.
Create one test user on each domain


join server to primary domain with

On computer on primary domain run:
 realm join primarydomain -U admin
id user.primary.domain
uid=560209639(cong.pham@Acceleware.local) gid=560200513(domain users@Acceleware.local) groups=560200513(domain users@Acceleware.local),560204648(axutilitybeltdev@Acceleware.local),560206168(axhydradev@Acceleware.local),560204646(axfdtd@Acceleware.local),560204623(axwiki@Acceleware.local),560204630(axseismic@Acceleware.local)
id user.secondary.domain
uid=1515801133(adminsam@axe.acceleware.com) gid=1515801133(adminsam@axe.acceleware.com) groups=1515801133(adminsam@axe.acceleware.com),1515800513(domain users@axe.acceleware.com),1515800512(domain admins@axe.acceleware.com)

gid and uid are the same for the user on the secondary domain. gid and uid are as expected for the user on the primary domain (the domain the server is joined to).

join server to secondary domain
realm join secondarydomain -U admin
id user.primary.domain
uid=560209639(cong.pham@Acceleware.local) gid=560209639(cong.pham@Acceleware.local) groups=560209639(cong.pham@Acceleware.local),560204648(axutilitybeltdev@Acceleware.local),560206168(axhydradev@Acceleware.local),560204646(axfdtd@Acceleware.local),560204623(axwiki@Acceleware.local),560200513(domain users@Acceleware.local),560204630(axseismic@Acceleware.local)
id user.secondary.domain
uid=1515801133(adminsam@axe.acceleware.com) gid=1515800513(domain users@axe.acceleware.com) groups=1515800513(domain users@axe.acceleware.com),1515800572(denied rodc password replication group@axe.acceleware.com),1515800512(domain admins@axe.acceleware.com)

gid and uid are correct for the user on the secondary domain (the domain this server is joined to). gid and uid match for the user on the primary domain.
Additional Information:
sssd-common-pac-1.16.0-19.el7.x86_64
sssd-krb5-1.16.0-19.el7.x86_64
sssd-common-1.16.0-19.el7.x86_64
sssd-ad-1.16.0-19.el7.x86_64
sssd-1.16.0-19.el7.x86_64
sssd-ipa-1.16.0-19.el7.x86_64
sssd-proxy-1.16.0-19.el7.x86_64
python-sssdconfig-1.16.0-19.el7.noarch
sssd-ldap-1.16.0-19.el7.x86_64
sssd-krb5-common-1.16.0-19.el7.x86_64
sssd-client-1.16.0-19.el7.x86_64
realmd-0.16.1-9.el7.x86_64

samba-libs-4.7.1-6.el7.x86_64
samba-common-libs-4.7.1-6.el7.x86_64
samba-common-4.7.1-6.el7.noarch
samba-client-libs-4.7.1-6.el7.x86_64
samba-common-tools-4.7.1-6.el7.x86_64
Tags: No tags attached.
abrt_hash:
URL:

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2018-05-25 22:21 saad.rahim New Issue
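
Added example, not part of the original report: a check that parses `id` output and flags accounts whose primary gid mirrors their own uid, the symptom described above, which matters because the primary gid decides group ownership of files the user creates. The sample lines reuse values from the report with the group lists abridged; the function and variable names are hypothetical.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Shape of one `id <user>` line: uid=N(name) gid=N(name) groups=N(name),...
_LINE = re.compile(r"uid=(\d+)\(([^)]*)\) gid=(\d+)\(([^)]*)\) groups=(.*)")
_PAIR = re.compile(r"(\d+)\(([^)]*)\)")  # names may contain spaces and '@'

class IdEntry(NamedTuple):
    uid: int
    user: str
    gid: int
    primary_group: str
    groups: Dict[int, str]

def parse_id(line: str) -> IdEntry:
    """Parse one line of `id <user>` output into its numeric ids and names."""
    m = _LINE.fullmatch(line.strip())
    if m is None:
        raise ValueError(f"not an id(1) output line: {line!r}")
    groups = {int(n): name for n, name in _PAIR.findall(m.group(5))}
    return IdEntry(int(m.group(1)), m.group(2), int(m.group(3)), m.group(4), groups)

def gid_mirrors_uid(e: IdEntry) -> bool:
    """True when the primary group is the user's own uid and name."""
    return e.gid == e.uid and e.primary_group == e.user

def audit(lines: List[str]) -> List[Tuple[str, bool]]:
    return [(e.user, gid_mirrors_uid(e)) for e in map(parse_id, lines)]

# Values from the report's `id` output; group lists abridged.
JOINED_TO_PRIMARY = [
    "uid=560209639(cong.pham@Acceleware.local) gid=560200513(domain users@Acceleware.local) "
    "groups=560200513(domain users@Acceleware.local),560204646(axfdtd@Acceleware.local)",
    "uid=1515801133(adminsam@axe.acceleware.com) gid=1515801133(adminsam@axe.acceleware.com) "
    "groups=1515801133(adminsam@axe.acceleware.com),1515800513(domain users@axe.acceleware.com)",
]
JOINED_TO_SECONDARY = [
    "uid=560209639(cong.pham@Acceleware.local) gid=560209639(cong.pham@Acceleware.local) "
    "groups=560209639(cong.pham@Acceleware.local),560200513(domain users@Acceleware.local)",
    "uid=1515801133(adminsam@axe.acceleware.com) gid=1515800513(domain users@axe.acceleware.com) "
    "groups=1515800513(domain users@axe.acceleware.com),1515800512(domain admins@axe.acceleware.com)",
]

if __name__ == "__main__":
    for host, lines in (("primary", JOINED_TO_PRIMARY), ("secondary", JOINED_TO_SECONDARY)):
        print(host, audit(lines))
```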