Upstream ticket:
https://fedorahosted.org/sssd/ticket/2436

Discussed at 2014-09-10 freeze exception review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2014-09-10/f21-blocker-review.2014-09-10-16.07.log.txt . We agreed to punt on this one for now, as we need to see how sensitive the fix is, and it'd also be good to have a more solid idea of the practical consequences of the bug (I was too busy working out the cause to take time to find out what it could actually break).

New testing indicates this is actually a regression in https://admin.fedoraproject.org/updates/FEDORA-2014-10547/sssd-1.12.1-1.fc21 so far as F21 is concerned, so does not need FE status as that update is in u-t.

Please note that we need 1.12.1+fix for this bug in F21 beta to allow proper functioning of FreeIPA clients against FreeIPA 4.0.3 server. The fixes in SSSD 1.12.1 are important for AD trust integration (cross-domain group members support) and operation against FreeIPA LDAP server with tightened ACIs (default in FreeIPA 4.0).

Proposed as a Blocker for 21-alpha by Fedora user sgallagh using the blocker tracking app because:

 "It must be possible to join the system to a FreeIPA or Active Directory domain at install time and post-install, and the system must respect the identity, authentication and access control configuration provided by the domain."

According to the most recent comment on that BZ: "Please note that we need 1.12.1+fix for this bug in F21 beta to allow proper functioning of FreeIPA clients against FreeIPA 4.0.3 server. The fixes in SSSD 1.12.1 are important for AD trust integration (cross-domain group members support) and operation against FreeIPA LDAP server with tightened ACIs (default in FreeIPA 4.0)."

I misunderstood the issue. It has been explained to me thusly:

(03:32:37 PM) ab: 1. SSSD < 1.12.1 will not work against trusted AD forests where there are users are members of groups from different domains. This is fixed in 1.12.1 but will not prevent pure Linux environment.
(03:33:23 PM) ab: 2. SSSD 1.12.1 fails against FreeIPA <= 4.0.2 as per 1139962


1.12.0 is currently in the stable repositories (for Alpha). This means it will have a bug in limited cases when in AD trust, but this is not a blocker. However, the updates-testing version 1.12.1 has a bug that must be fixed before we ship Beta. Updating the Blocker status accordingly.

The patch has been acked on the sssd-devel list. We've been running the Red Hat QE test suite on packages that include the fix to make sure we didn't regress again -- however, the RH internal test bed (beaker) wasn't too stable on Thu and Fri. So we reverted to running the tests semi-manually on a reserved test machines, which takes time.

I plan on pushing the patch on Monday at the latest.

    master:
        6f91c61426c8cfbfec52d5e77ae4650007694e69
        7ba70236daccb48432350147d0560b3302518cee 
    sssd-1-11:
        cfa74fcb5f6ba23f41a9ddaa76c3ebae6156da86
        9e99c000a4e2647328e71b4db272b4b73a7189c5

sssd-1.12.1-2.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/FEDORA-2014-10547/sssd-1.12.1-2.fc21

Package sssd-1.12.1-2.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.12.1-2.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-10547/sssd-1.12.1-2.fc21
then log in and leave karma (feedback).

sssd-1.12.1-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.