Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1441545 - With multiple subdomain sections id command output for user is not displayed for both domains
Summary: With multiple subdomain sections id command output for user is not displayed ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: SSSD Maintainers
QA Contact: Sudhir Menon
URL:
Whiteboard:
Depends On: 1435662
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-04-12 08:23 UTC by Sudhir Menon
Modified: 2020-05-04 11:01 UTC (History)
16 users (show)

Fixed In Version: sssd-1.15.2-31.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1435662
Environment:
Last Closed: 2017-08-01 09:04:18 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 4381 0 None None None 2020-05-04 11:01:11 UTC
Red Hat Product Errata RHEA-2017:2294 0 normal SHIPPED_LIVE sssd bug fix and enhancement update 2017-08-01 12:39:55 UTC

Comment 2 Sudhir Menon 2017-04-12 08:29:04 UTC
[root@master sssd]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-2202318585-426110948-4011710778
  Trust type: Active Directory domain
  UPN suffixes: pune.in
----------------------------
Number of entries returned 1
----------------------------

[root@master sssd]# id test1
uid=1261601512(test1) gid=1261601512(test1) groups=1261601512(test1),1261601621(group3),1261600513(domain users)

[root@master sssd]# id aduser1.qe
id: aduser1.qe: no such user

(Wed Apr 12 03:31:43 2017) [sssd[be[testrelm.test]]] [generic_ext_search_handler] (0x4000):     Ref: ldap://DomainDnsZones.chd.pne.qe/DC=DomainDnsZones,DC=chd,DC=pne,DC=qe
(Wed Apr 12 03:31:43 2017) [sssd[be[testrelm.test]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results.  <====
(Wed Apr 12 03:31:43 2017) [sssd[be[testrelm.test]]] [sdap_search_user_process] (0x2000): Retrieved total 0 users  <===

Comment 3 Sudhir Menon 2017-04-12 08:32:55 UTC
Tested on RHEL7.4 with 
ipa-server-4.5.0-5.el7.x86_64
sssd-1.15.2-12.el7.x86_64

Comment 11 Lukas Slebodnik 2017-05-02 11:12:29 UTC
master:
* 4c49edbd8df651b1737c59459637962c117212c6

Comment 13 Sudhir Menon 2017-05-03 10:48:49 UTC
Tested using sssd-1.15.2-21.el7.x86_64

Found that ldap_user_search_base is not set for sssd even after having them in the sssd.conf

[domain/testqe.test/pne.qe]
debug_level = 9
ad_server = win1.pne.qe
ldap_search_base = dc=pne,dc=qe
ldap_user_search_base = ou=marketing,dc=pne,dc=qe

[domain/testqe.test/ptb.qe]
debug_level = 9
ad_server = apache.ptb.qe
ldap_search_base = dc=ptb,dc=qe
ldap_user_search_base = ou=sales,dc=ptb,dc=qe

(Wed May  3 06:26:50 2017) [sssd[be[testrelm.test]]] [dp_get_options] (0x0400): Option ldap_user_search_base has no value

Comment 14 Jakub Hrozek 2017-05-22 08:01:03 UTC
Could you please retest this build with the latest build (sssd-1.15.2-31.el7) ?

Comment 15 Sudhir Menon 2017-05-22 18:02:43 UTC
Jakub,

I did verify using sssd-1.15.2-31.el7.x86_64 and the fix is seen.

sssd-common-pac-1.15.2-31.el7.x86_64
sssd-dbus-1.15.2-31.el7.x86_64
sssd-proxy-1.15.2-31.el7.x86_64
sssd-client-1.15.2-31.el7.x86_64
sssd-common-1.15.2-31.el7.x86_64
sssd-ad-1.15.2-31.el7.x86_64
sssd-1.15.2-31.el7.x86_64
python-sssdconfig-1.15.2-31.el7.noarch
sssd-krb5-common-1.15.2-31.el7.x86_64
sssd-ldap-1.15.2-31.el7.x86_64
sssd-krb5-1.15.2-31.el7.x86_64
sssd-ipa-1.15.2-31.el7.x86_64
ipa-server-4.5.0-13.el7.x86_64
krb5-server-1.15.1-8.el7.x86_64
pki-ca-10.4.1-4.el7.noarch
selinux-policy-3.13.1-151.el7.noarch


[root@master sssd]# ipa trust-find
----------------
2 trusts matched
----------------
  Realm name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-2202318585-426110948-4011710778
  Trust type: Active Directory domain
  UPN suffixes: test.qa, 

  Realm name: win2k16.test
  Domain NetBIOS name: WIN2K16
  Domain Security Identifier: S-1-5-21-1240829736-1212639629-1557025649
  Trust type: Active Directory domain
  UPN suffixes: abc.test
----------------------------
Number of entries returned 2
----------------------------

[domain/testqe.test/pne.qe]
debug_level = 9
ad_server = win1.pne.qe
ldap_search_base = dc=pne,dc=qe
ldap_user_search_base = ou=marketing,dc=pne,dc=qe

[domain/testqe.test/win2k16.test]
debug_level = 9
ad_server = win9.win2k16.test
ldap_search_base = dc=win2k16,dc=test
ldap_user_search_base = ou=sales,dc=win2k16,dc=test

[root@master sssd]# id test21
uid=1261601541(test21) gid=1261601541(test21) groups=1261601541(test21),1261600513(domain users)

[root@master sssd]# id test1
uid=1559401119(test1) gid=1559401119(test1) groups=1559401119(test1),1559400513(domain users

Comment 16 Jakub Hrozek 2017-05-23 06:58:06 UTC
Thank you for testing, in that case the fixes for https://bugzilla.redhat.com/show_bug.cgi?id=1446535 did help in this case, too.

I will attach the builds to the errata during today.

Comment 18 Sudhir Menon 2017-05-24 09:30:13 UTC
Marking the bug as VERIFIED

sssd-1.15.2-31.el7.x86_64
ipa-server-4.5.0-13.el7.x86_64
sssd-1.15.2-31.el7.x86_64
krb5-server-1.15.1-8.el7.x86_64
pki-server-10.4.1-4.el7.noarch
selinux-policy-3.13.1-151.el7.noarch

Comment 19 errata-xmlrpc 2017-08-01 09:04:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294


Note You need to log in before you can comment on or make changes to this bug.