  1. RHEL
  2. RHEL-61619

If a group has members from both AD subtrees/sssd domain connections, only members which are part of the first connection show up, but need to see all members.

    • Bug
    • Resolution: Won't Do
    • rhel-8.10
    • sssd
    • No
    • Moderate
    • rhel-sst-idm-sssd
    • ssg_idm
    • 2
    • False

      What were you trying to do that didn't work?

      There are EXP.PSI.CH and D.PSI.CH domain connections present in the /etc/sssd/sssd.conf file, both pointing to the same AD domain "D.PSI.CH".

      Each domain connection uses a different user subtree of the same AD, and each needs a separate "override_homedir" setting; that is the actual reason for having two domain connections to the same domain.

      Each domain connection uses the same groups from the same AD. 

      If a group has members from both AD subtrees/sssd domain connections, only members who are part of the first connection show up, but we need to see all members.

      The exp.psi.ch domain is not real; it is backed by the same d.psi.ch AD domain, just selecting other users.

      What is the impact of this issue to you? 

      Listing the members of group p21996 misses the user dorigo_a.

      Please provide the package NVR for which the bug is seen:

      sssd-2.9.4-4.el8_10.x86_64

      Expected results

      Members of group p21996 should see the user dorigo_a.

      Actual results

      [root@lxdev01 ~]# vi /etc/sssd/sssd.conf 
      [root@lxdev01 ~]# systemctl restart sssd
      [root@lxdev01 ~]# sss_cache -E 

      [root@lxdev01 ~]# date ; getent group p21996; date
      Do Aug 29 14:28:45 CEST 2024
      p21996:*:21996:e21996
      Do Aug 29 14:28:45 CEST 2024

      [root@lxdev01 ~]# date ; id dorigo_a; date
      Do Aug 29 14:29:05 CEST 2024
      uid=38476(dorigo_a) gid=840(unx-ait) groups=840(unx-ait),35415(unx-hpc_containers),9998(svc-wireless_corp),35163(unx-photonics_adm),35027(svc-cluster_ra),35503(svc-vpn_strong),35150(svc-wmgt_users),35596(unx-lx_support),9133(unx-puppet_usr),35035(svc-hopsshpsi),35437(unx-gfa_users),35518(unx-gw_saresa),35519(unx-gw_saresb),35520(unx-gw_saresc),35521(unx-gw_satese),35522(unx-gw_satesf),35147(svc-afs_home),35170(unx-daas_adm),35530(unx-gw_x02da),35538(unx-gw_x06da),35539(unx-gw_x06sa),35547(unx-gw_x10sa),35550(unx-gw_xblcn),35597(unx-lx_users),35034(svc-data_ra),35154(unx-hpc_adm),35565(unx-dc_adm),35146(svc-afs),16582(p16582),17502(p17502),18163(p18163),18493(p18493),18539(p18539),19262(p19262),20073(p20073),21244(p21244),21924(p21924),21981(p21981),21996(p21996),35188(SARESB),35184(SARESA)
      Do Aug 29 14:29:10 CEST 2024

      [root@lxdev01 ~]# date ; getent passwd -s sss dorigo_a; date
      Do Aug 29 14:29:30 CEST 2024
      dorigo_a:*:38476:840:Dorigo Alvise:/home/dorigo_a:/bin/bash

      Listing the members of group p21996 misses the user dorigo_a.

       

      Do we have sssd supporting something like the following configuration:


      Match !group unx-lx_experiment_users
          override_homedir = /home/%u


      so we can have different settings for different types of users.

              aboscatt@redhat.com Andre Boscatto
              rhn-support-sjawale Shradha Jawale
              SSSD Maintainers
              SSSD QE
              Louise McGarry
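A cross-check for the symptom reported above, added here as an example and not part of the ticket or of SSSD: it compares the member list from `getent group` with the groups each user's `id` output reports, and prints the users that the group enumeration misses. The function names are hypothetical, the dorigo_a line is abridged from the ticket's output, and the other two `id` lines are constructed.

```shell
#!/bin/sh
# Added example, not from the ticket. Function names are hypothetical.

# Print the member list (field 4) of one `getent group` line, one name per line.
members_of_group_line() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | sed '/^$/d'
}

# Succeed if one line of `id` output lists GID $2 under gid= or groups=.
# The uid= field is dropped first so a UID equal to the GID cannot match.
id_lists_gid() {
    printf '%s\n' "$1" | sed 's/^uid=[^ ]* *//' | tr ' ,=' '\n\n\n' | grep -q "^$2("
}

# Read `id` output lines on stdin; print every user whose `id` output lists the
# group's GID but who is absent from the `getent group` line given as $1.
missing_members() (
    gid=$(printf '%s\n' "$1" | cut -d: -f3)
    members=$(members_of_group_line "$1")
    while IFS= read -r id_line; do
        user=$(printf '%s\n' "$id_line" | sed -n 's/^uid=[0-9]*(\([^)]*\)).*/\1/p')
        [ -n "$user" ] || continue
        id_lists_gid "$id_line" "$gid" || continue
        printf '%s\n' "$members" | grep -qxF -- "$user" || printf '%s\n' "$user"
    done
)

# Group line as shown in the ticket.
SAMPLE_GROUP_LINE='p21996:*:21996:e21996'
# First line abridged from the ticket's `id dorigo_a` output; the other two
# lines are constructed for illustration.
SAMPLE_IDS='uid=38476(dorigo_a) gid=840(unx-ait) groups=840(unx-ait),21981(p21981),21996(p21996),35188(SARESB)
uid=50001(e21996) gid=21996(p21996) groups=21996(p21996)
uid=50002(other_u) gid=840(unx-ait) groups=840(unx-ait),121996(p121996)'

# Offline run over the sample data; prints: dorigo_a
printf '%s\n' "$SAMPLE_IDS" | missing_members "$SAMPLE_GROUP_LINE"

# On a live host (the user list is yours to supply):
#   for u in dorigo_a e21996; do id "$u"; done | missing_members "$(getent group p21996)"
```

Any name it prints is a user whose membership resolves at login but is invisible to tools that rely on group enumeration, such as access reviews built on `getent group`.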