
sssd is skipping GPO evaluation with auto_private_groups #7451

Status: Closed
Assignees: sumit-bose
Labels: Bugzilla, Closed: Fixed (issue was closed as fixed)

Comments

@sumit-bose (Contributor)

This issue is cloned from https://issues.redhat.com/browse/RHEL-41047

What were you trying to do that didn't work?
* AD login is not working due to GPO on RHEL 8.10 with `sssd-2.9.4-3.el8_10.x86_64`
* With `sssd-2.9.4-3.el8_10.x86_64` sssd does not reach GPO evaluation when auto_private_groups is enabled

Please provide the package NVR for which the bug is seen:
sssd-2.9.4-3.el8_10.x86_64

How reproducible:
Steps to reproduce:
1. Update the system to RHEL 8.9 or 8.10
2. Integrate the system with AD
3. Set a GPO policy in AD
4. Set `auto_private_groups = true` in sssd.conf

Additionally it should be mentioned that UIDs and GIDs should be read from AD, i.e. `ldap_id_mapping = False`.
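The combination described in the steps above (an AD domain with `ldap_id_mapping = False`, `auto_private_groups = true` and GPO-based access control left enabled) is easy to check for across a fleet. The script below is an added example written for this page, not code from the issue or from the SSSD project: it scans an sssd.conf and prints every `[domain/...]` section that matches that combination. It assumes the usual INI layout of sssd.conf, compares keys and values case-insensitively, and treats a missing `ad_gpo_access_control` as "GPO evaluation not disabled" (the script does not try to reproduce SSSD's actual default). The sample configuration embedded in it is constructed for the example; only `auto_private_groups = true` is flagged, `hybrid` is deliberately not covered.

```shell
#!/bin/sh
# Added example (not part of the SSSD issue or project).
# Prints, one per line, each [domain/NAME] section of an sssd.conf that sets
# ldap_id_mapping = false and auto_private_groups = true while GPO access
# control is not explicitly disabled. Assumption: a missing
# ad_gpo_access_control key is treated as "not disabled".
sssd_conf_trigger_domains() {
    awk '
        function flush() {
            if (dom != "" && idmap == "false" && apg == "true" && gpo != "disabled")
                print dom
        }
        # [section] header: report the previous domain, then reset state.
        /^[ \t]*\[/ {
            flush()
            dom = ""; idmap = ""; apg = ""; gpo = ""
            line = $0
            sub(/^[ \t]*\[/, "", line); sub(/\][ \t]*$/, "", line)
            if (line ~ /^domain\//) dom = substr(line, 8)
            next
        }
        # Skip blank lines and comments (# or ;).
        /^[ \t]*([#;]|$)/ { next }
        # key = value, trimmed and lower-cased for comparison.
        /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            key = tolower(key); val = tolower(val)
            if (key == "ldap_id_mapping") idmap = val
            else if (key == "auto_private_groups") apg = val
            else if (key == "ad_gpo_access_control") gpo = val
        }
        END { flush() }
    ' "$1"
}

# Constructed sample sssd.conf modelled on the steps to reproduce:
# example.test matches the reported setup, other.test does not because it
# maps IDs from SIDs instead of reading uidNumber/gidNumber from AD.
write_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
domains = example.test, other.test
services = nss, pam

[domain/example.test]
id_provider = ad
access_provider = ad
; UIDs/GIDs are read from AD attributes, not derived from SIDs
ldap_id_mapping = False
auto_private_groups = true
ad_gpo_access_control = enforcing

[domain/other.test]
id_provider = ad
access_provider = ad
ldap_id_mapping = True
auto_private_groups = true
EOF
}

# Stand-alone run: check the file given as $1, else the constructed sample.
if [ -n "$1" ]; then
    sssd_conf_trigger_domains "$1"
else
    sample=$(mktemp)
    write_sample_conf "$sample"
    sssd_conf_trigger_domains "$sample"
    rm -f "$sample"
fi
```

Run it as `sh check.sh /etc/sssd/sssd.conf` on each host; an empty result means no domain section combines the three settings. A hit only says the host is configured the way the report describes, it does not prove the host is on an affected sssd build.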

@sumit-bose sumit-bose self-assigned this Jun 20, 2024
sumit-bose added a commit to sumit-bose/sssd that referenced this issue Jun 20, 2024
SSSD does not handle the root user (UID==0) and treats all accounts with
UID 0 as non-Posix accounts. The primary GID of those accounts is 0 as
well and as a result for those accounts in MPG domains the check for
collisions of the primary GID should be skipped. The current code might
e.g. cause issues during GPO evaluation when adding a host account into
the cache which does not have any UID or GID set in AD and SSSD is
configured to read UID and GID from AD.

Resolves: SSSD#7451
alexey-tikhonov pushed a commit that referenced this issue Jun 21, 2024
(commit message identical to the one above)

Resolves: #7451

Reviewed-by: Alejandro López <[email protected]>
Reviewed-by: Tomáš Halman <[email protected]>
(cherry picked from commit 986bb72)
@alexey-tikhonov (Member)

Pushed PR: #7452

  • master
    • 986bb72 - sysdb: do not fail to add non-posix user to MPG domain
  • sssd-2-9
    • d234cf5 - sysdb: do not fail to add non-posix user to MPG domain

@alexey-tikhonov alexey-tikhonov added the Closed: Fixed Issue was closed as fixed. label Jun 21, 2024
alexey-tikhonov pushed a commit to alexey-tikhonov/sssd that referenced this issue Nov 19, 2024
(commit message identical to the one above)

Resolves: SSSD#7451

Reviewed-by: Alejandro López <[email protected]>
Reviewed-by: Tomáš Halman <[email protected]>
(cherry picked from commit 986bb72)
(cherry picked from commit d234cf5)
alexey-tikhonov pushed a commit that referenced this issue Nov 21, 2024
(commit message identical to the one above)

Resolves: #7451

Reviewed-by: Alejandro López <[email protected]>
Reviewed-by: Tomáš Halman <[email protected]>
(cherry picked from commit 986bb72)
(cherry picked from commit d234cf5)

Reviewed-by: Justin Stephenson <[email protected]>
@alexey-tikhonov (Member)

Pushed PR: #7706

  • sssd-2-9-4
    • aa81ab0 - DEBUG: reduce log level in case a responder asks for unknown domain
    • acd5da5 - ldap: add 'exop_force' value for ldap_pwmodify_mode
    • 0e86f1a - sysdb: do not fail to add non-posix user to MPG domain
    • 9ff2e55 - ad: use default user_map when looking of host groups for GPO
    • ebbde00 - sdap: allow to provide user_map when looking up group memberships
