PowerScale - Users from external trusts are unable to authenticate to cluster when RFC2307 is enabled.
Summary: An Active Directory authentication provider is added to the cluster and RFC2307 is enabled. Users from one-way external trusts learned through this provider are unable to authenticate to the cluster. Trying to list or view users in this domain fails. ...
Symptoms
An Active Directory authentication provider is added to the cluster and RFC2307 is enabled.
Users from one-way external trusts learned through this provider are unable to authenticate to the cluster.
Trying to list or view users in this domain also fails.
To confirm this issue is present, check for the following.
1. The Active Directory authentication provider has RFC2307 enabled (SFU Support: rfc2307):
prod-2# isi auth ads list -v
Name: DOMAIN.COM
Machine Account: PROD$
Authentication: Yes
Groupnet: groupnet0
Status: online
Primary Domain: DOMAIN.COM
Forest: domain.com
Site: Default-First-Site-Name
NetBIOS Domain: DOMAIN
Hostname: prod.domain.com
Controller Time: 2023-06-16T10:14:06
Node DC Affinity: -
Node DC Affinity Timeout: -
NSS Enumeration: No
SFU Support: rfc2307
Store SFU Mappings: No
Ignore All Trusts: No
Ignored Trusted Domains: -
Include Trusted Domains: -
Extra Expected SPNs: -
Domain Offline Alerts: No
LDAP Sign And Seal: No
Lookup Users: Yes
Lookup Normalize Users: Yes
Allocate UIDs: Yes
Lookup Normalize Groups: Yes
Allocate GIDs: Yes
Lookup Domains: -
Lookup Groups: Yes
Assume Default Domain: No
Check Online Interval: 5m
Machine Password Changes: Yes
Machine Password Lifespan: 4W2D
Create Home Directory: No
Home Directory Template: /ifs/home/%D/%U
Unfindable Groups: -
Unfindable Users: -
Findable Groups: -
Findable Users: -
Restrict Findable: No
RPC Call Timeout: 1m
Server Retry Limit: 5
Login Shell: /bin/zsh
Creator Zone: System
2. The trust through which the affected users are learned must be seen as external from the cluster's perspective (Trust Mode: External Trust (ET)). This applies to both one-way and two-way trusts.
One-way external:
[Domain: DEV]
DNS Domain: dev.com
Netbios name: dev
Forest name:
Trustee DNS name: DOMAIN.COM
Client site name:
Domain SID: S-1-5-21-586728154-3739561872-3933139605
Domain GUID: 00000000-0000-0000-0000-000000000000
Trust Flags: [0x0002] [0x0002 - Outbound]
Trust type: Up Level
Trust Attributes: [0x0004] [0x0004 - Filter SIDs]
Trust Direction: Oneway Trust
Trust Mode: External Trust (ET)
Domain flags: [0x0000]
Two-way external:
[Domain: DEV]
DNS Domain: dev.com
Netbios name: dev
Forest name:
Trustee DNS name: DOMAIN.COM
Client site name:
Domain SID: S-1-5-21-586728154-3739561872-3933139605
Domain GUID: 00000000-0000-0000-0000-000000000000
Trust Flags: [0x0022] [0x0002 - Outbound] [0x0020 - Inbound]
Trust type: Up Level
Trust Attributes: [0x0004] [0x0004 - Filter SIDs]
Trust Direction: Twoway Trust
Trust Mode: External Trust (ET)
Domain flags: [0x0000]
3. The affected domain is "marked skip" in /var/log/lsassd.log (with lsassd logging at debug verbosity) when a user lookup is attempted:
2023-06-16T10:15:25.878038+00:00 <30.7> prod-2(id2) lsass[2798]: [lsass] DEBUG:0x803c3f810:File_FindUserObjectByName():lsass/server/auth-providers/file-provider/fpuser.c:224: Error code: 40017 (symbol: LW_ERROR_NOT_HANDLED)
2023-06-16T10:15:25.878347+00:00 <30.7> prod-2(id2) lsass[2798]: [lsass] DEBUG:0x803c3f810:LsaIsi_FindDomainByName():lsass/server/api/isiutil.c:4816: Error code: 40017 (symbol: LW_ERROR_NOT_HANDLED)
2023-06-16T10:15:25.878452+00:00 <30.7> prod-2(id2) lsass[2798]: [lsass] DEBUG:0x803c3f810:AD_FindObjects():lsass/server/auth-providers/ad-open-provider/provider-main.c:6453: Error code: 40017 (symbol: LW_ERROR_NOT_HANDLED)
2023-06-16T10:15:25.878521+00:00 <30.7> prod-2(id2) lsass[2798]: [lsass] DEBUG:0x803c3f810:LsaSrvIsLocalDomain():lsass/server/api/provider.c:243: Error code: 40017 (symbol: LW_ERROR_NOT_HANDLED)
2023-06-16T10:15:25.878581+00:00 <30.7> prod-2(id2) lsass[2798]: [lsass] DEBUG:0x803c3f810:LsaAdBatchCreateDomainEntry():lsass/server/auth-providers/ad-open-provider/batch.c:398: Trusted domain dev.com' is marked skip
Cause
When RFC2307 is enabled, the cluster must be able to query the global catalog of the provider through which the trust is learned, so that it can look up the RFC2307 attributes (UID, GID, and so on) for users in the trusted domain.
On an external trust relationship, the cluster lacks permission to do this because of the trust type, so lookups for users in that domain fail.
Resolution
A gconfig was added to OneFS 8.1.2 to allow users in external trusted domains where RFC2307 is enabled to authenticate to the cluster.
For two-way external trusts, clusters must be running OneFS version 8.1.2 or newer. Also, the following gconfig must be enabled:
registry.Services.lsass.Parameters.AdditionalFlags
This can be set as follows:
isi_gconfig registry.Services.lsass.Parameters.AdditionalFlags=1
For one-way external trusts, clusters must be running OneFS 9.5.0.4 or newer and the gconfig above must be enabled.
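The three checks in the Symptoms section and the version/gconfig mapping in the Resolution, combined into one script as an added example (this is not Dell's code). It parses constructed samples modelled on the `isi auth ads list -v` output, the trust output and the lsassd.log line shown above; the sample strings, the helper names and the diagnose() result layout are all assumptions of this example.

```python
import re

# Constructed sample modelled on the page's `isi auth ads list -v` output (trimmed).
ADS_LIST = """Name: DOMAIN.COM
SFU Support: rfc2307"""

# Constructed trust lines modelled on the page's one-way and two-way external trust output.
TRUST_ONE_WAY = ("[Domain: DEV] DNS Domain: dev.com Netbios name: dev Trust Flags: [0x0002] "
                 "[0x0002 - Outbound] Trust Direction: Oneway Trust Trust Mode: External Trust (ET) "
                 "Domain flags: [0x0000]")
TRUST_TWO_WAY = TRUST_ONE_WAY.replace("Oneway", "Twoway")

# Constructed lsassd.log excerpt modelled on the page's debug line (stray quote included).
LSASSD_LOG = ("2023-06-16T10:15:25.878581+00:00 <30.7> prod-2(id2) lsass[2798]: [lsass] DEBUG:"
              "LsaAdBatchCreateDomainEntry(): Trusted domain dev.com' is marked skip")

# Minimum OneFS version per trust direction and the gconfig, as stated in the Resolution.
MIN_ONEFS = {"Twoway": "8.1.2", "Oneway": "9.5.0.4"}
GCONFIG = "registry.Services.lsass.Parameters.AdditionalFlags=1"

def parse_ads_list(text):
    """Turn the 'Key: Value' lines of `isi auth ads list -v` into a dict."""
    return {k.strip(): v.strip() for k, v in
            (line.split(":", 1) for line in text.splitlines() if ":" in line)}

def parse_trust(line):
    """Pull the DNS name, direction and mode out of a single trust line."""
    fields = {}
    for key, pattern in (("dns", r"DNS Domain:\s*(\S+)"),
                         ("direction", r"Trust Direction:\s*(\w+)"),
                         ("mode", r"Trust Mode:\s*(.+?)\s+Domain flags")):
        m = re.search(pattern, line)
        fields[key] = m.group(1) if m else None
    return fields

def skipped_domains(log):
    """Domains lsassd reported as 'marked skip'; the quote after the name is optional."""
    return set(re.findall(r"Trusted domain '?([^']+?)'? is marked skip", log))

def diagnose(ads_text, trust_line, log_text):
    """Return None if this article's symptoms are absent, else the facts found and the fix."""
    ads = parse_ads_list(ads_text)
    trust = parse_trust(trust_line)
    if (ads.get("SFU Support") != "rfc2307"
            or not (trust["mode"] or "").startswith("External Trust")
            or trust["dns"] not in skipped_domains(log_text)):
        return None
    return {"domain": trust["dns"], "direction": trust["direction"],
            "min_onefs": MIN_ONEFS[trust["direction"]], "gconfig": GCONFIG}
```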