Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1118257
Description of problem:
Users from IPA groups, added to netgroups are not resolvable.

Version-Release number of selected component (if applicable):
ipa-server-3.3.3-28.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Create a group and add users to that group
2. Create a netgroup
3. Add the group as a member of the netgroup
4. Add a user as a member of the netgroup
5. Do getent for that netgroup

[root@hp-ms-01-c40 ~]# ipa group-add testgrp --desc="test group"
---------------------
Added group "testgrp"
---------------------
Group name: testgrp
Description: test group
GID: 1945600012

[root@hp-ms-01-c40 ~]# ipa group-add-member --users={user1,user2} testgrp
Group name: testgrp
Description: test group
GID: 1945600012
Member users: user1, user2
-------------------------
Number of members added 2
-------------------------

[root@hp-ms-01-c40 ~]# ipa netgroup-add-member --group testgrp ng001
Netgroup name: ng001
Description: testing ng
NIS domain name: steeve06171722.test
Host category: all
Member User: ipahttpuser1
Member Group: testgrp
-------------------------
Number of members added 1
-------------------------

[root@hp-ms-01-c40 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service

Actual results:
[root@hp-ms-01-c40 ~]# getent netgroup ng001
ng001 (-,ipahttpuser1,steeve06171722.test)

Expected results:
[root@ibm-x3650m4 ~]# getent netgroup ng001
ng001 ( , ipahttpuser1, steeve06171722.test) ( , user1, steeve06171722.test) ( , user2, steeve06171722.test)

Additional info:
FreeIPA 4.0.1 was released, moving to next bugfixing release milestone.
This is caused by a bug in SSSD, it does not handle nesting in netgroups, see https://fedorahosted.org/sssd/ticket/2275.
Related SSSD ticket/Bugzilla was moved post SSSD 1.12, thus moving to later release to reflect it.
During processing of remaining tickets in 4.2 Backlog, this ticket was found as suitable to be fixed in the nearest bugfixing branch - which is 4.2.x.
FreeIPA 4.2.1 was released, moving to 4.2.x.
Related SSSD ticket is fixed, moving for re-triage to evaluate it.
Update required SSSD version or close the ticket if already done.
ipa-4-3:
master:
ipa-4-2:
Metadata Update from @dpal: - Issue assigned to jcholast - Issue set to the milestone: FreeIPA 4.2.4