#4436 Users in ipa groups, added to netgroups are not resolvable
Closed: Fixed None Opened 9 years ago by dpal.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1118257

Description of problem:
Users from IPA groups, added to netgroups are not resolvable.

Version-Release number of selected component (if applicable):
ipa-server-3.3.3-28.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Create a group and add users to that group
2. Create a netgroup
3. Add the group as a member of the netgroup
4. Add a user as a member of the netgroup
5. Do getent for that netgroup

[root@hp-ms-01-c40 ~]# ipa group-add testgrp --desc="test group"
---------------------
Added group "testgrp"
---------------------
  Group name: testgrp
  Description: test group
  GID: 1945600012

[root@hp-ms-01-c40 ~]# ipa group-add-member --users={user1,user2} testgrp
  Group name: testgrp
  Description: test group
  GID: 1945600012
  Member users: user1, user2
-------------------------
Number of members added 2
-------------------------

[root@hp-ms-01-c40 ~]# ipa netgroup-add-member --group testgrp ng001
  Netgroup name: ng001
  Description: testing ng
  NIS domain name: steeve06171722.test
  Host category: all
  Member User: ipahttpuser1
  Member Group: testgrp
-------------------------
Number of members added 1
-------------------------

[root@hp-ms-01-c40 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service


Actual results:
[root@hp-ms-01-c40 ~]# getent netgroup ng001
ng001                 (-,ipahttpuser1,steeve06171722.test)

Expected results:
[root@ibm-x3650m4 ~]# getent netgroup ng001
ng001                 ( , ipahttpuser1, steeve06171722.test) ( , user1, steeve06171722.test) ( , user2, steeve06171722.test)

Additional info:

FreeIPA 4.0.1 was released, moving to next bugfixing release milestone.

This is caused by a bug in SSSD, it does not handle nesting in netgroups, see https://fedorahosted.org/sssd/ticket/2275.

Related SSSD ticket/Bugzilla was moved post SSSD 1.12, thus moving to later release to reflect it.

During processing of remaining tickets in 4.2 Backlog, this ticket was found as suitable to be fixed in the nearest bugfixing branch - which is 4.2.x.

FreeIPA 4.2.1 was released, moving to 4.2.x.

Related SSSD ticket is fixed, moving for re-triage to evaluate it.

Update required SSSD version or close the ticket if already done.

ipa-4-3:

  • eb187e9 slapi-nis: update configuration to allow external members of IPA groups
  • 5e2c6b0 spec: Bump required sssd version to 1.13.3-5

master:

  • 1353847 slapi-nis: update configuration to allow external members of IPA groups
  • 271086e spec: Bump required sssd version to 1.13.3-5

ipa-4-2:

  • fea62ea spec: Bump required sssd version to 1.13.3-5
  • dbea05e slapi-nis: update configuration to allow external members of IPA groups

Metadata Update from @dpal:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.2.4

7 years ago
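
A client-side check for the behaviour reported in this ticket, as an added example that is not part of the ticket or of FreeIPA/SSSD: it parses `getent netgroup` output into (host,user,domain) triples and lists the expected users that are missing. The function names `netgroup_users` and `missing_users` are made up for this example; the sample input is the two `getent` outputs quoted in the description.

```shell
#!/bin/sh
# Added example (not from the ticket): check that nested group members
# show up in a netgroup's (host,user,domain) triples.

# Print the user field of every triple read from stdin, one per line.
# Accepts both "(-,user,domain)" and "( , user, domain)" and wrapped output.
netgroup_users() {
    tr '\n' ' ' | grep -o '([^()]*)' | tr -d '() \t' |
        awk -F, 'NF == 3 && $2 != "" && $2 != "-" { print $2 }' | sort -u
}

# Args: expected user names. Stdin: `getent netgroup NAME` output.
# Prints each expected user that is missing; returns 1 if any are missing.
missing_users() {
    resolved=$(netgroup_users)
    status=0
    for u in "$@"; do
        printf '%s\n' "$resolved" | grep -qxF -- "$u" || { echo "$u"; status=1; }
    done
    return "$status"
}

# Sample input: the "Actual results" and "Expected results" output from this ticket.
BROKEN='ng001                 (-,ipahttpuser1,steeve06171722.test)'
FIXED='ng001                 ( , ipahttpuser1, steeve06171722.test) ( , user1,
steeve06171722.test) ( , user2, steeve06171722.test)'

for sample in "$BROKEN" "$FIXED"; do
    if gone=$(printf '%s\n' "$sample" | missing_users ipahttpuser1 user1 user2); then
        echo "OK: all expected users resolve"
    else
        echo "FAIL: not resolved via netgroup:" $gone
    fi
done
```

On a live client the same check is `getent netgroup ng001 | missing_users ipahttpuser1 user1 user2`, run after clearing the SSSD cache as in the reproduction steps.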
