Learn more about these different git repos.
Other Git URLs
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 995389
Description of problem: IPA v3.0 domain and sssd on EL6, some posix users in nested groups aren't showed in a "final" posix group, eg: user1, user2 are members of group1, user3, user4 are members of group2 and user5, group1 and group2 are members of group3, when i type "getent group" on a EL6 ipa client, group3 show only user5, user1 and user2 as member, when i log in with user 3 and i type "groups", group3 is not displayed. for another group, group4 (with group1 as nested group and group5 ), all users are displayed correctly. After some others tests, it seems that "normal" (in opposition to posix) nested groups that are not expanded. Version-Release number of selected component (if applicable): How reproducible: Always for non posix nested groups Steps to Reproduce: 1. choose a user and login on a IPA client box 2. type "groups" command a see if all groups are displayed 3. type "getent group" command and see if all users are displeyed in all groups Actual results: [user3@srv01 ~]$ groups groupE groupA groupC groupB Expected results: [user3@srv01 ~]$ groups group3 groupE groupA groupC groupB Additional info: libsss_autofs.x86_64 1.9.2-82.7.el6_4 libsss_idmap.x86_64 1.9.2-82.7.el6_4 sssd.x86_64 1.9.2-82.7.el6_4 sssd-client.x86_64 1.9.2-82.7.el6_4 sssd-tools.x86_64 1.9.2-82.7.el6_4 On EL6 IPAv3 server [user1@ds01 ~]$ ipa user-show user1 Identifiant de connexion: user1 Pr?nom: User Nom: One R?pertoire utilisateur: /home/user1 Shell de connexion: /bin/bash Adresse courriel: user1@example.com UID: 500200021 GID: 500200000 Compte d?sactiv?: False Mot de passe: True Membre des groupes: group1, ipausers Indirect Member of group: group3, groupD, groupA, groupC, groupB Indirect Member of Sudo rule: group1_sudo Indirect Member of HBAC rule: allow_all_to_group1 [user1@ds01 ~]$ ipa user-show user3 Identifiant de connexion: user3 Pr?nom: User Nom: Three R?pertoire utilisateur: /home/user3 Shell de connexion: /bin/bash Adresse courriel: user3@example.com UID: 500200017 GID: 500200010 Compte d?sactiv?: False Mot de passe: True Membre des groupes: groupE, ipausers, groupA, groupB Indirect Member of group: groupA, groupC, groupB, group3 Indirect Member of Sudo rule: manage_jbossas, kill_jbossas Indirect Member of HBAC rule: allow_xxx, allow_yyy Cl?s Kerberos disponibles: True [user1@ds01 ~]$ ipa group-show group1 Nom du groupe: group1 Description: Account administrators group GID: 500200000 Utilisateurs membres: user1, user2 Membre des groupes: group3, groupx, groupy, groupz Member of Sudo rule: group1_sudo Member of HBAC rule: allow_xxx_to_group1 [user1@ds01 ~]$ ipa group-show group2 Nom du groupe: group2 Description: Full access to xxx servers. Utilisateurs membres: user3, user4 Membre des groupes: group3 Member of Sudo rule: manage_jbossas, kill_jbossas Member of HBAC rule: allow_xxx_to_group2 [user1@ds01 ~]$ ipa group-show group3 Nom du groupe: group3 Description: xxx group GID: 2000 Utilisateurs membres: user6 Groupes membres: group2, group1 Utilisateurs membres indirects: user3, user4, user1, user2 On EL6 client: [root@srv01 ~]# su - user1 [user1@srv01 ~]$ id uid=500200021(user1) gid=500200000(group1) groupes=500200000(group1),2000(group 3),2001(groupD),2002(groupA),2003(groupC),2004(groupB) contexte=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 [user1@srv01 ~]$ groups group1 group3 groupD groupA groupC groupB [user1@srv01 ~]$ getent group group3 group3:x:2000: [user1@srv01 ~]$ getent group | grep group3 group3:x:2000: group3:*:2000:user2,user1 [user1@srv01 ~]$ exit logout [root@srv01 user1]# su - user3 [user3@srv01 ~]$ id uid=500200017(user3) gid=500200010(groupE) groupes=500200010(groupE),2002(groupA),2003(groupC),2004(groupB) contexte=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 [user3@srv01 ~]$ groups groupE groupA groupC groupB [user3@srv01 ~]$ getent group group3 group3:x:2000: [user3@srv01 ~]$ getent group | grep group3 group3:x:2000: group3:*:2000:user2,user1 [user3@srv01 ~]$ exit logout
Related to #2117
blockedby: => blocking: => changelog: => coverity: => design: => design_review: => 0 feature_milestone: => fedora_test_page: => milestone: NEEDS_TRIAGE => SSSD 1.12 beta review: True => 0 selected: => testsupdated: => 0 type: defect => enhancement
Fields changed
milestone: SSSD 1.12 beta => SSSD 1.12.1
This ticket should be a defect.
Pavel, can you check if it makes sense to fix together with your work on #2343 ?
cc: => preichl type: enhancement => defect
Mass-moving all tickets that didn't make 1.12.1 into 1.12.2
milestone: SSSD 1.12.1 => SSSD 1.12.2
I'm quite sure this is a duplicate of #2343.
resolution: => duplicate status: new => closed
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD 1.12.2
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/3328
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Login to comment on this ticket.