Issue #2633: Group resolution is inconsistent with group overrides - sssd

SSSD / sssd

#2633 Group resolution is inconsistent with group overrides

Closed: Fixed None Opened 9 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1214719

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

+++ This bug was initially created as a clone of Bug #1213947 +++

Description of problem:
If id user is run first, then all groups are resolved without the group
override for the user's group. Running getent for the group on an empty cache
applies the override but id for the user does not resolve all group
memberships.

Version-Release number of selected component (if applicable):
[root@ibm-x3250m4-04 ~]# rpm -q sssd ipa-client
sssd-1.12.4-29.el6.x86_64
ipa-client-3.0.0-46.el6.x86_64

How reproducible:
always

Steps to Reproduce:

On Server

* No other view applied on any client host

[root@sideswipe ~]# ipa idoverridegroup-find 'default trust view'
----------------------------
2 Group ID overrides matched
----------------------------
  Anchor to override: adgroup1@adtest.qe
  GID: 12121212

  Anchor to override: adgroup1@pune.adtest.qe
  GID: 78787878
----------------------------
Number of entries returned 2
----------------------------

[root@sideswipe ~]# ipa idoverrideuser-find 'default trust view'
---------------------------
4 User ID overrides matched
---------------------------
  Anchor to override: aduser07@adtest.qe
  User login: syncuser07

  Anchor to override: aduser1@adtest.qe
  UID: 1902400018
  GID: 1902400018
  Home directory: /home/aduser1

  Anchor to override: aduser1@pune.adtest.qe
  UID: 999999991
  GID: 999999991
  Home directory: /home/pune/aduser1
  Login shell: /bin/tcsh

  Anchor to override: aduser2@adtest.qe
  UID: 1902400017
  GID: 1902400017
  Home directory: /home/aduser2
----------------------------
Number of entries returned 4
----------------------------
[root@sideswipe ~]# service sssd stop ; rm -f /var/lib/sss/{db,mc}/* ; service
sssd start
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service

On Client1

[root@ibm-x3250m4-04 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*;
service sssd start
Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]

[root@ibm-x3250m4-04 ~]# id aduser1@pune.adtest.qe
uid=999999991(aduser1@pune.adtest.qe) gid=999999991(aduser1@pune.adtest.qe) gro
ups=999999991(aduser1@pune.adtest.qe),1148402424(adunigroup1@adtest.qe),8390011
72(adgroup2@pune.adtest.qe),839001120(adgroup1@pune.adtest.qe),839000513(domain
users@pune.adtest.qe)

[root@ibm-x3250m4-04 ~]# getent group adgroup1@pune.adtest.qe
adgroup1@pune.adtest.qe:*:839001120:aduser1@pune.adtest.qe,aduser2@pune.adtest.
qe

[root@ibm-x3250m4-04 ~]# getent group adgroup1@adtest.qe
adgroup1@adtest.qe:*:12121212:aduser2@adtest.qe,aduser1@adtest.qe


* Clear sssd cache on server and client

[root@ibm-x3250m4-04 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*;
service sssd start
Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]

[root@ibm-x3250m4-04 ~]# getent group adgroup1@pune.adtest.qe
adgroup1@pune.adtest.qe:*:78787878:aduser1@pune.adtest.qe,aduser2@pune.adtest.q
e

[root@ibm-x3250m4-04 ~]# id aduser1@pune.adtest.qe
uid=999999991(aduser1@pune.adtest.qe) gid=999999991(aduser1@pune.adtest.qe)
groups=999999991(aduser1@pune.adtest.qe),78787878(adgroup1@pune.adtest.qe)

[root@ibm-x3250m4-04 ~]# getent group adgroup1@adtest.qe
adgroup1@adtest.qe:*:12121212:aduser2@adtest.qe,aduser1@adtest.qe

--- Additional comment from RHEL Product and Program Management on 2015-04-21
11:31:12 EDT ---

Since this bug report was entered in bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

jhrozek commented 9 years ago

Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1213947 (Red Hat Enterprise Linux 6)

rhbz: [https://bugzilla.redhat.com/show_bug.cgi?id=1214719 1214719] => [https://bugzilla.redhat.com/show_bug.cgi?id=1214719 1214719], [https://bugzilla.redhat.com/show_bug.cgi?id=1213947 1213947]

sbose commented 8 years ago

Fields changed

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
patch: 0 => 1
review: True => 0
selected: =>
testsupdated: => 0

sbose commented 8 years ago

Fields changed

owner: somebody => sbose
status: new => assigned

jhrozek commented 8 years ago

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.12.5

jhrozek commented 8 years ago

master:
- 2263c6d
- 1455780
- cffe313
- e87badc
sssd-1-12:
- eaf6568
- 58a19d5
- f643fad
- 24905d4

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.12.5

7 years ago

pbrezina commented 3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3674

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata

Assignee

sbose

Tags

None

Blocking

None

Depending on

None

Priority

major

Milestone

SSSD 1.12.5

type

defect

component

SSSD

version

None

selected

None

testsupdated

patch

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=1214719, https://bugzilla.redhat.com/show_bug.cgi?id=1213947

design_review

review

changelog

None

keywords

None

coverity

None

mark

blocking

None

design

None

sensitive

None

blockedby

None

feature_milestone

None

SSSD / sssd

Source Code

Documentation

#2633 Group resolution is inconsistent with group overrides Closed: Fixed None Opened 9 years ago by jhrozek.

Metadata

#2633 Group resolution is inconsistent with group overrides

Closed: Fixed None Opened 9 years ago by jhrozek.