Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1364596
Description of problem: I am seeing sssd still show a user as a member of a group after it was removed from the group and "sss_cache -UG" is run. Running the Web_App_Authentication tests, the LookupUserGroup tests are showing a user still is a member of a group after it is removed. Even running sss_cache doesn't change that. During the tests, I see the first group membership change reflected immediately. When the user is removed from the last group, though, it is still seen as a member.

Version-Release number of selected component (if applicable):
sssd-1.14.0-14.el7.x86_64
mod_lookup_identity-0.9.5-1.el7.x86_64
sssd-dbus-1.14.0-14.el7.x86_64

How reproducible: always

Steps to Reproduce:

ON IPA Master host:
1. ipa-server-install

ON Web server:
2. ipa-client-install
3. yum -y install httpd mod_ssl mod_authnz_pam mod_lookup_identity sssd-dbus
4. yum remove mod_nss
5. Setup minimal web app http config:

```
[root@rhel7-2 ~]# cat /etc/httpd/conf.d/app1.conf
LoadModule authnz_pam_module modules/mod_authnz_pam.so
LoadModule lookup_identity_module modules/mod_lookup_identity.so
<Location /app1>
    AuthType Basic
    AuthName "private area"
    AuthBasicProvider PAM
    AuthPAMService app1
    Require valid-user
    ErrorDocument 401 'FAIL'
    LookupUserAttr mail REMOTE_USER_EMAIL " "
    LookupUserAttr firstname REMOTE_USER_FIRSTNAME
    LookupUserAttr lastname REMOTE_USER_LASTNAME
    LookupUserGroups REMOTE_USER_GROUPS ":"
    LookupUserGroupsIter REMOTE_USER_GROUPS
    LookupUserGroups REMOTE_USER_GROUPS ":"
    LookupUserGroupsIter REMOTE_USER_GROUPS
</Location>
<Directory /var/www/html/app1>
    Options +Includes
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</Directory>
```

6. Setup shtml file with SSI to show vars:

```
[root@rhel7-2 ~]# cat /var/www/html/app1/index.shtml
<html>
<body>
REMOTE_ADDR=<!--#echo var="REMOTE_ADDR"-->
REMOTE_PORT=<!--#echo var="REMOTE_PORT"-->
REMOTE_USER=<!--#echo var="REMOTE_USER"-->
REMOTE_USER_FIRSTNAME=<!--#echo var="REMOTE_USER_FIRSTNAME"-->
REMOTE_USER_LASTNAME=<!--#echo var="REMOTE_USER_LASTNAME"-->
REMOTE_USER_GROUPS=<!--#echo var="REMOTE_USER_GROUPS"-->
REMOTE_USER_GROUPS_1=<!--#echo var="REMOTE_USER_GROUPS_1"-->
REMOTE_USER_GROUPS_N=<!--#echo var="REMOTE_USER_GROUPS_N"-->
</body>
</html>
```

7. kinit admin
8. ipa user-add webuser --first=web --last=user --password
9. kinit webuser
10. ipa group-add webgroup1
11. ipa group-add webgroup2
12. ipa group-add-member webgroup1 --users=webuser
13. ipa group-add-member webgroup2 --users=webuser
14. curl -u webuser:Secret123 https://$(hostname)/app1/index.shtml
15. ipa group-remove-member webgroup2 --users=webuser
16. curl -u webuser:Secret123 https://$(hostname)/app1/index.shtml
17. ipa group-remove-member webgroup1 --users=webuser
18. curl -u webuser:Secret123 https://$(hostname)/app1/index.shtml
19. sss_cache -UG
20. curl -u webuser:Secret123 https://$(hostname)/app1/index.shtml

Actual results: Step 18 and 20 both show the user still as a member of webgroup1.

Expected results: I would expect at least after invalidating all users/groups that it would be looked up again and no group membership show.

Additional info:
Fields changed: owner: somebody => pcech
status: new => assigned
Petr is already working on this ticket.
milestone: NEEDS_TRIAGE => SSSD 1.14.3
Reproducer in bash (not always working):

```bash
#!/bin/bash

# PREPARING: create a fresh user and group on the IPA server
ipa user-add --first=Test --last=User --email=tu1@domain.sssd testuser
ipa group-add testgroup

# REPRODUCER: start from an empty sssd cache and memory cache
systemctl daemon-reload
sudo su -c "truncate -s0 /var/log/sssd/*.log"
sudo su -c "rm -f /var/lib/sss/db/*"
sudo su -c "rm -f /var/lib/sss/mc/*"
systemctl restart sssd
date && getent group testgroup
# add the user, invalidate the cache, and check that the membership shows up
ipa group-add-member --users=testuser testgroup
sss_cache -UG && getent group testgroup
# remove the user, invalidate again; testuser should no longer be listed
ipa group-remove-member --users=testuser testgroup
sss_cache -UG && getent group testgroup

# CLEANING
ipa group-del testgroup
ipa user-del testuser
```
Configuration:

```
[domain/ipa.beta]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = beta
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = mirach.beta
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, algol.beta
dyndns_iface = ens3
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 0xFFFF0

[sssd]
services = nss, sudo, pam, ssh
domains = ipa.beta
debug_level = 0xFFFFF0

[nss]
homedir_substring = /home
```
If testuser isn't removed, we can see this in the cache db:

```
dn: name=testuser@ipa.beta,cn=users,cn=ipa.beta,cn=sysdb
createTimestamp: 1477042908
fullName: Test User
gecos: Test User
gidNumber: 1703800527
homeDirectory: /home/testuser
loginShell: /bin/sh
name: testuser@ipa.beta
objectClass: user
uidNumber: 1703800527
uniqueID: 953acf6e-9772-11e6-af3e-5254001a3efa
originalDN: uid=testuser,cn=users,cn=accounts,dc=beta
originalMemberOf: cn=ipausers,cn=groups,cn=accounts,dc=beta
originalModifyTimestamp: 20161021094146Z
entryUSN: 27047
userPrincipalName: testuser@BETA
mail: tu1@domain.sssd
nameAlias: testuser@ipa.beta
lastUpdate: 1477042908
dataExpireTimestamp: 1477048308
overrideDN: name=testuser@ipa.beta,cn=users,cn=ipa.beta,cn=sysdb
memberof: name=ipausers@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb
memberof: name=testgroup@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb
initgrExpireTimestamp: 1477048308
distinguishedName: name=testuser@ipa.beta,cn=users,cn=ipa.beta,cn=sysdb

dn: name=testuser@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb
createTimestamp: 1477042908
gidNumber: 1703800527
name: testuser@ipa.beta
objectClass: group
uniqueID: 9540c752-9772-11e6-af3e-5254001a3efa
isPosix: TRUE
originalDN: cn=testuser,cn=groups,cn=accounts,dc=beta
originalModifyTimestamp: 20161021094146Z
entryUSN: 27039
nameAlias: testuser@ipa.beta
lastUpdate: 1477042908
dataExpireTimestamp: 1477048308
overrideDN: name=testuser@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb
distinguishedName: name=testuser@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb

dn: name=testgroup@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb
createTimestamp: 1477042908
gidNumber: 1703800528
name: testgroup@ipa.beta
objectClass: group
uniqueID: 9597bcba-9772-11e6-8594-5254001a3efa
isPosix: TRUE
originalDN: cn=testgroup,cn=groups,cn=accounts,dc=beta
nameAlias: testgroup@ipa.beta
overrideDN: name=testgroup@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb
originalModifyTimestamp: 20161021094148Z
entryUSN: 27062
orig_member: uid=testuser,cn=users,cn=accounts,dc=beta
lastUpdate: 1477042909
dataExpireTimestamp: 1477048309
member: name=testuser@ipa.beta,cn=users,cn=ipa.beta,cn=sysdb
memberuid: testuser@ipa.beta
distinguishedName: name=testgroup@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb
```
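The cache dump above stores the membership twice: as `memberof` on the user entry and as `member` on the group entry. The stale state the ticket describes is the two halves disagreeing after the group was refreshed. The following checker is an added example written for this page, not code from the ticket or from the SSSD project. It parses an LDIF dump of the sysdb (for instance the output of `ldbsearch -H /var/lib/sss/db/cache_ipa.beta.ldb`, whose path and format are assumed here) and reports users whose `memberof` points at a group that no longer lists them. It also flags entries that `sss_cache` has marked expired, on the assumption that `sss_cache -U`/`-G` invalidates by setting `dataExpireTimestamp` (and `initgrExpireTimestamp` for users) to 1. The embedded LDIF is a constructed excerpt modelled on the ticket's dump, with the `member` link deliberately missing from testgroup to show the check firing.

```python
"""Consistency check for SSSD's sysdb cache after a group-membership change.

Added example, not part of the ticket or of SSSD. Parses LDIF and reports
'memberof' links on users that have no matching 'member' link on the group.
"""
import re
import sys
import time

# Constructed sample (not a real dump): testuser still claims membership of
# testgroup, but the testgroup entry no longer carries the 'member' link and
# has been invalidated (dataExpireTimestamp: 1, assumed sss_cache behaviour).
SAMPLE_LDIF = """\
dn: name=testuser@ipa.beta,cn=users,cn=ipa.beta,cn=sysdb
name: testuser@ipa.beta
objectClass: user
uidNumber: 1703800527
memberof: name=ipausers@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb
memberof: name=testgroup@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb
dataExpireTimestamp: 1477048308
initgrExpireTimestamp: 1477048308

dn: name=ipausers@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb
name: ipausers@ipa.beta
objectClass: group
member: name=testuser@ipa.beta,cn=users,cn=ipa.beta,cn=sysdb
memberuid: testuser@ipa.beta
dataExpireTimestamp: 1477048308

dn: name=testgroup@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb
name: testgroup@ipa.beta
objectClass: group
gidNumber: 1703800528
dataExpireTimestamp: 1
"""


def parse_ldif(text):
    """Parse LDIF into {dn: {attr: [values]}}.

    Repeated attributes (memberof, member) accumulate into a list, folded
    continuation lines (leading space) are joined, '#' comment lines such as
    ldbsearch's '# record 1' are skipped, and base64 values ('::') are kept
    undecoded since none of the attributes examined here use them.
    """
    entries, current, dn = {}, None, None
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            if dn is not None:
                entries[dn] = current
            current, dn = None, None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value[1:].lstrip() if value.startswith(":") else value.lstrip()
        if attr == "dn":
            dn, current = value, {}
        elif current is not None:
            current.setdefault(attr, []).append(value)
    if dn is not None:
        entries[dn] = current
    return entries


def is_expired(entry, now=None):
    """True when every expiry stamp on the entry is at or before 'now'.

    Assumption: sss_cache sets dataExpireTimestamp / initgrExpireTimestamp
    to 1, so an invalidated entry is always reported as expired.
    """
    now = int(time.time()) if now is None else now
    stamps = [int(v) for v in entry.get("dataExpireTimestamp", [])]
    stamps += [int(v) for v in entry.get("initgrExpireTimestamp", [])]
    return bool(stamps) and all(s <= now for s in stamps)


def stale_memberships(entries):
    """(user_dn, group_dn) pairs whose memberof link has no member link back."""
    findings = []
    for dn, attrs in entries.items():
        if "user" not in attrs.get("objectClass", []):
            continue
        for group_dn in attrs.get("memberof", []):
            group = entries.get(group_dn)
            if group is None or dn not in group.get("member", []):
                findings.append((dn, group_dn))
    return findings


def report(text, now=None):
    """Parse a dump and summarise stale links and expired entries."""
    entries = parse_ldif(text)
    return {
        "stale": stale_memberships(entries),
        "expired": sorted(d for d, a in entries.items() if is_expired(a, now)),
    }


if __name__ == "__main__":
    # Real use: ldbsearch -H /var/lib/sss/db/cache_ipa.beta.ldb | python3 sysdb_check.py -
    from_stdin = "-" in sys.argv[1:]
    result = report(sys.stdin.read() if from_stdin else SAMPLE_LDIF,
                    now=None if from_stdin else 1477045000)
    for user_dn, group_dn in result["stale"]:
        print(f"STALE: {user_dn} still lists memberof {group_dn}")
    for dn in result["expired"]:
        print(f"expired: {dn}")
```

Run between steps 17 and 20 of the reproducer, a STALE line for webgroup1 is the cache-side evidence of what the curl output shows; after `sss_cache -UG`, every user and group entry should also appear as expired, and the next lookup should clear the STALE finding.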
Metadata Update from @jhrozek: - Issue assigned to pcech - Issue set to the milestone: SSSD 1.14.3
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4255
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @pbrezina: - Issue close_status updated to: cloned-to-github - Issue status updated to: Closed (was: Open)