#822 group memberships are not populated correctly during IPA provider initgroups
Closed: Fixed None Opened 13 years ago by jhrozek.

Consider the group ipausers which contains all the users on a typical IPA installation.

After login and initgroups, I can see I'm a member of different groups including ipausers which contains 100+ users in my case:

-sh-4.1$ id
uid=1060400019(membertest) gid=1060400019(membertest) groups=1060400019(membertest),1060400001(ipausers),1060400020(testgroup) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

But only this single user is a member of the group.

-sh-4.1$ getent group ipausers
ipausers:*:1060400001:membertest

In contrast, when I get the group info with a cold cache, all the users are populated.

Right now, the code paths for IPA and AD are common. One solution might be to save the member attributes as we do now. If the code tries to save a user that is not cached yet, mark that group as expired. That would force a refresh next time getgrnam/getgrgid is called on that group.

That refresh might be expensive, but I think it is not a big penalty because this refresh is done when getgrnam/gid is called for a non-cached group anyway.
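
A simplified model of the proposal above, added here as an illustration; it is not part of the original ticket and is not SSSD code. The `GroupCache` class, its `expire_on_missing` flag, the TTL and the sample directory are all assumptions constructed for this example.

```python
class GroupCache:
    """Toy model of the caching behaviour discussed in the ticket (not SSSD code)."""

    def __init__(self, directory, ttl=300, expire_on_missing=True):
        self.directory = directory   # group -> full member list (stands in for the server)
        self.ttl = ttl
        self.expire_on_missing = expire_on_missing
        self.users = set()           # users already present in the local cache
        self.groups = {}             # group -> {"members": [...], "expires": timestamp}
        self.refreshes = 0           # number of full group refreshes performed

    def initgroups(self, user, now):
        """Login path: cache the user and every group the user belongs to."""
        self.users.add(user)
        for name, members in self.directory.items():
            if user not in members:
                continue
            # Only members that are already cached users can be stored.
            known = [m for m in members if m in self.users]
            expires = now + self.ttl
            if self.expire_on_missing and len(known) < len(members):
                # Proposed behaviour: a member was not cached yet, so the
                # group is stored as already expired.
                expires = 0
            self.groups[name] = {"members": known, "expires": expires}

    def getgrnam(self, name, now):
        """Return the member list, refreshing a missing or expired entry."""
        entry = self.groups.get(name)
        if entry is None or entry["expires"] <= now:
            if name not in self.directory:
                return None
            entry = {"members": list(self.directory[name]), "expires": now + self.ttl}
            self.groups[name] = entry
            self.refreshes += 1
        return entry["members"]


def demo():
    # Constructed sample data: three users in ipausers, one in testgroup.
    directory = {"ipausers": ["membertest", "alice", "bob"],
                 "testgroup": ["membertest"]}
    results = {}
    for label, flag in (("current", False), ("proposed", True)):
        cache = GroupCache(directory, expire_on_missing=flag)
        cache.initgroups("membertest", now=1000)
        results[label] = cache.getgrnam("ipausers", now=1001)
    return results


if __name__ == "__main__":
    print(demo())
```

With `expire_on_missing=False` the model reproduces the truncated `getent group ipausers` result shown above; with the flag set, the first lookup after login triggers one full refresh and returns every member.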


Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.5.3
owner: somebody => jhrozek

Fields changed

component: SSSD => IPA Provider

master: 24be43b

sssd1.5: ea65835

resolution: => fixed
status: new => closed

Fields changed

rhbz: => 0

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.5.4

7 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/1864

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
