Bug 1092766

Summary: Simple access fails to look up primary group when using sssd-ad until running the id command.
Product: Red Hat Enterprise Linux 6 Reporter: hgraham
Component: sssdAssignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA QA Contact: Kaushik Banerjee <kbanerje>
Severity: high Docs Contact:
Priority: high    
Version: 6.5CC: dlavu, dpal, grajaiya, jgalipea, lslebodn, mkosek, pbrezina, preichl, striker
Target Milestone: rc   
Target Release: 6.6   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: sssd-1.11.6-1.el6 Doc Type: Bug Fix
Doc Text:
Cause: Processing of group membership for user might have been ended prematurely for users with posix attributes and with disabled ID mapping. Consequence: Primary group of user need not been resolved properly and thus simple access provider might have failed. Fix: Cause of premature end of group resolving was fixed. Result: Simple access provider is now always provided with primary group of users.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-14 04:48:25 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description hgraham 2014-04-30 00:19:28 UTC 
Description of problem:
When attempting to login in the morning (most likely empty cache) access is denied by the simple access provider until logging in as root and running "id username" on the user. After this access is allowed. This is occurring on all 4 servers. SSSD is configured using sssd-ad and access is restricted using simple access with the user's primary group listed for simple access.  

This looks like a degradation of bug 670763 or something similar that wasn't fixed for sssd-ad

Version-Release number of selected component (if applicable):
sssd-1.9.2-129.el6_5.4.x86_64

How reproducible:
I had the customer use the following:
https://access.redhat.com/site/articles/704743

Steps to Reproduce:
1.
2.
3.

Actual results:
required to run "id username" before simple access succeeds

Expected results:
access is allowed everytime

Additional info:
The sssd.conf configuration

[domain/default]
id_provider = ad
ldap_id_mapping = False
ldap_schema = ad
access_provider = simple
simple_allow_groups = primarygroup
ad_server = adserver.domain
ad_domain = DOMAIN
debug_level = 9


[sssd]
services = nss, pam
config_file_version = 2
debug_level = 9
domains = default

[nss]
debug_level = 9
[pam]
debug_level = 9

[sudo]
debug_level = 9
Comment 4 Pavel Reichl 2014-05-15 11:53:43 UTC 
Hello Henry,

I have a local replication of the problem, so I'll try to investigate.

Regards,

Pavel Reichl
Comment 5 Jakub Hrozek 2014-05-15 11:58:19 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2334
Comment 6 Pavel Reichl 2014-05-15 14:27:09 UTC 
Just to clarify replication - I believe this bug is happening only for users with POSIX attributes (please be sure to set "ldap_id_mapping = False" as Henry stated in 1st comment).
Comment 7 Jakub Hrozek 2014-06-02 10:25:23 UTC 
Fixed upstream:

* master: fc731b54cd74e6732f1e33c7cc4ed49cab0f7c90
* sssd-1-11: 356b2dc5b81b073cfe1734df656fd34bef61c39d
Comment 9 Dan Lavu 2014-08-04 20:12:16 UTC 
Verified, simple groups are working in sssd-client-1.11.6-14.el6.x86_64 on current RHEL 6.6 nightly. Regardless of which group the member is in, primary group, secondary or tertiary. Testing was done against AD 2k12 with UNIX attributes enabled.

Note, might want to modify the man page to give examples of adding groups with white spaces in the string. Spent sometime trying to escape the space or put the string "domain users" in quotes and single quotes, none of these worked but leaving it alone was successful. e.g. simple_allow_groups = domain users
Comment 12 errata-xmlrpc 2014-10-14 04:48:25 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1375.html