Bug 1139044

Summary: RHEL6.6 ipa user private group not found
Product: Red Hat Enterprise Linux 6
Reporter: Scott Poore <spoore>
Component: sssd
Assignee: Martin Kosek <mkosek>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: urgent
Priority: urgent
Version: 6.6
CC: dpal, grajaiya, jgalipea, jhrozek, lslebodn, mkosek, pbrezina, preichl, rcritten, tlavigne
Target Milestone: rc
Keywords: Regression
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.11.6-30.el6
Doc Type: Bug Fix
Last Closed: 2014-10-14 04:49:39 UTC
Type: Bug

Description Scott Poore 2014-09-07 19:26:05 UTC
Description of problem:

In IPA on RHEL6, I see errors logging in as a user:

[root@ipa slapd-EXAMPLE-COM]# ssh -l ipauser1 $(hostname)
ipauser1.com's password: 
Could not chdir to home directory /home/ipauser1: No such file or directory
id: cannot find name for group ID 982000001
-sh-4.1$ exit

From sssd log (from IPA client here) I see:

(Sun Sep  7 13:50:26 2014) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=ipauser1)(objectclass=groupofnames)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=example,dc=com].

Checking the group info in IPA:

[root@ipa slapd-EXAMPLE-COM]# ipa group-show ipauser1 --all --raw
  dn: cn=ipauser1,cn=groups,cn=accounts,dc=example,dc=com
  cn: ipauser1
  description: User private group for ipauser1
  gidnumber: 982000001
  ipauniqueid: bbef789c-36be-11e4-a38e-0000c0a87a65
  mepmanagedby: uid=ipauser1,cn=users,cn=accounts,dc=example,dc=com
  objectclass: posixgroup
  objectclass: ipaobject
  objectclass: mepManagedEntry
  objectclass: top

I do not see objectclass groupofnames.

If I add that, I can start seeing user private group:

[root@ipa slapd-EXAMPLE-COM]# ldapmodify  -D "cn=Directory Manager" -w Secret123 <<EOF
dn: cn=ipauser1,cn=groups,cn=accounts,dc=example,dc=com
add: objectClass
objectClass: groupofnames
EOF

modifying entry "cn=ipauser1,cn=groups,cn=accounts,dc=example,dc=com"

[root@ipa slapd-EXAMPLE-COM]# getent group ipauser1
ipauser1:*:982000001:
[root@ipa slapd-EXAMPLE-COM]# ssh -l ipauser1 $(hostname)
ipauser1.com's password: 
Last login: Sun Sep  7 14:08:14 2014 from ipa.example.com
Could not chdir to home directory /home/ipauser1: No such file or directory
-sh-4.1$ 


Version-Release number of selected component (if applicable):
ipa-server-3.0.0-42.el6.x86_64
sssd-1.11.6-29.el6.x86_64


How reproducible:
always

Steps to Reproduce:
1. On RHEL6.6 server setup IPA server with DNS (ipa-server-install --setup-dns --forwarder=<IP> ...)
2. ipa user-add ipauser1 --first=f --last=l --password
3. kinit ipauser1 # set password
4. getent group ipauser1
5. ssh -l ipauser1 $(hostname)


Actual results:
cannot see user private group for ipauser1.

Expected results:
can see upg for ipauser1 without having to add groupaddnames manually


Additional info:

Comment 2 Rob Crittenden 2014-09-09 13:12:42 UTC
As a historical note, it was an architectural decision that user-private groups do not have the groupofnames objectclass. This is because this group can have no members.
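
Added example (not part of the original report and not SSSD code): a minimal evaluator for the subset of LDAP filter syntax used in the search logged in the description, run against the group entry printed by `ipa group-show`, to show which clause excludes the user private group. Comparing values as case-insensitive strings is an assumption that is adequate for the attributes involved here.

```python
"""Evaluate the logged SSSD group filter against the UPG entry from the report."""

# Filter copied from the sssd log line in the description.
SSSD_FILTER = ("(&(cn=ipauser1)(objectclass=groupofnames)(cn=*)"
               "(&(gidNumber=*)(!(gidNumber=0))))")

# Entry as printed by `ipa group-show ipauser1 --all --raw` in the description.
UPG_ENTRY = {
    "cn": ["ipauser1"],
    "gidnumber": ["982000001"],
    "objectclass": ["posixgroup", "ipaobject", "mepManagedEntry", "top"],
}


def parse(flt, pos=0):
    """Parse one parenthesised filter component; return (node, next_pos)."""
    if flt[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if flt[pos] in "&|!":
        op, kids, pos = flt[pos], [], pos + 1
        while flt[pos] == "(":
            kid, pos = parse(flt, pos)
            kids.append(kid)
        if flt[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        return (op, kids), pos + 1
    end = flt.index(")", pos)
    attr, value = flt[pos:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1


def matches(node, entry):
    """Return True if the entry satisfies the parsed filter node."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    have = [v.lower() for v in entry.get(attr, [])]
    # "attr=*" is a presence test; anything else is an equality test.
    return bool(have) if value == "*" else value.lower() in have


def render(node):
    """Turn a parsed node back into filter text (attribute names lowercased)."""
    if node[0] == "=":
        return "(%s=%s)" % node[1:]
    return "(%s%s)" % (node[0], "".join(render(k) for k in node[1]))


def failing_clauses(flt, entry):
    """List the top-level AND clauses of flt that the entry does not satisfy."""
    node, _ = parse(flt)
    kids = node[1] if node[0] == "&" else [node]
    return [render(k) for k in kids if not matches(k, entry)]


if __name__ == "__main__":
    print("as created: ", failing_clauses(SSSD_FILTER, UPG_ENTRY))
    fixed = dict(UPG_ENTRY, objectclass=UPG_ENTRY["objectclass"] + ["groupofnames"])
    print("after ldapmodify:", failing_clauses(SSSD_FILTER, fixed))
```

The only clause the entry fails is `(objectclass=groupofnames)`; once that object class is present, as after the `ldapmodify` workaround in the description, the same filter matches.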

Comment 3 Jakub Hrozek 2014-09-09 22:38:32 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2436

Comment 4 Jakub Hrozek 2014-09-15 08:26:03 UTC
Pushed upstream:
    master:
        6f91c61426c8cfbfec52d5e77ae4650007694e69
        7ba70236daccb48432350147d0560b3302518cee 
    sssd-1-11:
        cfa74fcb5f6ba23f41a9ddaa76c3ebae6156da86
        9e99c000a4e2647328e71b4db272b4b73a7189c5

Comment 6 Scott Poore 2014-09-15 21:55:37 UTC
Verified.

First, confirmed bug:

[root@rhel6-1 yum.local.d]# ipa user-add bz1139044user1 --first=f --last=l
---------------------------
Added user "bz1139044user1"
---------------------------
  User login: bz1139044user1
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/bz1139044user1
  GECOS field: f l
  Login shell: /bin/sh
  Kerberos principal: bz1139044user1
  Email address: bz1139044user1
  UID: 1145200001
  GID: 1145200001
  Password: False
  Kerberos keys available: False

[root@rhel6-1 yum.local.d]# ipa passwd bz1139044user1
New Password: 
Enter New Password again to verify: 
---------------------------------------------------
Changed password for "bz1139044user1"
---------------------------------------------------

[root@rhel6-1 yum.local.d]# kinit bz1139044user1
Password for bz1139044user1: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

[root@rhel6-1 yum.local.d]# ssh -l bz1139044user1 $(hostname)
Could not chdir to home directory /home/bz1139044user1: No such file or directory
id: cannot find name for group ID 1145200001

-sh-4.1$ id
uid=1145200001(bz1139044user1) gid=1145200001 groups=1145200001 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-sh-4.1$ exit

Then update SSSD:

[root@rhel6-1 yum.repos.d]# yum update sssd

Updated:
  sssd.x86_64 0:1.11.6-30.el6                                                                          

Dependency Updated:
  libipa_hbac.x86_64 0:1.11.6-30.el6                libipa_hbac-python.x86_64 0:1.11.6-30.el6          
  libsss_idmap.x86_64 0:1.11.6-30.el6               python-sssdconfig.noarch 0:1.11.6-30.el6           
  sssd-ad.x86_64 0:1.11.6-30.el6                    sssd-client.x86_64 0:1.11.6-30.el6                 
  sssd-common.x86_64 0:1.11.6-30.el6                sssd-common-pac.x86_64 0:1.11.6-30.el6             
  sssd-ipa.x86_64 0:1.11.6-30.el6                   sssd-krb5.x86_64 0:1.11.6-30.el6                   
  sssd-krb5-common.x86_64 0:1.11.6-30.el6           sssd-ldap.x86_64 0:1.11.6-30.el6                   
  sssd-proxy.x86_64 0:1.11.6-30.el6                

Complete!

Then verify the actual fix works:

[root@rhel6-1 yum.repos.d]# echo Secret123| kinit bz1139044user1
Password for bz1139044user1: 

[root@rhel6-1 yum.repos.d]# ssh -l bz1139044user1 $(hostname) id
Could not chdir to home directory /home/bz1139044user1: No such file or directory
uid=1145200001(bz1139044user1) gid=1145200001(bz1139044user1) groups=1145200001(bz1139044user1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[root@rhel6-1 yum.repos.d]# 

I can see the private group name resolved above.

Comment 7 errata-xmlrpc 2014-10-14 04:49:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1375.html