Bug 1154042

Summary: RHEL6.6 sssd (1.11) doesn't return all group memberships against an IPA server
Product: Red Hat Enterprise Linux 6 Reporter: Christos Triantafyllidis <ctrianta>
Component: sssdAssignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA QA Contact: Kaushik Banerjee <kbanerje>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 6.6CC: ekeck, gagriogi, grajaiya, jbiao, jbuchta, jgalipea, jhrozek, ksiddiqu, lslebodn, mkosek, nsoman, pbrezina, preichl, striker
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: sssd-1.11.6-33.el6 Doc Type: Bug Fix
Doc Text:
Already released via ZStream
 Story Points: ---
Clone Of:
: 1165074 (view as bug list) Environment:
Last Closed: 2015-07-22 06:41:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1159926, 1165074    
Attachments:
Description Flags
console output with verification steps none

Description Christos Triantafyllidis 2014-10-17 11:34:53 UTC 
Description of problem:
Customer updated his 6.5 clients to 6.6 and after that not all groups are returned on id or id -G commands.



Version-Release number of selected component (if applicable):
sssd-1.11.6-30.el6.x86_64

How reproducible:
Everytime in customers environment

Steps to Reproduce:
1. Not clear, for customer just updating to 1.11 packages is sufficient

Actual results:
If we clean cache and remove the local cache database the users appear to be members of their primary group only.

Expected results:
All groups should be returned.

Additional info:
getent group groupname does return the correct output and after that the id command returns that group too.

Logs, config, command outputs will follow
Comment 10 Jakub Hrozek 2014-10-21 12:47:38 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2471
Comment 19 Jakub Hrozek 2014-11-05 14:07:31 UTC 
* master: 3937736546e2a4b7cccc58fded3efdff9ae690fc
Comment 20 Jakub Hrozek 2014-11-05 14:32:31 UTC 
Here are test builds:
https://jhrozek.fedorapeople.org/sssd-test-builds/sssd-6.6-ipa-group-fix/

Please note that this fix applies for users who run the IPA provider only.

If there are problems with the LDAP provider connected to an AD server, you are probably looking for bug https://bugzilla.redhat.com/show_bug.cgi?id=1160713
Comment 32 Kaleem 2015-04-08 11:10:30 UTC 
Verified.

SSSD version:
=============

[root@dhcp207-229 ~]# rpm -q sssd
sssd-1.12.4-25.el6.x86_64
[root@dhcp207-229 ~]#

[root@dhcp207-229 ~]# ipa user-show testuser1
  User login: testuser1
  First name: test
  Last name: user1
  Home directory: /home/testuser1
  Login shell: /bin/sh
  Email address: testuser1
  UID: 1121600001
  GID: 1121600001
  Account disabled: False
  Password: False
  Member of groups: ipausers, testgrp1, testgrp2, testgrp3, testgrp4, testgrp5, testgrp6, testgrp7, testgrp8, testgrp9, testgrp10, testgrp11
  Roles: testgrp1
  Kerberos keys available: False
[root@dhcp207-229 ~]# id testuser1
uid=527200001(testuser1) gid=527200001(testuser1) groups=527200001(testuser1),527200005(testgrp2),527200009(testgrp6),527200004(testgrp1),527200008(testgrp5),527200012(testgrp9),527200007(testgrp4),527200011(testgrp8),527200013(testgrp10),527200006(testgrp3),527200010(testgrp7),527200014(testgrp11)
[root@dhcp207-229 ~]#
Comment 33 Kaleem 2015-04-08 11:11:21 UTC 
Created attachment 1012168 [details]
console output with verification steps
Comment 35 errata-xmlrpc 2015-07-22 06:41:57 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1448.html