Bug 1171383

Summary: getent fails for posix group with AD users after login
Product: Red Hat Enterprise Linux 7
Reporter: Steeve Goveas <sgoveas>
Component: sssd
Assignee: Lukas Slebodnik <lslebodn>
Status: CLOSED ERRATA
QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified
Priority: high
Version: 7.1
CC: grajaiya, greartes, jhrozek, lslebodn, mkosek, mzidek, nsoman, ovasik, pbrezina, preichl, sbose, sssd-maint
Target Milestone: rc
Keywords: Regression
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.12.2-38.el7
Doc Type: Bug Fix
Last Closed: 2015-03-05 10:35:01 UTC
Type: Bug
Bug Blocks: 1030699

Description Steeve Goveas 2014-12-06 07:49:20 UTC
Description of problem:
After AD users log in to the IPA client, getent for the AD users' group should show the users as members of that group.

Version-Release number of selected component (if applicable):
sssd-1.12.2-28.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install IPA
2. Add Trust with AD
3. Add AD users to a Posix group via an external group
4. Log in as AD users on the IPA client
5. Check getent for the posix group

Actual results:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa_trust_func_user_0017: ipa group shows ad users fully qualified
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [  BEGIN   ] :: Running 'ssh_with_password aduser1 vm-idm-044.stv1911.test Secret123'
:: [ 13:39:19 ] :: Running: ssh -l "aduser1" vm-idm-044.stv1911.test "echo 'login successful'
:: [ 13:39:24 ] :: ssh login successful
:: [   PASS   ] :: Command 'ssh_with_password aduser1 vm-idm-044.stv1911.test Secret123' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ssh_with_password aduser2 vm-idm-044.stv1911.test Secret123'
:: [ 13:39:25 ] :: Running: ssh -l "aduser2" vm-idm-044.stv1911.test "echo 'login successful'
:: [ 13:39:28 ] :: ssh login successful
:: [   PASS   ] :: Command 'ssh_with_password aduser2 vm-idm-044.stv1911.test Secret123' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'sleep 10'
:: [   PASS   ] :: Command 'sleep 10' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'getent group tgroup5 > ipa_trust_func_user_0017.vOqzFP 2>&1'
:: [   PASS   ] :: Command 'getent group tgroup5 > ipa_trust_func_user_0017.vOqzFP 2>&1' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'cat ipa_trust_func_user_0017.vOqzFP'
tgroup5:*:370800008:aduser2
:: [   PASS   ] :: Command 'cat ipa_trust_func_user_0017.vOqzFP' (Expected 0, got 0)
:: [   FAIL   ] :: File 'ipa_trust_func_user_0017.vOqzFP' should contain 'aduser1' 
:: [   PASS   ] :: File 'ipa_trust_func_user_0017.vOqzFP' should contain 'aduser2' 

Expected results:
getent for posix group should show both AD members

Additional info:

Comment 3 Jakub Hrozek 2014-12-10 17:27:55 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2524

Comment 5 Steeve Goveas 2015-01-07 15:54:59 UTC
Verified in version
ipa-server-4.1.0-13.el7.x86_64
sssd-ipa-1.12.2-39.el7.x86_64

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa_trust_func_user_0017: ipa group shows ad users fully qualified
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [  BEGIN   ] :: Running 'service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start'
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service
:: [   PASS   ] :: Command 'service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ssh_with_password aduser1 vm-idm-013.stv1911.test Secret123'
:: [ 21:04:44 ] :: Running: ssh -l "aduser1" vm-idm-013.stv1911.test "echo 'login successful'

MARK-LWD-LOOP -- 2015-01-07 21:04:48 --
:: [ 21:04:51 ] :: ssh login successful
:: [   PASS   ] :: Command 'ssh_with_password aduser1 vm-idm-013.stv1911.test Secret123' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ssh_with_password aduser2 vm-idm-013.stv1911.test Secret123'
:: [ 21:04:51 ] :: Running: ssh -l "aduser2" vm-idm-013.stv1911.test "echo 'login successful'
:: [ 21:04:55 ] :: ssh login successful
:: [   PASS   ] :: Command 'ssh_with_password aduser2 vm-idm-013.stv1911.test Secret123' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'sleep 10'
:: [   PASS   ] :: Command 'sleep 10' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'getent group tgroup5 > ipa_trust_func_user_0017.eVxB4F 2>&1'
:: [   PASS   ] :: Command 'getent group tgroup5 > ipa_trust_func_user_0017.eVxB4F 2>&1' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'cat ipa_trust_func_user_0017.eVxB4F'
tgroup5:*:761000008:aduser1,aduser2
:: [   PASS   ] :: Command 'cat ipa_trust_func_user_0017.eVxB4F' (Expected 0, got 0)
:: [   PASS   ] :: File 'ipa_trust_func_user_0017.eVxB4F' should contain 'aduser1' 
:: [   PASS   ] :: File 'ipa_trust_func_user_0017.eVxB4F' should contain 'aduser2'
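
The pass/fail condition used in this report (`getent group tgroup5` must list both AD users) can be scripted with exact member matching instead of a substring search, so that `aduser1` is not satisfied by a name such as `aduser10`. This is an added example, not part of the original bug report or the test suite it quotes; the function names are hypothetical and the two sample lines are the getent outputs quoted in the report.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names), not from the report's test suite.

# Print the members of one getent(1) group line, one name per line.
# Format: name:passwd:gid:member1,member2,...
group_members() {
    local line="$1" members
    members="${line#*:*:*:}"               # drop everything up to the third colon
    [ "$members" = "$line" ] && return 1   # fewer than four fields: not a group entry
    [ -n "$members" ] && printf '%s\n' "$members" | tr ',' '\n'
    return 0
}

# Print every expected user that is not an exact member of the group line.
# Usage: missing_members "<getent line>" user1 user2 ...
missing_members() {
    local line="$1" user current
    shift
    current=$(group_members "$line") || return 2
    for user in "$@"; do
        # -x whole-line match, -F fixed string: no substring or regex matches
        printf '%s\n' "$current" | grep -qxF -- "$user" || printf '%s\n' "$user"
    done
}

# Return 0 if all expected users are members, 1 if any is missing,
# 2 if the input is not a group entry.
check_group() {
    local missing
    missing=$(missing_members "$@") || return 2
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing" | sed 's/^/missing member: /' >&2
    return 1
}

# Sample input: the two getent lines quoted in this report.
BEFORE_FIX='tgroup5:*:370800008:aduser2'
AFTER_FIX='tgroup5:*:761000008:aduser1,aduser2'

# On a live client: check_group "$(getent group tgroup5)" aduser1 aduser2
check_group "$AFTER_FIX" aduser1 aduser2 && echo "tgroup5: all expected members present"
```

Because group membership feeds access decisions on the client, running such a check after each login in the reproduction steps shows whether the cached membership is complete.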

Comment 7 errata-xmlrpc 2015-03-05 10:35:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0441.html