| Summary: | Users saved through extop don't have the originalMemberOf attribute | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jakub Hrozek <jhrozek> |
| Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Kaushik Banerjee <kbanerje> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.0 | CC: | drieden, grajaiya, jgalipea, jhrozek, lslebodn, mkosek, mzidek, pbrezina, preichl, spoore |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | sssd-1.12.2-52.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-03-05 10:35:17 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
Jakub Hrozek
2015-01-20 16:13:45 UTC
A patch is accepted upstream and was confirmed to fix the problem by both development and the user who initially reported the problem with 7.1 Beta packages.

To verify, create an HBAC rule that allows an IPA group. Add an AD group as a member of this IPA group. Add an AD user as a member of the AD group. Verify that "id username" for the AD user shows the complete group membership, including the IPA group. Log in as the AD user. Before the patch, the user would be denied access and sssd_be would log an error DEBUG message saying "No groups for user". The patched packages should allow the user to log in as appropriate.

master:
- 7543052f562f157f7b17fdc46a6777d80c0cb3bd
- a4d64002b5ca763622bde240d27797d361ba0388
- 5f4d896ec8e06476f4282b562b1044de14c48ecf

sssd-1-12:
- dcc99fc87bc7ec44fdc8ec897218384cc274d4dd
- 2eb78055d7a344c0ef58adbaa84dac86df13174e
- 70ec6df14be2ddc26147095e260b4f9c7e606a6b

Additional patch landed in -45

Additional fixes landed in the latest build.

Verified.

Version :: sssd-1.12.2-52.el7.x86_64

Results ::

```
[root@vm7 sssd]# ipa group-add --desc=0 hbacgroup2
------------------------
Added group "hbacgroup2"
------------------------
  Group name: hbacgroup2
  Description: 0
  GID: 1436400005
[root@vm7 sssd]# ipa group-add --desc=0 hbacgroup2_external --external
---------------------------------
Added group "hbacgroup2_external"
---------------------------------
  Group name: hbacgroup2_external
  Description: 0
[root@vm7 sssd]# ipa group-add-member hbacgroup2 --groups=hbacgroup2_external
  Group name: hbacgroup2
  Description: 0
  GID: 1436400005
  Member groups: hbacgroup2_external
-------------------------
Number of members added 1
-------------------------
[root@vm7 sssd]# ipa group-add-member hbacgroup2_external --external=mygroup2.com --users='' --groups=''
  Group name: hbacgroup2_external
  Description: 0
  External member: S-1-5-21-663451879-2037396169-3163888224-1125
  Member of groups: hbacgroup2
-------------------------
Number of members added 1
-------------------------
[root@vm7 sssd]# ipa hbacrule-add-user hbactest --groups=hbacgroup2
  Rule name: hbactest
  Host category: all
  Service category: all
  Enabled: TRUE
  User Groups: hbacgroup, hbacgroup2
-------------------------
Number of members added 1
-------------------------
[root@vm7 sssd]# ipa hbacrule-disable allow_all
------------------------------
Disabled HBAC rule "allow_all"
------------------------------
[root@vm7 sssd]# id 'ADROOT1\myuser2'
uid=1108801126(myuser2.com) gid=1108801126(myuser2.com) groups=1108801126(myuser2.com),1108800513(domain users.com),1108801125(mygroup2.com),1436400005(hbacgroup2)
[root@vm7 sssd]# ssh -l 'ADROOT1\myuser2' $(hostname)
ADROOT1\myuser2.example.test's password:
Creating home directory for ADROOT1\myuser2.
-sh-4.2$ id
uid=1108801126(myuser2.com) gid=1108801126(myuser2.com) groups=1108801126(myuser2.com),1108800513(domain users.com),1108801125(mygroup2.com),1436400005(hbacgroup2) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@vm7 sssd]# cd /var/log/sssd
[root@vm7 sssd]# grep "no groups" *
[root@vm7 sssd]# grep "no groups" /var/log/messages
[root@vm7 sssd]# grep "no groups" /var/log/secure
[root@vm7 sssd]#
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0441.html
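As an added example (not code from the bug report, from SSSD, or from any of the commenters), the following POSIX shell check automates the two verification steps described above: it parses `id` output for the IPA group that the HBAC rule allows, and it counts "No groups for user" lines in sssd_be log text. The function names, the sample `id` output, and the log lines are all constructed for the demo and are not taken from the page.

```shell
#!/bin/sh
# Added example, not code from the bug report or from SSSD: a post-update
# check for the verification steps in the report. It (1) confirms that the
# AD user's resolved groups (from `id` output) include the IPA group the HBAC
# rule allows, and (2) scans sssd_be log text for the "No groups for user"
# message that was the symptom of this bug. All sample data is constructed.

# user_in_group ID_OUTPUT GROUP: exit 0 if GROUP appears in the groups= field.
user_in_group() {
    # keep only the groups= field, one "gid(name)" per line, then strip to name
    printf '%s\n' "$1" \
        | sed -n 's/.*groups=//p' \
        | tr ',' '\n' \
        | sed 's/^[0-9]*(\(.*\))$/\1/' \
        | grep -qxF -- "$2"
}

# count_no_groups LOGTEXT: print how many lines carry "No groups for user".
# grep -c exits 1 when the count is 0, so "|| true" keeps the count usable.
count_no_groups() {
    printf '%s\n' "$1" | grep -ci 'no groups for user' || true
}

# verify_hbac_user ID_OUTPUT GROUP LOGTEXT: exit 0 only when GROUP is present
# in the resolved membership and the log shows no "No groups for user" lines.
verify_hbac_user() {
    rc=0
    if user_in_group "$1" "$2"; then
        echo "ok: user is a member of $2"
    else
        echo "FAIL: $2 missing from resolved groups (originalMemberOf not stored?)" >&2
        rc=1
    fi
    n=$(count_no_groups "$3")
    if [ "$n" -eq 0 ]; then
        echo "ok: no 'No groups for user' messages in log"
    else
        echo "FAIL: $n 'No groups for user' message(s) in sssd_be log" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample data (gids, names and log lines are made up for the demo;
# "hypothetical_fn" stands in for whatever sssd function emitted the line).
ID_AFTER_FIX='uid=1108801126(aduser) gid=1108801126(aduser) groups=1108801126(aduser),1108800513(domain users),1108801125(adgroup),1436400005(hbacgroup2)'
ID_BEFORE_FIX='uid=1108801126(aduser) gid=1108801126(aduser) groups=1108801126(aduser),1108800513(domain users),1108801125(adgroup)'
LOG_CLEAN='(Tue Jan 20 16:13:45 2015) [sssd[be[example.test]]] [hypothetical_fn] (0x0400): Initgroups done'
LOG_BROKEN='(Tue Jan 20 16:13:45 2015) [sssd[be[example.test]]] [hypothetical_fn] (0x0040): No groups for user
(Tue Jan 20 16:13:45 2015) [sssd[be[example.test]]] [hypothetical_fn] (0x0400): Initgroups done'

# Demo run: the first call passes; the second reproduces the pre-fix symptom.
verify_hbac_user "$ID_AFTER_FIX" hbacgroup2 "$LOG_CLEAN"
verify_hbac_user "$ID_BEFORE_FIX" hbacgroup2 "$LOG_BROKEN" || echo "second check failed as expected"
```

On a real host, the `id` text would come from `id 'DOMAIN\user'` and the log text from `/var/log/sssd/sssd_<domain>.log`; the name stripping relies on the `gid(name)` layout `id` prints, so group names containing spaces (such as "domain users") are handled because the split is done on commas, not whitespace.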