Bug 1187192

Summary: IPA initgroups don't work correctly in non-default view
Product: Red Hat Enterprise Linux 7
Reporter: Martin Kosek <mkosek>
Component: sssd
Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA
QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified
Priority: unspecified
Version: 7.0
CC: drieden, grajaiya, jgalipea, jhrozek, lslebodn, mkosek, mzidek, pbrezina, preichl, sgoveas
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.12.2-55.el7
Doc Type: Bug Fix
Last Closed: 2015-03-05 10:35:29 UTC

Description Martin Kosek 2015-01-29 14:16:51 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2571

When a client is a member of a non-default view, the initgroups operation for IPA users currently doesn't work well, because we don't store the overrideDN attributes automagically.

Comment 2 Jakub Hrozek 2015-01-30 12:33:49 UTC
Fixed upstream:

* master:
 * b2c3722b9a1eaf265f6b102043958f6d4378788c
 * 108db0e3b9e06e530364ef8228634f5e3f6bd3b5
* sssd-1-12:
 * d18bd28fb09f104e2b13382c430247cad731f867
 * 74d708790a202b78242bd2951178f0a2483327be

Comment 4 Steeve Goveas 2015-01-30 19:33:20 UTC
* With unpatched version

[root@loki ~]# rpm -q sssd
sssd-1.12.2-52.el7.x86_64

On Client
[root@loki ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start

[root@loki ~]# id tuser
uid=1629000008(tuser) gid=1629000008(tuser) groups=1629000008(tuser),1629000010(group2),1629000009(grp1)

On Server
[root@django ~]# ipa idview-add bugview
-----------------------
Added ID View "bugview"
-----------------------
  ID View Name: bugview

[root@django ~]# ipa idview-apply bugview --hosts loki.ipanew.test
-------------------------
Applied ID View "bugview"
-------------------------
  hosts: loki.ipanew.test
---------------------------------------------
Number of hosts the ID View was applied to: 1
---------------------------------------------

[root@django ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start

On Client
[root@loki ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start

[root@loki ~]# id tuser
uid=1629000008(tuser) gid=1629000008(tuser) groups=1629000008(tuser)


* Verified in fixed version

[root@bumblebee ~]# rpm -q sssd
sssd-1.12.2-55.el7.x86_64

[root@bumblebee ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start

[root@bumblebee ~]# id ipauser1
uid=1707800004(ipauser1) gid=1707800004(ipauser1) groups=1707800004(ipauser1),1707800007(ipagroup2),1707800006(ipagroup1)


On Server
[root@vm-idm-019 ~]# ipa idview-show hostview
  ID View Name: hostview

[root@vm-idm-019 ~]# ipa idview-apply hostview --hosts bumblebee.ipaviews.test
--------------------------
Applied ID View "hostview"
--------------------------
  hosts: bumblebee.ipaviews.test
---------------------------------------------
Number of hosts the ID View was applied to: 1
---------------------------------------------

[root@vm-idm-019 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start

On Client
[root@bumblebee ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start

[root@bumblebee ~]# id ipauser1
uid=1707800004(ipauser1) gid=1707800004(ipauser1) groups=1707800004(ipauser1),1707800007(ipagroup2),1707800006(ipagroup1)
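
A regression check for the symptom shown in Comment 4, as an added example that is not part of the bug report or of SSSD: it compares the group list in `id` output captured before and after an ID view is applied and reports any groups that disappeared. The function names are hypothetical; the sample lines are copied from Comment 4.

```shell
#!/bin/sh
# Added example (not from the bug report or SSSD); function names are hypothetical.

# Sample `id` lines copied from Comment 4: before and after applying the ID view.
UNPATCHED_BEFORE='uid=1629000008(tuser) gid=1629000008(tuser) groups=1629000008(tuser),1629000010(group2),1629000009(grp1)'
UNPATCHED_AFTER='uid=1629000008(tuser) gid=1629000008(tuser) groups=1629000008(tuser)'
FIXED_BEFORE='uid=1707800004(ipauser1) gid=1707800004(ipauser1) groups=1707800004(ipauser1),1707800007(ipagroup2),1707800006(ipagroup1)'
FIXED_AFTER=$FIXED_BEFORE

# Print the group names found in one line of `id` output, one per line, sorted.
# A trailing SELinux " context=..." field is dropped; an entry with no
# resolved name (bare GID) is kept as the number.
id_group_names() {
    printf '%s\n' "$1" |
        sed -n 's/.* groups=//p' |
        sed 's/ context=.*//' |
        tr ',' '\n' |
        sed 's/^[0-9][0-9]*(\(.*\))$/\1/' |
        LC_ALL=C sort -u
}

# Print every group present in the "before" line but absent from the "after" line.
lost_groups() {
    after_list=$(id_group_names "$2")
    id_group_names "$1" | while IFS= read -r g; do
        printf '%s\n' "$after_list" | grep -Fxq -- "$g" || printf '%s\n' "$g"
    done
}

# Return 1 (and report on stderr) if any supplementary group was lost.
check_view_groups() {
    lost=$(lost_groups "$1" "$2")
    if [ -n "$lost" ]; then
        printf 'groups lost after ID view change:\n%s\n' "$lost" >&2
        return 1
    fi
    return 0
}

# Demo: lists group2 and grp1 for the unpatched host, nothing for the fixed one.
lost_groups "$UNPATCHED_BEFORE" "$UNPATCHED_AFTER"
lost_groups "$FIXED_BEFORE" "$FIXED_AFTER"
```

On a live client the two arguments would be `id <user>` output captured after each cache reset, as in the reproduction steps above.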

Comment 6 errata-xmlrpc 2015-03-05 10:35:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0441.html