Bug 1213940

Summary: Override with --login fails trusted adusers group membership resolution
Product: Red Hat Enterprise Linux 6
Component: sssd
Version: 6.7
Status: CLOSED ERRATA
Severity: unspecified
Priority: medium
Reporter: Steeve Goveas <sgoveas>
Assignee: Sumit Bose <sbose>
QA Contact: Namita Soman <nsoman>
Docs Contact: Tomas Capek <tcapek>
CC: drieden, grajaiya, jgalipea, jhrozek, lslebodn, mkosek, mzidek, nsoman, pbrezina, preichl, sbose, sumenon
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.12.4-35.el6
Doc Type: Known Issue
Doc Text:
User login override fails trusted *adusers* group membership resolution

If a user login is overridden by using the *--login* command-line parameter, then the group membership for this user will be incorrect until the user's first login.
Last Closed: 2016-05-10 20:22:15 UTC
Type: Bug
Bug Blocks: 1214673, 1214718    

Description Steeve Goveas 2015-04-21 15:09:00 UTC
Description of problem:
Override for trusted AD users with --login causes failure for group membership resolution prior to login

Version-Release number of selected component (if applicable):
[root@vm-idm-018 ~]# rpm -q sssd ipa-client
sssd-1.12.4-31.el6.x86_64
ipa-client-3.0.0-46.el6.x86_64

How reproducible:
always

Steps to Reproduce:

* On Server no override for aduser1.qe

[root@sideswipe ~]# ipa idoverrideuser-find 'default trust view' aduser1.qe
---------------------------
0 User ID overrides matched
---------------------------
----------------------------
Number of entries returned 0
----------------------------
[root@sideswipe ~]# service sssd stop ; rm -f /var/lib/sss/{db,mc}/* ; service sssd start
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service

* On Client group resolve prior to login works

[root@vm-idm-018 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]
[root@vm-idm-018 ~]# id aduser1.qe
uid=839001130(aduser1.qe) gid=839001130(aduser1.qe) groups=839001130(aduser1.qe),1148402424(adunigroup1),839001172(adgroup2.qe),839001120(adgroup1.qe),839000513(domain users.qe)


* On Server override added for aduser1.qe with login name puser1

[root@sideswipe ~]# ipa idoverrideuser-add 'default trust view' aduser1.qe --login puser1
-----------------------------------------------
Added User ID override "aduser1.qe"
-----------------------------------------------
  Anchor to override: aduser1.qe
  User login: puser1
[root@sideswipe ~]# service sssd stop ; rm -f /var/lib/sss/{db,mc}/* ; service sssd start
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service

* On Client group resolve fails prior to login. Group memberships are resolved after the user logs in

[root@vm-idm-018 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]

[root@vm-idm-018 ~]# id aduser1.qe
uid=839001130(puser1.qe) gid=839001130(puser1.qe) groups=839001130(puser1.qe),839000513(domain users.qe)

    * Restart sssd  on both server and client

[root@vm-idm-018 ~]# id puser1.qe
id: puser1.qe: No such user        # bz1213822

[root@vm-idm-018 ~]# id puser1.qe
uid=839001130(puser1.qe) gid=839001130(puser1.qe) groups=839001130(puser1.qe),839000513(domain users.qe)

    * Login as puser1 and then run id

[root@vm-idm-018 ~]# ssh -l puser1.qe `hostname` echo 'login successful'
puser1.qe.test's password: 
login successful

[root@vm-idm-018 ~]# id puser1.qe
uid=839001130(puser1.qe) gid=839001130(puser1.qe) groups=839001130(puser1.qe),839000513(domain users.qe),839001120(adgroup1.qe),1148402424(adunigroup1),839001172(adgroup2.qe)
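
Added example (not part of the original report and not sssd or IPA code): a Python check that compares `id` output by numeric GID, since the login override renames the user, and reports which memberships are missing before the first login. The three sample lines are the `id` outputs quoted in the description above; the function and constant names are illustrative.

```python
import re

# id(1) output: uid=N(name) gid=N(name) groups=N(name),N(name),...
# Group names may contain spaces ("domain users.qe"), so match on the
# "number(name)" shape instead of splitting on whitespace.
ID_LINE = re.compile(r"uid=(\d+)\(([^)]*)\) gid=(\d+)\(([^)]*)\) groups=(.*)")
ENTRY = re.compile(r"(\d+)\(([^)]*)\)")

# Copied from the reproduction steps in this report.
NO_OVERRIDE = "uid=839001130(aduser1.qe) gid=839001130(aduser1.qe) groups=839001130(aduser1.qe),1148402424(adunigroup1),839001172(adgroup2.qe),839001120(adgroup1.qe),839000513(domain users.qe)"
OVERRIDE_BEFORE_LOGIN = "uid=839001130(puser1.qe) gid=839001130(puser1.qe) groups=839001130(puser1.qe),839000513(domain users.qe)"
OVERRIDE_AFTER_LOGIN = "uid=839001130(puser1.qe) gid=839001130(puser1.qe) groups=839001130(puser1.qe),839000513(domain users.qe),839001120(adgroup1.qe),1148402424(adunigroup1),839001172(adgroup2.qe)"


def parse_id(line):
    """Return uid, login, primary gid and {gid: name} for one id(1) line."""
    m = ID_LINE.search(line)
    if m is None:
        raise ValueError("not id(1) output: %r" % line)
    groups = {int(g): name for g, name in ENTRY.findall(m.group(5))}
    return {"uid": int(m.group(1)), "login": m.group(2),
            "gid": int(m.group(3)), "groups": groups}


def missing_groups(baseline, current):
    """Groups present in the baseline lookup but absent from the current one.

    Compared by numeric GID: a --login override changes the printed user
    name, while the POSIX IDs in the outputs above stay the same.
    """
    base, cur = parse_id(baseline), parse_id(current)
    if base["uid"] != cur["uid"]:
        raise ValueError("lines describe different users")
    return {g: n for g, n in sorted(base["groups"].items())
            if g not in cur["groups"]}


if __name__ == "__main__":
    for label, line in (("before login", OVERRIDE_BEFORE_LOGIN),
                        ("after login", OVERRIDE_AFTER_LOGIN)):
        lost = missing_groups(NO_OVERRIDE, line)
        print(label, "->", lost if lost else "all groups resolved")
```

Run against live `id` output captured before adding the override and again after clearing the SSSD cache; any non-empty result means group-based access decisions for that user would differ until the first login.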

Comment 2 Jakub Hrozek 2015-04-24 14:24:10 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2632

Comment 3 Jakub Hrozek 2015-04-29 09:54:01 UTC
* master: 3453e4734d2f7738034af61edb7d33c0c7095d8a
* sssd-1-12: 85287a6b897d818d279171a83aa3c8a0de66f13b

Comment 9 Sudhir Menon 2016-02-17 09:04:04 UTC
Verified using RHEL7.2 IPA Server and RHEL6.8 IPA client

Observation:
On Client group resolve works prior to login. 

===IPA Server===
ipa-server-4.2.0-15.el7_2.3.x86_64
sssd-1.13.0-40.el7_2.1.x86_64

[root@host2 ~]# ipa idoverrideuser-mod 'default trust view'  test1.qe --login=puser1
-----------------------------------------------
Modified an User ID override "test1.qe"
-----------------------------------------------
  Anchor to override: test1.qe
  User login: puser1

[root@host2 ~]# service sssd stop ; rm -f /var/lib/sss/{db,mc}/* ; service sssd start
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service

[root@host2 ~]# id test1.qe
uid=10000(puser1.qe) gid=10001(agroup1) groups=10001(agroup1),10000(domain users)

===IPA Client===
ipa-client-3.0.0-50.el6.x86_64
sssd-1.13.3-15.el6.x86_64

[root@r68client ~]# id test2.qe
uid=10001(test2.qe) gid=10001(agroup1) groups=10001(agroup1),10000(domain users)

[root@r68client ~]# ssh -l puser1.qe `hostname` echo 'login successful'
puser1.qe.in's password: 
Could not chdir to home directory /home/chd.pne.qe/test1: No such file or directory
login successful

[root@r68client ~]# id test1.qe
uid=10000(puser1.qe) gid=10001(agroup1) groups=10001(agroup1),10000(domain users)

Comment 11 errata-xmlrpc 2016-05-10 20:22:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0782.html