Bug 1214719

Summary: Group resolution is inconsistent with group overrides
Product: Red Hat Enterprise Linux 7 Reporter: Martin Kosek <mkosek>
Component: sssd Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.1 CC: grajaiya, jgalipea, jhrozek, kbanerje, lslebodn, mkosek, mzidek, nsoman, pbrezina, preichl, sbose, sgoveas, sumenon
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.13.0-0.1.alpha.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1213947 Environment:
Last Closed: 2015-11-19 11:38:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1213947    
Bug Blocks:    
Attachments:
Description Flags
Verification Steps none

Comment 1 Jakub Hrozek 2015-04-24 14:28:14 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2633

Comment 2 Jakub Hrozek 2015-05-06 04:01:57 UTC
Fixed upstream:
    master:
        2263c6dd1242c92253240f4998c86a04b6a0ca3a
        145578006684481434ced78461ab8d1c3570f478
        cffe3135f29c737f2598f3c1384bfba1694fb843
        e87badc0f6fb20a443cf12bde9582ecbc2aef727 
    sssd-1-12:
        eaf656843831d579f30f94154d88aba2201c1712
        58a19d50888b1a7da0ee78b49e7d3dcbebc8614d
        f643fadbd072a9d3725f5f750340d5b13628ce6a
        24905d4ecbf210687e385449448f5a5ec97d2833

Comment 4 Sudhir Menon 2015-10-01 07:15:20 UTC
Jakub,

Can you please confirm the below observations look good with respect to the fix.

Observations:
Running getent for the group on an empty cache applies the override but id for the user resolves all group memberships.

1. [root@ipa01 ~]# ipa idoverridegroup-add 'default trust view' adgroup1
------------------------------------------
Added Group ID override "adgroup1"
------------------------------------------
Anchor to override: adgroup1

2. [root@ipa01 ~]# ipa idoverridegroup-add 'default trust view' adgroup1.in
-----------------------------------------------
Added Group ID override "adgroup1.in"
-----------------------------------------------
Anchor to override: adgroup1.in

3. [root@ipa01 ~]# ipa idoverridegroup-find 'default trust view'
----------------------------
2 Group ID overrides matched
----------------------------
Anchor to override: adgroup1.in
Anchor to override: adgroup1
----------------------------
Number of entries returned 2
----------------------------

4. [root@ipa01 ~]# ipa idoverrideuser-mod 'default trust view' aduser1.in --shell=/bin/bash --home=/home/aduser1
---------------------------------------------------
Modified an User ID override "aduser1.in"
---------------------------------------------------
Anchor to override: aduser1.in
Home directory: /home/aduser1
Login shell: /bin/bash

5. [root@ipa01 ~]# ipa idoverrideuser-add 'default trust view' aduser2.in --home=/home/aduser2 --uid=5555
---------------------------------------------
Added User ID override "aduser2.in"
---------------------------------------------
Anchor to override: aduser2.in
UID: 5555
Home directory: /home/aduser2

6. [root@ipaclient02 ~]# id aduser1.in
uid=10002(aduser1.in) gid=111112(adgroup1.in) groups=111112(adgroup1.in)

7. [root@ipaclient02 ~]# id aduser1.in
uid=10002(aduser1.in) gid=111112(adgroup1.in) groups=111112(adgroup1.in)

8. [root@ipaclient02 ~]# getent group adgroup1.in
adgroup1.in:*:111112:aduser1.in,aduser2.in
[root@ipaclient02 ~]# getent group adgroup1
adgroup1:*:30014:

9. service sssd restart

10. [root@ipaclient02 ~]# getent group adgroup1.in
adgroup1.in:*:111112:aduser1.in,aduser2.in

[root@ipaclient02 ~]# id aduser1.in
uid=10002(aduser1.in) gid=111112(adgroup1.in) groups=111112(adgroup1.in)

[root@ipaclient02 ~]# getent group adgroup1
adgroup1:*:30014:

Comment 5 Jakub Hrozek 2015-10-01 08:17:26 UTC
Override question -> redirecting needinfo to Sumit

Comment 6 Sumit Bose 2015-10-01 08:42:37 UTC
In steps 1 and 2 you create new override objects but do not specify any values to override; in the original report the GID is overridden with a new one.

The idea is that both 'getent group' and 'id' will always show the override value instead of the original GID independent of the state of the cache.
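
A consistency check for the behaviour described in Comment 6, as an added example that is not part of the bug report or of SSSD: it parses one `getent group` line and one `id` line and succeeds only when both show the override GID for the group. The function names and the override GID 70001 are constructed for illustration; the sample lines follow the output format shown in Comment 4.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.

# Print the GID (3rd colon-separated field) of one `getent group` line.
gid_from_getent() {
    printf '%s\n' "$1" | awk -F: 'NR == 1 { print $3 }'
}

# Print the GID that `id` output ($1) pairs with group name ($2), from either
# gid= or groups=. Prints nothing if absent. Names may contain spaces.
gid_from_id() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\([^)]*\)' |
        awk -v g="($2)" '{
            p = index($0, "(")
            if (substr($0, p) == g) { print substr($0, 1, p - 1); exit }
        }'
}

# Succeed only when both views report the override GID.
# $1 = getent line, $2 = id output, $3 = group name, $4 = override GID
check_override() {
    g_gid=$(gid_from_getent "$1")
    i_gid=$(gid_from_id "$2" "$3")
    if [ "$g_gid" = "$4" ] && [ "$i_gid" = "$4" ]; then
        echo "OK: $3 -> $4 in getent and id"
        return 0
    fi
    echo "MISMATCH: $3 expected=$4 getent=${g_gid:-none} id=${i_gid:-none}"
    return 1
}

# Constructed samples: override GID 70001 is an assumed value; 111112 is the
# original GID shown in the report's output.
OVERRIDE_GID=70001
GETENT_OK='adgroup1.in:*:70001:aduser1.in,aduser2.in'
ID_OK='uid=10002(aduser1.in) gid=70001(adgroup1.in) groups=70001(adgroup1.in)'
ID_STALE='uid=10002(aduser1.in) gid=111112(adgroup1.in) groups=111112(adgroup1.in)'

check_override "$GETENT_OK" "$ID_OK" adgroup1.in "$OVERRIDE_GID" || true
check_override "$GETENT_OK" "$ID_STALE" adgroup1.in "$OVERRIDE_GID" || true

# Live use on a client, with an empty cache and again with a populated one:
#   check_override "$(getent group "$grp")" "$(id "$user")" "$grp" "$gid"
```

A mismatch matters beyond cosmetics because file ownership and group-based access decisions follow the numeric GID, so the two views must agree regardless of cache state.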

Comment 7 Sudhir Menon 2015-10-14 10:24:48 UTC
Created attachment 1082776
Verification Steps

Comment 8 Sudhir Menon 2015-10-14 10:25:43 UTC
Verified using RHEL 7.2 and Windows 2008

sssd-1.13.0-39.el7.x86_64
ipa-server-trust-ad-4.2.0-13.el7.x86_64
ipa-server-dns-4.2.0-13.el7.x86_64
ipa-server-4.2.0-13.el7.x86_64

Comment 9 errata-xmlrpc 2015-11-19 11:38:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2355.html