Bug 1215195

Summary: Override for IPA users with login does not list user all groups
Product: Red Hat Enterprise Linux 6 Reporter: Steeve Goveas <sgoveas>
Component: sssdAssignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: high Docs Contact:
Priority: medium    
Version: 6.7CC: grajaiya, jgalipea, jhrozek, lslebodn, mkosek, mzidek, nsoman, pbrezina, preichl, sumenon
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.13.2-1.el6 Doc Type: Bug Fix
Doc Text:
Do not document
 Story Points: ---
Clone Of:
: 1217127 (view as bug list) Environment:
Last Closed: 2016-05-10 20:22:46 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1217127    

Description Steeve Goveas 2015-04-24 14:30:40 UTC 
Description of problem:
When ipa user override is added with a new login name, id command does not list all its groups

Version-Release number of selected component (if applicable):
[root@vm-idm-018 ~]# rpm -q sssd
sssd-1.12.4-31.el6.x86_64

How reproducible:
always

Steps to Reproduce:

On Server

[root@sideswipe ~]# ipa user-show ipauser1
  User login: ipauser1
  First name: f
  Last name: l
  Home directory: /home/ipauser1
  Login shell: /bin/sh
  Email address: ipauser1
  UID: 1902400005
  GID: 1902400005
  Account disabled: False
  Password: True
  Member of groups: grp2, grp1, ipausers
  Kerberos keys available: True

[root@sideswipe ~]# ipa idoverrideuser-add hostview ipauser1 --login useripa1
---------------------------------
Added User ID override "ipauser1"
---------------------------------
  Anchor to override: ipauser1
  User login: useripa1
[root@sideswipe ~]# service sssd stop ; rm -fr /var/lib/sss/{db,mc}/* ; service sssd start
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service

[root@sideswipe ~]# ipa idview-apply hostview --hosts vm-idm-018.ipaviews.test--------------------------
Applied ID View "hostview"
--------------------------
  hosts: vm-idm-018.ipaviews.test
---------------------------------------------
Number of hosts the ID View was applied to: 1
---------------------------------------------


* On Client1 where hostview is not applied

[root@ibm-x3250m4-04 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]
[root@ibm-x3250m4-04 ~]# id ipauser1
uid=1902400005(ipauser1) gid=1902400005(ipauser1) groups=1902400005(ipauser1),1902400007(grp2),1902400006(grp1)


* On Client2 where host view is applied

[root@vm-idm-018 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]
[root@vm-idm-018 ~]# id useripa1
uid=1902400005(useripa1) gid=1902400005(ipauser1) groups=1902400005(ipauser1)

[root@vm-idm-018 ~]# id useripa1
uid=1902400005(useripa1) gid=1902400005(ipauser1) groups=1902400005(ipauser1)
Comment 2 Jakub Hrozek 2015-04-29 15:43:14 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2642
Comment 3 Jakub Hrozek 2015-05-06 08:55:29 UTC 
    master:
        0f9c28eb52d2b45c8a97f709308dc11377831b8c
        35b178d02dfd293778aefbc0b465a5a3a4b6cd8f 
    sssd-1-12:
        3b00bcd8b6d53d33207005c4e7a631b6a241d300
        a4a447b7bf394ded65c8ae872832e7cd135425d1
Comment 11 Sudhir Menon 2016-02-17 13:31:47 UTC 
Verified using RHEL6.8 Client and RHEL7.2 IPA-Server
Verified using RHEL6.8 Client and RHEL6.8 IPA-Server

ipa-server-3.0.0-50.el6.x86_64
sssd-1.13.3-15.el6.x86_64
ipa-client-3.0.0-50.el6.x86_64

===IPA Server===
[root@host2 ~]# ipa user-show ipauser1
User login: ipauser1
First name: ipauser1
Last name: test
Home directory: /home/ipauser1
Login shell: /bin/sh
Email address: ipauser1
UID: 1824400012
GID: 1824400012
Account disabled: False
Password: False
Member of groups: group1, group2, ipausers
Kerberos keys available: False

[root@host2 ~]# id ipauser1
uid=1824400012(ipauser1) gid=1824400012(ipauser1) groups=1824400012(ipauser1)

===IPA-Client===
[root@r68client ~]# id ipauser1
uid=1824400012(useripa1) gid=1824400012(ipauser1) groups=1824400012(ipauser1),11111(sales),22222(finance)
Comment 12 Sudhir Menon 2016-02-17 13:35:36 UTC 
Groups are IPA Posix groups.

[root@host2 ~]# id ipauser1
uid=1824400012(ipauser1) gid=1824400012(ipauser1) groups=1824400012(ipauser1),11111(sales),22222(finance)

[root@r68client ~]# id ipauser1
uid=1824400012(useripa1) gid=1824400012(ipauser1) groups=1824400012(ipauser1),11111(sales),22222(finance)
Comment 14 errata-xmlrpc 2016-05-10 20:22:46 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0782.html