Bug 1250111

Summary: User lifecycle - preserved users can be assigned membership
Product: Red Hat Enterprise Linux 7
Component: ipa
Version: 7.2
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Jan Cholasta <jcholast>
Assignee: IPA Maintainers <ipa-maint>
QA Contact: Namita Soman <nsoman>
CC: akasurde, ksiddiqu, mbasti, rcritten
Target Milestone: rc
Fixed In Version: ipa-4.2.0-5.el7
Doc Type: Bug Fix
Last Closed: 2015-11-19 12:04:57 UTC
Attachments: user_del_group_add

Description Jan Cholasta 2015-08-04 14:23:01 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5170

In the user plugin, preserved users can be assigned membership, even though they are not supposed to work with membership information. Moreover, when a membership is assigned to a preserved user and then the user is activated, the membership information persists for the active entry.

'''Steps to reproduce:'''

'''1. create a group and a user'''

{{{
$ ipa group-add tgroup
$ ipa user-add tuser --first test --last user
}}}

'''2. delete the user with --preserve option'''

{{{
$ ipa user-del tuser --preserve
}}}


'''3. assign membership to the preserved user'''

{{{
$ ipa group-add-member tgroup --users tuser
}}}

Expected result: should not add the user to the group

Actual result: the user is added to the group:

{{{
  Group name: tgroup
  GID: 280206353
-------------------------
Number of members added 1
-------------------------
}}}

Even though the results of the group-show and user-show commands do not list 'tuser' as a member of 'tgroup', the membership was apparently added:

{{{
$ ipa group-show tgroup
  Group name: tgroup
  GID: 280206353

$ ipa user-show tuser
  User login: tuser
  First name: test
  Last name: user
  Home directory: /home/tuser
  Login shell: /bin/sh
  Email address: tuser.lab.eng.brq.redhat.com
  UID: 280206355
  GID: 280206355
  Account disabled: True
  Preserved user: True
  Password: False
  Kerberos keys available: False
}}}

'''4. activate the preserved entry'''

{{{
$ ipa user-undel tuser
}}}

Expected result: user is now active and has only 'ipausers' membership

Actual result: user is active and has 'ipausers' and ''''tgroup'''' membership:
{{{
$ ipa user-show tuser
  User login: tuser
  First name: test
  Last name: user
  Home directory: /home/tuser
  Login shell: /bin/sh
  Email address: tuser.lab.eng.brq.redhat.com
  UID: 280206355
  GID: 280206355
  Account disabled: False
  Password: False
  Member of groups: tgroup, ipausers
  Kerberos keys available: False

$ ipa group-show tgroup
  Group name: tgroup
  GID: 280206353
  Member users: tuser
}}}

'''Note:''' The membership added to the preserved entry can also be removed using 'group-remove-member'
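
An audit for memberships left on preserved entries, which `group-show` hides as shown above. This is an added example, not part of the original report or of FreeIPA's code. It scans the LDIF of the group subtree (for example from `ldapsearch`) and assumes that preserved users live under `cn=deleted users,cn=accounts,cn=provisioning` and that the stray `member` value points there; the suffix and entries in the sample are constructed.

```python
import base64

# Assumption (not on the page): FreeIPA keeps preserved entries under this
# container, so a member DN below it is a preserved user.
PRESERVED_CONTAINER = "cn=deleted users,cn=accounts,cn=provisioning"

# Constructed sample of LDIF output; suffix dc=example,dc=test is made up.
SAMPLE_LDIF = """\
dn: cn=tgroup,cn=groups,cn=accounts,dc=example,dc=test
member: uid=tuser,cn=deleted users,cn=accounts,cn=provisioning,dc=example,
 dc=test
member: uid=alice,cn=users,cn=accounts,dc=example,dc=test

dn: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
member: uid=alice,cn=users,cn=accounts,dc=example,dc=test
"""

def unfold(ldif):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_value(line):
    """Split 'attr: value' or base64-encoded 'attr:: value' into (attr, value)."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr.lower(), base64.b64decode(rest[1:].strip()).decode("utf-8")
    return attr.lower(), rest.strip()

def preserved_members(ldif):
    """Return sorted (group_dn, member_dn) pairs whose member is a preserved entry."""
    findings, group_dn = [], None
    for line in unfold(ldif):
        if not line:
            group_dn = None  # a blank line ends the current entry
        elif not line.startswith("#"):  # skip LDIF comment lines
            attr, value = parse_value(line)
            # Naive DN normalisation: lower-case, trim around commas (no escaped commas).
            dn = ",".join(p.strip() for p in value.lower().split(","))
            if attr == "dn":
                group_dn = value
            elif attr == "member" and group_dn and f",{PRESERVED_CONTAINER}," in dn + ",":
                findings.append((group_dn, value))
    return sorted(findings)
```

Any pair returned is a membership that would become active on `user-undel`; on a fixed server the list should be empty.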

Comment 3 Abhijeet Kasurde 2015-09-14 07:28:30 UTC
Created attachment 1073088
user_del_group_add

Comment 4 Abhijeet Kasurde 2015-09-14 08:16:11 UTC
Verified the fix, marking bug as verified.

Comment 5 errata-xmlrpc 2015-11-19 12:04:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html