Bug 1263587

Summary: sss_override --name doesn't work with RFC2307 and ghost users
Product: Red Hat Enterprise Linux 7
Component: sssd
Version: 7.0
Reporter: Jakub Hrozek <jhrozek>
Assignee: Pavel Březina <pbrezina>
QA Contact: Kaushik Banerjee <kbanerje>
CC: apeetham, grajaiya, jgalipea, jhrozek, lslebodn, mkosek, mzidek, pbrezina, preichl, sgoveas, tlavigne
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.13.0-29.el7
Doc Type: Bug Fix
Last Closed: 2015-11-19 11:40:33 UTC

Description Jakub Hrozek 2015-09-16 08:58:20 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2790

I found out that we have issues when we override name in RFC2307 schema:
{{{
    jhrozek@hendrix ~ » sudo sss_cache -U  1 ↵
    [sudo] password for jhrozek:
    jhrozek@hendrix ~ » id user
    uid=12555(user) gid=12555(user) groups=12555(user),5801(secondary)
    jhrozek@hendrix ~ » sudo sss_cache -U
    jhrozek@hendrix ~ » sudo sss_override --help
    sudo: sss_override: command not found
    jhrozek@hendrix ~ » sudo sss_override --help  1 ↵
    sudo: sss_override: command not found
    jhrozek@hendrix ~ » sudo sss_override --help  1 ↵
    ldb: unable to dlopen /usr/lib64/ldb/modules/ldb/memberof.la : /usr/lib64/ldb/modules/ldb/memberof.la: invalid ELF header
    Usage:
    sss_override COMMAND COMMAND-ARGS
     
    Available commands:
    * user-add
    * user-del
    * user-import
    * user-export
    * group-add
    * group-del
    * group-import
    * group-export
     
    Common options:
      --debug=INT            Enable debug at level
    jhrozek@hendrix ~ » sudo sss_cache -U  1 ↵
    ldb: unable to dlopen /usr/lib64/ldb/modules/ldb/memberof.la : /usr/lib64/ldb/modules/ldb/memberof.la: invalid ELF header
    jhrozek@hendrix ~ » id user                    
    uid=12555(user) gid=12555(user) groups=12555(user),5801(secondary)
    jhrozek@hendrix ~ » sudo sss_override user-add --help
    ldb: unable to dlopen /usr/lib64/ldb/modules/ldb/memberof.la : /usr/lib64/ldb/modules/ldb/memberof.la: invalid ELF header
    Usage: sss_override user-add NAME [OPTIONS...]
      -n, --name=STRING      Override name
      -u, --uid=INT          Override uid (non-zero value)
      -g, --gid=INT          Override gid (non-zero value)
      -h, --home=STRING      Override home directory
      -s, --shell=STRING     Override shell
      -c, --gecos=STRING     Override gecos
     
    Help options:
      -?, --help             Show this help message
          --usage            Display brief usage message
    jhrozek@hendrix ~ » sudo sss_override user-add --name=big_boss user
    ldb: unable to dlopen /usr/lib64/ldb/modules/ldb/memberof.la : /usr/lib64/ldb/modules/ldb/memberof.la: invalid ELF header
    SSSD needs to be restarted for the changes to take effect.
    jhrozek@hendrix ~ » sudo systemctl restart sssd
    Warning: sssd.service changed on disk. Run 'systemctl daemon-reload' to reload units.
    jhrozek@hendrix ~ » sudo sss_cache -U                            
    ldb: unable to dlopen /usr/lib64/ldb/modules/ldb/memberof.la : /usr/lib64/ldb/modules/ldb/memberof.la: invalid ELF header
    jhrozek@hendrix ~ » id user                                        
    uid=12555(big_boss) gid=12555(user) groups=12555(user),5801
    jhrozek@hendrix ~ » id big_boss
    uid=12555(big_boss) gid=12555(user) groups=12555(user),5801
    jhrozek@hendrix ~ »
}}}

The secondary group doesn't resolve anymore.

Comment 1 Jakub Hrozek 2015-09-18 11:30:41 UTC
Fixed upstream:
    * 87e0dcaff945f8b8f30030309e16ba26935fcb7b
    * d5e26a3ec3fa1f217f0afd045a03b29d4f88fe1d
    * 9571c9ba5ee7f8aad24e9dec6c44ce21688fa044

Comment 3 Amith 2015-10-01 09:23:54 UTC
Verified the bug on SSSD Version: sssd-1.13.0-36.el7.x86_64

Steps followed during verification:

1. Create an rfc2307 user with a primary and secondary group.

2. Run the following commands and look for possible errors:

# id rfcUser
uid=2307(rfcUser) gid=2307(rfcGrp) groups=2307(rfcGrp),2308(secGrp)

# sss_override user-add --help
Usage: sss_override user-add NAME [OPTIONS...]
  -n, --name=STRING      Override name
  -u, --uid=INT          Override uid (non-zero value)
  -g, --gid=INT          Override gid (non-zero value)
  -h, --home=STRING      Override home directory
  -s, --shell=STRING     Override shell
  -c, --gecos=STRING     Override gecos

Help options:
  -?, --help             Show this help message
  --usage                Display brief usage message


# sss_override user-add rfcUser --name=big_boss
SSSD needs to be restarted for the changes to take effect.

# systemctl restart sssd

# sss_cache -U

3. Verify whether the secondary group gets resolved or not.

# id rfcUser
uid=2307(big_boss) gid=2307(rfcGrp) groups=2307(rfcGrp),2308(secGrp)

# id big_boss
uid=2307(big_boss) gid=2307(rfcGrp) groups=2307(rfcGrp),2308(secGrp)

# sss_override user-del rfcUser

# id rfcUser
uid=2307(big_boss) gid=2307(rfcGrp) groups=2307(rfcGrp),2308(secGrp)

# systemctl restart sssd

# id rfcUser
uid=2307(rfcUser) gid=2307(rfcGrp) groups=2307(rfcGrp),2308(secGrp)

# id big_boss
id: big_boss: no such user

Result: With the latest build, secondary group gets resolved and bug is fixed.
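
The check performed by eye in the transcripts above, as a script. This is an added example, not part of the original bug report or of SSSD: it parses `id` output taken before and after an override, flags any entry in `groups=` that has lost its name, and confirms the GID set did not change. The function names are hypothetical; the sample lines are the `id` outputs quoted in this report.

```shell
#!/bin/sh
# Added example: detect the symptom from this report in `id` output.
# Sample lines are copied from the transcripts in this bug report.
BEFORE_BUG='uid=12555(user) gid=12555(user) groups=12555(user),5801(secondary)'
AFTER_BUG='uid=12555(big_boss) gid=12555(user) groups=12555(user),5801'
BEFORE_FIXED='uid=2307(rfcUser) gid=2307(rfcGrp) groups=2307(rfcGrp),2308(secGrp)'
AFTER_FIXED='uid=2307(big_boss) gid=2307(rfcGrp) groups=2307(rfcGrp),2308(secGrp)'

# Print the entries of the groups= field of one `id` line, one per line.
# A trailing SELinux " context=..." field is dropped; group names that
# contain spaces are kept intact because only commas separate entries.
id_groups() {
    printf '%s\n' "$1" |
        sed -n '/groups=/{s/.*groups=//;s/ context=.*//;p;}' |
        tr ',' '\n'
}

# Print every GID in groups= that is a bare number, i.e. has no "(name)".
unresolved_gids() {
    id_groups "$1" | grep -E '^[0-9]+$' || true
}

# Print the numerically sorted GID set with the names stripped.
gid_set() {
    id_groups "$1" | sed 's/(.*//' | sort -n | tr '\n' ' '
}

# Succeed only if the override left group membership unchanged
# and every group in the "after" line still resolves to a name.
override_ok() {
    before=$1
    after=$2
    [ "$(gid_set "$before")" = "$(gid_set "$after")" ] || return 1
    [ -z "$(unresolved_gids "$after")" ]
}

for pair in BUG FIXED; do
    eval "b=\$BEFORE_$pair; a=\$AFTER_$pair"
    if override_ok "$b" "$a"; then
        echo "$pair: all secondary groups resolve"
    else
        echo "$pair: unresolved GIDs: $(unresolved_gids "$a")"
    fi
done
```

On a live system, capture `id NAME` before `sss_override user-add` and again after the SSSD restart and cache flush, then pass both lines to `override_ok`.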

Comment 4 errata-xmlrpc 2015-11-19 11:40:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2355.html