Bug 1270827
Summary: | local overrides: don't contact server with overridden name/id | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Jakub Hrozek <jhrozek> |
Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> |
Status: | CLOSED ERRATA | QA Contact: | Kaushik Banerjee <kbanerje> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 7.0 | CC: | dlavu, grajaiya, jgalipea, jhrozek, lmiksik, lslebodn, mkosek, mzidek, pbrezina, preichl, sgoveas |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | sssd-1.13.0-40.el7 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2015-11-19 11:41:06 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Jakub Hrozek
2015-10-12 13:18:57 UTC
During a tmate session, Pavel showed me the simplest steps to reproduce: 0) Connect SSSD with LDAP back end 1) remove caches: # rm -f /var/lib/sss/db/cache_* /var/lib/sss/mc/* 2) service sssd start 3) add override without calling id first: # sss_override user-add $orig_name -n $alias 4) retrieve overriden name: # id $alias With the unpatched packages, the id wouldn't show any supplemental groups (=initgroups will fail). With the patched packages, all supplemental groups will be shown for the overriden name. Yes this is a problem only the primary groups are present in the AD provider as well. Redirecting to /bin/systemctl start sssd.service [root@test db]# sss_override user-add -n dlavu123 dlavu SSSD needs to be restarted for the changes to take effect. [root@test db]# service sssd restart Redirecting to /bin/systemctl restart sssd.service [root@test db]# id dlavu123 uid=768001104(dlavu123) gid=768000513(domain users) groups=768000513(domain users) Fixed upstream: master: 2f793681b4debbe015815f908dc12c0463711609 51a0e3a2ef9186d19cbc28d87fe6fc5d5998a0a7 fb8985a3a3a267940760967beaf8af3979ce91ea sssd-1-13: 2a5c268f66844a65447a814fd48644768238b307 6e3fa032485e8a107d32c6f4978b4dead6118114 329ea3541799d2abb5f0cdb73c24153b9892148b Verified against sssd-1.13.0-40.el7.x86_64 [root@test x86_64]# getent passwd dlavu123 dlavu123:*:768001104:768000513:Dan Lavu:/home/dlavu123:/bin/bash [root@test x86_64]# id dlavu123 uid=768001104(dlavu123) gid=768000513(domain users) groups=768000513(domain users),768000572(denied rodc password replication group),768000518(schema admins),768000519(enterprise admins),768000520(group policy creator owners),768000512(domain admins) All groups are listed. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-2355.html |