Bug 1304992
| Field | Value |
|---|---|
| Summary | Handle overridden name of members in the memberUid attribute |
| Product | Red Hat Enterprise Linux 7 |
| Component | sssd |
| Reporter | Jakub Hrozek <jhrozek> |
| Assignee | SSSD Maintainers <sssd-maint> |
| QA Contact | Steeve Goveas <sgoveas> |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | 7.3 |
| CC | fsollami, grajaiya, jhrozek, kcleveng, ksiddiqu, lslebodn, mkosek, mzidek, pbrezina, sssd-maint, sumenon |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | sssd-1.14.0-14.el7 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2016-11-04 07:15:50 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 1366569 |

Description
Jakub Hrozek
2016-02-05 09:16:16 UTC
Upstream didn't completely fix this bug and since there is no downstream customer case attached, I think it's fine to wait until 7.4

* master:
  * f2e8a7c3230fac11175c0bd17c14c66a8e9b25ad
  * 160ba891ec483c5b7d2a3fcca5bd992fc790efe0
  * 17bfd9f69251781140e4b2b55ffeb649d7a79e86
  * 1594701fbdc341069e11cff9a85e7a795e52db3d

Tested using
sssd-1.14.0-18.el7.x86_64
ipa-server-4.4.0-7.el7.x86_64

Observations: Although the id command displays the overridden login name, but getent group returns the actual user name e.g test2 instead of test22. Attaching the sssd logs for the test.

Verified using the below steps
1. Create trust with windows AD.
2. User test2 is a member of sales group in Windows AD
3. Now run id command on ipa-server

[root@master sssd]# id test2
uid=558001486(test2) gid=558001486(test2) groups=558001486(test2)
[root@master sssd]# getent passwd test2
test2:*:558001486:558001486:test2:/home/pne.qe/test2:
[root@master sssd]# ipa idview-find
-----------------
1 ID View matched
-----------------
ID View Name: Default Trust View
Description: Default Trust View for AD users. Should not be deleted.
----------------------------
Number of entries returned 1
----------------------------
[root@master sssd]# ipa idoverrideuser-add
ID View Name: Default Trust View
Anchor to override: test2
-------------------------------------
Added User ID override "test2"
-------------------------------------
Anchor to override: test2
[root@master sssd]# ipa idoverrideuser-mod --login=test22
ID View Name: Default trust view
Anchor to override: test2
-------------------------------------------
Modified an User ID override "test2"
-------------------------------------------
Anchor to override: test2
User login: test22
[root@master sssd]# getent passwd test2
test22:*:558001486:558001486:test2:/home/pne.qe/test2:
[root@master sssd]# getent group sales
sales:*:558001488:test2

Created attachment 1190268
sssd log

Created attachment 1190269
sssd domain log

Created attachment 1190270
sssd nsss log

Found that the getent group on master/client show different result. Please note that 'service sssd stop ; rm -frv /var/lib/sss/{db,mc}/* ; service sssd start' was run on both master and client machines before running the command.

[root@master sssd]# getent group sales
sales:*:558001488:test2
[root@client ~]# getent group sales
sales:*:558001488:test22

Note:
After manually adding sss as lookup in nsswitch.conf file against initgroups, the correct results are shown.

===IPA Server===
[root@ipaserver sssd]# grep initgroups /etc/nsswitch.conf
initgroups: files sss
[root@ipaserver sssd]# id test2
uid=558001486(test22) gid=558001486(test22) groups=558001486(test22),558000513(domain users),558001488(sales)
[root@ipaserver sssd]# getent group sales
sales:*:558001488:test22

===IPA Client===
[root@client ~]# sss_cache -E
[root@client ~]# id test2
uid=558001486(test22) gid=558001486(test22) groups=558001486(test22),558000513(domain users),558001488(sales)
[root@client ~]# getent group sales
sales:*:558001488:test22

(In reply to Sudhir Menon from comment #15)
> Note:
> After manually adding sss as lookup in nsswitch.conf file against
> initgroups, the correct results are shown.
>
It is not expected to change nsswitch.conf
The line for initgroups is commented out as part of "authconfig --enablesssd --update"

ipa-client-install and realmd uses authconfig underneath.
So the nsswitch.conf should be properly configured

Lukas,
You meant to say that the fix is needed in authconfig and we shouldn't be making any changes in /etc/nsswitch.conf, right?

(In reply to Sudhir Menon from comment #17)
> Lukas,
> You meant to say that the fix is needed in authconfig and we shouldn't be
> making any changes in /etc/nsswitch.conf, right?

You can test authconfig with following steps
[root@b29b086114f1 /]# grep initgroups /etc/nsswitch.conf
initgroups: files
[root@b29b086114f1 /]# authconfig --enablesssd --update
[root@b29b086114f1 /]#
[root@b29b086114f1 /]# grep initgroups /etc/nsswitch.conf
#initgroups: files

If result is not the same then it's bug in authconfig. Otherwise there is a bug in ipa-{server,client}-install

[root@ipaserver sssd]# grep initgroups /etc/nsswitch.conf
initgroups: files
[root@ipaserver sssd]# authconfig --enablesssd --update
[root@ipaserver sssd]# grep initgroups /etc/nsswitch.conf
initgroups: files

(In reply to Lukas Slebodnik from comment #16)
> (In reply to Sudhir Menon from comment #15)
> > Note:
> > After manually adding sss as lookup in nsswitch.conf file against
> > initgroups, the correct results are shown.
> >
> It is not expected to change nsswitch.conf
> The line for initgroups is commented out as part of "authconfig --enablesssd
> --update"
>
> ipa-client-install and realmd uses authconfig underneath.
> So the nsswitch.conf should be properly configured

Please see https://bugzilla.redhat.com/show_bug.cgi?id=1366569

Since there is already #bz1366569 to address the issue related to sss entry against initgroups in nsswitch.conf file. Marking the bug Verified as per comment #15.

Verified using
sssd-1.14.0-18.el7.x86_64
ipa-server-4.4.0-7.el7.x86_64

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2476.html
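
The nsswitch.conf state discussed in the comments above, as an added example that is not part of the bug report, SSSD or authconfig: a shell function that reads an nsswitch.conf-style file and reports whether an active initgroups line omits sss. The function names and verdict strings are hypothetical, the sample file is constructed, and the fallback to the group line when no initgroups line is active is an assumption based on glibc's documented behaviour.

```shell
#!/bin/sh
# Added example: classify the initgroups entry of an nsswitch.conf-style file.
# Function names and verdict strings are hypothetical, not from any project.

# Print the service list of the first active entry for database $1 in file $2.
nss_services() {
    awk -v db="$1" '
        {
            sub(/#.*/, "")   # drop comments, so "#initgroups: files" is inactive
            sub(/:/, " ")    # tolerate "db:svc" written without whitespace
        }
        $1 == db { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$2"
}

# Report whether supplementary-group lookups in file $1 would consult sss.
check_initgroups() {
    init=$(nss_services initgroups "$1")
    group=$(nss_services group "$1")
    if [ -z "$init" ]; then
        # Assumption: with no active initgroups line, glibc uses the group line.
        case " $group " in
            *" sss "*) echo "ok: initgroups unset, group uses sss" ;;
            *)         echo "warn: initgroups unset and group lacks sss" ;;
        esac
        return 0
    fi
    case " $init " in
        *" sss "*) echo "ok: initgroups uses sss" ;;
        *)         echo "mismatch: initgroups is '$init' without sss" ;;
    esac
}

# Constructed sample matching the server-side state shown in the report:
# group lookups go through sss, but an active "initgroups: files" line remains.
sample=$(mktemp)
printf 'passwd: files sss\ngroup: files sss\ninitgroups: files\n' > "$sample"
check_initgroups "$sample"
rm -f "$sample"
```

Running `check_initgroups /etc/nsswitch.conf` on both the server and a client gives a quick comparison of the two hosts.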