Bug 1310664

Summary: [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid
Product: Fedora
Reporter: Alexander Bokovoy <abokovoy>
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: high
Version: 23
CC: abokovoy, grajaiya, jhrozek, lslebodn, mkosek, mzidek, pbrezina, preichl, pvoborni, rharwood, sbose, sgoveas, ssorce
Keywords: FutureFeature
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.13.3-5.fc23 sssd-1.13.3-5.fc22
Doc Type: Enhancement
Clone Of: 1300740
Last Closed: 2016-03-02 01:51:15 UTC
Bug Depends On: 1300740

Description Alexander Bokovoy 2016-02-22 13:00:49 UTC
+++ This bug was initially created as a clone of Bug #1300740 +++

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2522

Handling group memberships of AD users from a trusted domain has a bit of a history. In the original design the group memberships were taken from the PAC. This meant that group-membership information was only available after a user logged in to a specific host, and only on this host. To allow AD users to be members of IPA groups, the IPA KDC added the SIDs of IPA groups of which the AD user is a member into the PAC for this user.

Over time there were requests to let the 'id' command line utility show the full list of groups even for AD users who are not logged in. Support for this was added recently in SSSD's IPA provider and on the FreeIPA server side.

If the SSSD cache entry of an IPA group with external members expires, SSSD looks up the group members in the IPA LDAP server, but since external memberships are not handled as local IPA members (RFC2307bis), the external members are not found and would be removed from the cache. #2492 mitigates this by making sure that members from different domains are not removed from the cache. Nevertheless it would be better to enhance the group lookup code for IPA groups in a way that it can resolve external members on its own.

Since this is IPA specific, the changes should be made in the IPA provider to avoid regressions in the common LDAP group lookup code. On the other hand, redundant LDAP requests should be avoided. A plugin scheme with a list of additional member attributes and a tevent request to resolve the additional member attributes might be a way to cover both requirements, because the additional attributes can be requested in the same LDAP request as the plain RFC2307bis members, and changes to the common group lookup code can be kept very localized and will only be executed if the plugin is available.
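The following is an added illustration, not SSSD code from this ticket or its patches: it models an IPA group cache refresh that, in one lookup, reads both the RFC2307bis "member" attribute and the additional external-member attribute and resolves the external SIDs through the trusted domain, next to the naive refresh that only follows "member" and so loses the external members. The attribute name ipaExternalMember is taken from the FreeIPA schema; the group entry, SIDs, and trusted-domain mapping are constructed sample data, and the SID lookup stands in for what SSSD would do through the trust.

```python
# Added example (not SSSD code): IPA group refresh with and without
# resolving external members. All entries and SIDs below are constructed.

# Constructed LDAP entry for an IPA group, as returned by a single search
# that requests both "member" and "ipaExternalMember" (FreeIPA schema).
IPA_GROUP_ENTRY = {
    "cn": ["admins-ext"],
    "gidNumber": ["1230000005"],
    "member": [
        "uid=alice,cn=users,cn=accounts,dc=ipa,dc=example,dc=com",
    ],
    "ipaExternalMember": [
        "S-1-5-21-1111111111-2222222222-3333333333-1105",
        "S-1-5-21-1111111111-2222222222-3333333333-512",
    ],
}

# Constructed view of the trusted AD domain: SID -> fully qualified name.
# This stands in for the SID resolution SSSD performs through the trust.
TRUSTED_DOMAIN_SIDS = {
    "S-1-5-21-1111111111-2222222222-3333333333-1105": "bob@ad.example.com",
    "S-1-5-21-1111111111-2222222222-3333333333-512": "domain admins@ad.example.com",
}

def local_members(entry):
    """Map RFC2307bis 'member' DNs to IPA user names (the uid RDN value)."""
    names = []
    for dn in entry.get("member", []):
        attr, _, value = dn.split(",", 1)[0].partition("=")
        if attr.strip().lower() == "uid":
            names.append(value.strip())
    return names

def external_members(entry, sid_resolver):
    """Resolve ipaExternalMember SIDs via the trusted domain; unknown SIDs are skipped."""
    sids = entry.get("ipaExternalMember", [])
    return [sid_resolver[sid] for sid in sids if sid in sid_resolver]

def refresh_group_naive(entry):
    """Refresh that follows only 'member': external members drop out of the cache."""
    return {"name": entry["cn"][0], "gid": int(entry["gidNumber"][0]),
            "members": sorted(local_members(entry))}

def refresh_group_with_external(entry, sid_resolver):
    """Refresh that also resolves the external attribute from the same lookup."""
    members = local_members(entry) + external_members(entry, sid_resolver)
    return {"name": entry["cn"][0], "gid": int(entry["gidNumber"][0]),
            "members": sorted(members)}
```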

Comment 1 Alexander Bokovoy 2016-02-22 13:01:46 UTC
Cloned RHEL7 RFE to Fedora as it is required to backport patches Jakub developed as part of ticket 2522.

Comment 2 Lukas Slebodnik 2016-02-22 13:16:17 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2522

Comment 3 Jakub Hrozek 2016-02-24 13:15:27 UTC
Upstream patches:
    master:
        3cf7fdfcaedb986f42a6640e26aa057007b64045
        e2d96566aeb881bd89e5c9236d663f6a9a88019a
        c32266e79f9d4bebd0c31eaa8d6fa26050e7fb3e 
    sssd-1-13:
        7db3bdfd6b1b845866c1ff062d25de5804141e89
        00ee45423f0712b83926c6f8b354a1a18ff741c8
        19194cb18a1cc20f02423861dd831aa5bc3a1003

Comment 4 Fedora Update System 2016-02-25 14:36:17 UTC
sssd-1.13.3-5.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-d872920f74

Comment 5 Fedora Update System 2016-02-25 14:36:42 UTC
sssd-1.13.3-5.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-37a285ae63

Comment 6 Fedora Update System 2016-02-26 20:51:54 UTC
sssd-1.13.3-5.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-37a285ae63

Comment 7 Fedora Update System 2016-02-26 20:52:53 UTC
sssd-1.13.3-5.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-d872920f74

Comment 8 Fedora Update System 2016-03-02 01:51:08 UTC
sssd-1.13.3-5.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2016-03-05 22:49:44 UTC
sssd-1.13.3-5.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.