Bug 1311569
| Summary: | [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jan Kurik <jkurik> |
| Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Steeve Goveas <sgoveas> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.3 | CC: | ekeck, enewland, grajaiya, jhrozek, ksiddiqu, lslebodn, mkosek, mniranja, mzidek, nsoman, orion, pbrezina, preichl, pvoborni, sumenon |
| Target Milestone: | rc | Keywords: | FutureFeature, ZStream |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | sssd-1.13.0-40.el7_2.2 | Doc Type: | Bug Fix |
| Doc Text: | Previously, when an Active Directory (AD) user or group was added to an Identity Management (IdM) group using an external IdM group, IdM was unable to resolve the AD user or group before they logged into IdM. With this update, IdM retrieves AD users and groups during group lookups as expected. Additionally, AD members of IdM groups are now successfully resolved. Note that this update allows the slapi-nis Directory Server (DS) plug-in to populate AD group members of IdM groups in the compatibility tree, thus enabling functionality such as group-based sudo rules assignment on legacy clients. | Story Points: | --- |
| Clone Of: | 1300740 | Environment: | |
| Last Closed: | 2016-03-31 20:49:32 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1300740 | ||
| Bug Blocks: | |||
Description
Jan Kurik
2016-02-24 13:31:27 UTC
Verified using
ipa-server-4.2.0-15.el7_2.10.x86_64
sssd-1.13.0-40.el7_2.2.x86_64

```
[root@host2 ~]# ipa group-add test
------------------
Added group "test"
------------------
Group name: test
GID: 1539600006

[root@host2 ~]# ipa group-add --desc='external group' ext_grp --external
---------------------
Added group "ext_grp"
---------------------
Group name: ext_grp
Description: external group

[root@host2 ~]# ipa group-add-member ext_grp --external "PNE.QE\group1"
[member user]:
[member group]:
Group name: ext_grp
Description: external group
External member: S-1-5-21-2828791737-1866347024-3967946728-1739
-------------------------
Number of members added 1
-------------------------

[root@host2 ~]# ipa group-add-member test
[member user]:
[member group]: ext_grp
Group name: test
GID: 1539600006
Member groups: ext_grp
-------------------------
Number of members added 1

[root@host2 ~]# id user1
uid=760201737(user1) gid=760201737(user1) groups=760201737(user1),760200513(domain users),760201739(group1),1539600006(test) <---

[root@host2 ~]# id user2
uid=760201738(user2) gid=760201738(user2) groups=760201738(user2),760200513(domain users),760201739(group1),1539600006(test) <---

[root@host2 ~]# getent group group1
group1:*:760201739:user1,user2
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0552.html