Bug 1514061
Summary: | ID override GID from Default Trust View is not properly resolved in case domain resolution order is set | ||||||
---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Thorsten Scherf <tscherf> | ||||
Component: | sssd | Assignee: | Fabiano Fidêncio <fidencio> | ||||
Status: | CLOSED ERRATA | QA Contact: | Ganna Kaihorodova <gkaihoro> | ||||
Severity: | medium | Docs Contact: | |||||
Priority: | medium | ||||||
Version: | 7.4 | CC: | fidencio, gkaihoro, grajaiya, jhrozek, lslebodn, mkosek, mpanaous, mzidek, ndehadra, pbrezina, sbose, sgoveas, tscherf | ||||
Target Milestone: | rc | ||||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | sssd-1.16.2-1.el7 | Doc Type: | If docs needed, set a value | ||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2018-10-30 10:40:47 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Attachments: |
|
Description
Thorsten Scherf
2017-11-16 15:15:26 UTC
Firstly, thanks for the well explained bug report and for providing a machine where I could dig into the issue. If I understand correctly you explicitly have two groups with the very same gid (732000006), one in each domain (windows.mylab.local and linux.mylab.local). So, when you run `id userad.local` it'll trigger a "Group by ID" request, which will use the first available domain in the request and depending on the domain resolution order you'll end up with 732000006.local and 732000006.local, thus the different results. The cache_req code is doing exactly what's expected from it, looking up in the first found domain. I'd say that the solution would be to avoid having two groups with the very same gid in the different domains. Jakub, would you suggest something different here? (In reply to Fabiano Fidêncio from comment #1) > Firstly, thanks for the well explained bug report and for providing a > machine where I could dig into the issue. > > If I understand correctly you explicitly have two groups with the very same > gid (732000006), one in each domain (windows.mylab.local and > linux.mylab.local). > > So, when you run `id userad.local` it'll trigger a "Group by > ID" request, which will use the first available domain in the request and > depending on the domain resolution order you'll end up with > 732000006.local and 732000006.local, thus the > different results. > > The cache_req code is doing exactly what's expected from it, looking up in > the first found domain. I'd say that the solution would be to avoid having > two groups with the very same gid in the different domains. > > Jakub, would you suggest something different here? Yes, that's also how I would explain this. I think the expectation from the customer might be based on "id" being a seemingly atomic operation which is confined to the windows.mylab.local domain, but in fact, calling 'id' first internally calls getgrouplist() which just returns a list of unqalified GIDs. The GIDs are then translated into names as you said. So I agree it is not a bug. (In reply to Fabiano Fidêncio from comment #1) > If I understand correctly you explicitly have two groups with the very same > gid (732000006), one in each domain (windows.mylab.local and > linux.mylab.local). No. There is only the group 'ad_admins' in the IdM domain that has the gid 732000006. There are no posix attributes used in the AD domain at all. But remember, the ID override from the Default Trust View changes the gid of an AD user ('aduser') to 732000006. Upstream ticket: https://pagure.io/SSSD/sssd/issue/3595 master: cf4f5e0 Created attachment 1477106 [details]
Logs of manual verification
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:3158 |