Bug 1746878
| Summary: | Let IPA client read IPA objects via LDAP and not via extdom plugin when resolving trusted users and groups | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Sumit Bose <sbose> |
| Component: | sssd | Assignee: | Sumit Bose <sbose> |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.7 | CC: | amore, frenaud, grajaiya, jhrozek, kludhwan, ksiddiqu, lslebodn, mzidek, ndehadra, pbrezina, sgoveas, sorlov, ssidhaye, striker, tscherf |
| Target Milestone: | rc | Keywords: | TestCaseProvided |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | sync-to-jira | | |
| Fixed In Version: | sssd-1.16.4-31 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-03-31 19:44:37 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Sumit Bose
2019-08-29 12:23:59 UTC
Upstream ticket: https://pagure.io/SSSD/sssd/issue/4073

sssd-1-16:
- fbd38903a3c4985e560e6c670ead84597982242e

Hi Sumit,

Please provide steps for reproducing original issue and verifying the fix.

With given steps in comment # 10

Using older version: sssd-1.16.2-13.el7_6.8.x86_64
Using latest version: sssd-1.16.4-35.el7.x86_64

```
---------------------on ipa-server--------------------------------------------------------
[root@master ~]# ipa user-add --first=first --last=last --noprivate --uid=100996 --gidnumber=100996 ipatest24276
-------------------------
Added user "ipatest24276"
-------------------------
User login: ipatest24276
First name: first
Last name: last
Full name: first last
Display name: first last
Initials: fl
Home directory: /home/ipatest24276
GECOS: first last
Login shell: /bin/sh
Principal name: ipatest24276
Principal alias: ipatest24276
Email address: ipatest24276
UID: 100996
GID: 100996
Password: False
Member of groups: ipausers
Kerberos keys available: False
[root@master ~]# ipa group-add --gid 100996 ipatest24276
--------------------------
Added group "ipatest24276"
--------------------------
Group name: ipatest24276
GID: 100996
[root@master ~]# ipa group-add --external ext-ipatest24276
------------------------------
Added group "ext-ipatest24276"
------------------------------
Group name: ext-ipatest24276
[root@master ~]# ipa group-add-member --group=ext-ipatest24276 ipatest24276
Group name: ipatest24276
GID: 100996
Member groups: ext-ipatest24276
-------------------------
Number of members added 1
-------------------------
[root@master ~]# ipa group-add-member --external=aduser1 ext-ipatest24276
[member user]:
[member group]:
Group name: ext-ipatest24276
External member: S-1-5-21-2842256260-195550463-1751006347-1109
Member of groups: ipatest24276
-------------------------
Number of members added 1
-------------------------
[root@master ~]# id ipatest24276
uid=100996(ipatest24276) gid=100996(ipatest24276) groups=100996(ipatest24276)
[root@master ~]# getent group ipatest24276
ipatest24276:*:100996:aduser1
[root@master ~]# sss_cache -E
[root@master ~]# date; service sssd stop ; rm -rf /var/log/sssd/* ; rm -rf /var/lib/sss/db/* ; service sssd start
Wed Dec 11 05:27:33 EST 2019
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
[root@master ~]# rpm -qa sssd
sssd-1.16.2-13.el7_6.8.x86_64
```

```
---------------------on ipa-client--------------------------------------------------------
[root@client ~]# sss_cache -E
[root@client ~]# date; service sssd stop ; rm -rf /var/log/sssd/* ; rm -rf /var/lib/sss/db/* ; service sssd start
Wed Dec 11 05:27:59 EST 2019
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
[root@client ~]#
[root@client ~]# date ; id aduser1
Wed Dec 11 05:28:12 EST 2019
uid=879001109(aduser1) gid=879001109(aduser1) groups=879001109(aduser1),879001115(adunigroup1),879001113(adgroup1),879001114(adgroup2)
[root@client ~]# rpm -qa sssd
sssd-1.16.2-13.el7_6.8.x86_64
---------------------------------------------------------------------------------------------
```

On latest version of sssd

```
[root@client ~]# sss_cache -E
[root@client ~]# date; service sssd stop ; rm -rf /var/log/sssd/* ; rm -rf /var/lib/sss/db/* ; service sssd start
Wed Dec 11 05:11:48 EST 2019
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
[root@client ~]#
[root@client ~]# date ; id aduser1
Wed Dec 11 05:12:10 EST 2019
uid=879001109(aduser1) gid=879001109(aduser1) groups=879001109(aduser1),879001115(adunigroup1),879001113(adgroup1),879001114(adgroup2),100995(ipatest24278),879000513(domain users)
[root@client ~]# id aduser1 | grep ipatest
uid=879001109(aduser1) gid=879001109(aduser1) groups=879001109(aduser1),879001115(adunigroup1),879001113(adgroup1),879001114(adgroup2),100995(ipatest24278),879000513(domain users)
[root@client ~]#
[root@client ~]# rpm -qa sssd
sssd-1.16.4-35.el7.x86_64
[root@client ~]#
```

The only group is not retrieved from id command for aduser in older version of sssd.

Hi Sumit, will you clarify the steps are correct, or what is expected: user should be retrieved or user with group should be retrieved.

Hi,

thanks, steps are looking good, you can mark the ticket as Verified.

bye,
Sumit

Btw, the output on the older version might vary depending on cache content and lookup order, important is that the group is missing.

bye,
Sumit

Based on comment # 13 marking bz as verified.

*** Bug 1720674 has been marked as a duplicate of this bug. ***

Test added upstream in IPA workspace:

master:
- b2ab286 ipatests: User and group with same name should not break reading AD user data.
- 6018cca Mark test to skip sssd-2.2.2

ipa-4-8:
- c3053e2 ipatests: User and group with same name should not break reading AD user data.
- a992263 Mark test to skip sssd-2.2.2

ipa-4-7:
- 7c452d7 ipatests: User and group with same name should not break reading AD user data.
- 2ea0a1d Mark test to skip sssd-2.2.0 [sssd/issue/4073]

ipa-4-6:
- 4ca75cf ipatests: User and group with same name should not break reading AD user data.
- edbf8f7 Mark test to skip sssd-1.16.3 [sssd/issue/4073]

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1053

*** Bug 1907714 has been marked as a duplicate of this bug. ***