Bug 1765246
| Summary: | Impossible to enforce GID on the AD's "domain users" group in the IPA-AD trust setup | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Ming Davies <minyu> |
| Component: | sssd | Assignee: | Pavel Březina <pbrezina> |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.7 | CC: | amore, atikhono, bthekkep, cprocter, grajaiya, jhrozek, lslebodn, mpanaous, mzidek, pbrezina, sgoveas, sorlov, thalman, tscherf |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | sync-to-jira | | |
| Fixed In Version: | sssd-1.16.5-1.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-09-29 19:49:11 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Ming Davies
2019-10-24 15:34:52 UTC
Upstream ticket: https://pagure.io/SSSD/sssd/issue/4124

The problem is that Domain Users is also user's primary group (primaryGroupID attribute is 513). This is then converted to linux gid (= 130800513) in sdap_get_idmap_primary_gid() during sdap_save_user() and returned as user's primary group in nss_protocol_fill_initgr(). Obviously, we should return overridden value (= 40000000) instead of original value (= 130800513).

Upstream PR: https://github.com/SSSD/sssd/pull/954

- master: 03bc962
- sssd-1-16: 80e6f71

Hello,

Apologies for late reply.

|| Do you still need RHEL8 scratch-build? If so please provide sssd package version customer is currently using.

--> Scratch build is not required. Customer is keeping track of bugzilla #1649464

Thanks,
Bijesh T.

Reproduced using comment #0 and comment #20:

sssd-1.16.4-21.el7_7.3.x86_64
ipa-server-4.6.5-11.el7_7.4.x86_64

```
[root@master ~]# rm -rf /var/lib/sss/{db,mc}/* ; systemctl restart sssd ; date
Mon Jun 22 09:11:28 EDT 2020
[root@master ~]# id testuser
uid=1864601108(testuser) gid=1864601108(testuser) groups=1864601108(testuser),1864600513(domain users),1864601111(testgroup)
[root@master ~]# date
Mon Jun 22 09:11:38 EDT 2020
[root@master ~]#
[root@master ~]# ipa idoverridegroup-add 'Default Trust View' "domain users" --gid=4000076
----------------------------------------------
Added Group ID override "domain users"
----------------------------------------------
  Anchor to override: domain users
  GID: 4000076
[root@master ~]# rm -rf /var/lib/sss/{db,mc}/* ; systemctl restart sssd ; date
Mon Jun 22 09:12:41 EDT 2020
[root@master ~]# id testuser ; date
uid=1864601108(testuser) gid=1864601108(testuser) groups=1864601108(testuser),4000076(domain users),1864601111(testgroup),1864600513
Mon Jun 22 09:12:48 EDT 2020
```

```
[root@client ~]# rm -rf /var/lib/sss/{db,mc}/* ; systemctl restart sssd; date
Mon Jun 22 09:11:48 EDT 2020
[root@client ~]# id testuser ; date
uid=1864601108(testuser) gid=1864601108(testuser) groups=1864601108(testuser),1864601111(testgroup),1864600513(domain users)
Mon Jun 22 09:11:54 EDT 2020
[root@client ~]# rm -rf /var/lib/sss/{db,mc}/* ; systemctl restart sssd; date
Mon Jun 22 09:13:00 EDT 2020
[root@client ~]# id testuser ; date
id: testuser: no such user
Mon Jun 22 09:13:05 EDT 2020
```

Verified using version:

sssd-1.16.5-10.el7.x86_64
ipa-client-4.6.8-5.el7.x86_64

```
[root@master ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start; date
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
Mon Jun 22 09:32:24 EDT 2020
[root@master ~]# id testuser ; date
uid=360801108(testuser) gid=360801108(testuser) groups=360801108(testuser),360800513(domain users),360801111(testgroup)
Mon Jun 22 09:32:30 EDT 2020
[root@master ~]#
[root@master ~]# ipa idoverridegroup-add 'Default Trust View' "domain users" --gid=4000079
----------------------------------------------
Added Group ID override "domain users"
----------------------------------------------
  Anchor to override: domain users
  GID: 4000079
[root@master ~]# rm -rf /var/lib/sss/{db,mc}/* ; systemctl restart sssd ; date
Mon Jun 22 09:33:27 EDT 2020
[root@master ~]# id testuser ; date
uid=360801108(testuser) gid=360801108(testuser) groups=360801108(testuser),4000079(domain users),360801111(testgroup)
Mon Jun 22 09:33:31 EDT 2020
```

```
[root@client ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start; date
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
Mon Jun 22 09:33:04 EDT 2020
[root@client ~]# id testuser ; date
uid=360801108(testuser) gid=360801108(testuser) groups=360801108(testuser),360801111(testgroup),360800513(domain users)
Mon Jun 22 09:33:12 EDT 2020
[root@client ~]#
[root@client ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start; date
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
Mon Jun 22 09:34:23 EDT 2020
[root@client ~]# id testuser ; date
uid=360801108(testuser) gid=360801108(testuser) groups=360801108(testuser),360801111(testgroup),4000079(domain users)
Mon Jun 22 09:34:28 EDT 2020
```

In fixed version only gid from idview is listed. Based on this marking bz as verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3904
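
A check for the symptom shown in the sessions above, as an added example that is not part of the bug report or of SSSD: it classifies one line of `id` output by whether the override GID replaced the original ID-mapped GID in the group list. The function names and status words are this example's own; the sample `id` lines are copied from the sessions in this report.

```shell
#!/bin/sh
# Added example: classify `id <user>` output against a group ID override.

# Print the numeric GIDs from the groups= field, one per line.
# Group names may contain spaces ("domain users"), so split on commas only.
groups_gids() {
    printf '%s\n' "$1" \
        | sed -n 's/.*groups=//p' \
        | tr ',' '\n' \
        | sed 's/(.*//'
}

# $1: line of `id` output  $2: original (ID-mapped) GID  $3: override GID
check_gid_override() {
    gids=$(groups_gids "$1")
    if [ -z "$gids" ]; then
        echo "lookup-failed"      # e.g. "id: testuser: no such user"
        return 0
    fi
    has_orig=no
    has_new=no
    printf '%s\n' "$gids" | grep -qxF "$2" && has_orig=yes
    printf '%s\n' "$gids" | grep -qxF "$3" && has_new=yes
    case "$has_new/$has_orig" in
        yes/no)  echo "ok" ;;              # only the override GID is listed
        yes/yes) echo "stale-original" ;;  # override applied, old GID still listed
        no/yes)  echo "not-applied" ;;     # override not visible yet
        *)       echo "neither" ;;
    esac
}

# Sample lines copied from the sessions in this report.
AFFECTED_MASTER='uid=1864601108(testuser) gid=1864601108(testuser) groups=1864601108(testuser),4000076(domain users),1864601111(testgroup),1864600513'
AFFECTED_CLIENT='id: testuser: no such user'
FIXED_MASTER='uid=360801108(testuser) gid=360801108(testuser) groups=360801108(testuser),4000079(domain users),360801111(testgroup)'
FIXED_CLIENT='uid=360801108(testuser) gid=360801108(testuser) groups=360801108(testuser),360801111(testgroup),4000079(domain users)'

echo "affected master: $(check_gid_override "$AFFECTED_MASTER" 1864600513 4000076)"
echo "affected client: $(check_gid_override "$AFFECTED_CLIENT" 1864600513 4000076)"
echo "fixed master:    $(check_gid_override "$FIXED_MASTER" 360800513 4000079)"
echo "fixed client:    $(check_gid_override "$FIXED_CLIENT" 360800513 4000079)"
```

On a live host the first argument would be `"$(id testuser 2>&1)"`, run after clearing the SSSD cache as in the sessions above.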