Bug 1782087

Summary: Removing an IPA sub-group should NOT remove the members from indirect parent that also belong to other subgroups
Product: Red Hat Enterprise Linux 7 Reporter: Ding-Yi Chen <dchen>
Component: sssdAssignee: Sumit Bose <sbose>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: high Docs Contact:
Priority: high    
Version: 7.7CC: atikhono, bthekkep, dlavu, grajaiya, ipa-qe, jhrozek, ksiddiqu, lslebodn, mzidek, ndehadra, pbrezina, rcritten, sbose, sgoveas, ssidhaye, thalman, tscherf, yoguma, yuriy.halytskyy
Target Milestone: rcKeywords: Triaged, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: sync-to-jira
Fixed In Version: sssd-1.16.5-1.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1817374 1817375 1817376 1817377 1817379 1817380 (view as bug list) Environment:
Last Closed: 2020-09-29 19:49:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1788833, 1817374, 1817375, 1817376, 1817377, 1817379, 1817380    
Attachments:
Description Flags
test build
none
test automation run none

Description Ding-Yi Chen 2019-12-11 06:39:09 UTC 
Description of problem:

In IPA, there are 3 groups: child1 and child2 are subgroups of parent, like
the following

parent
  |
  +- child1   (user1)
  |
  +- child2   (user1)

user1 is an username, it belongs to both group child1 and child2.


user1 should also belong to parent

# getent group parent
parent:*:12345:user1

# id user1
uid=1234(user1), gid=xxxx(user1), groups=xxxx(user1),xxxx(child1),xxxx(child2),xxxx(parent)

However, after removed child1 from parent, user1 is no longer belong to parent

# getent group parent
parent:*:12345:

# id user1
uid=1234(user1), gid=xxxx(user1), groups=xxxx(user1),xxxx(child1),xxxx(child2)


Version-Release number of selected component (if applicable):
sssd-1.16.4-21.el7.x86_64


How reproducible:
Always

Steps to Reproduce:
0. Setup
   kinit admin
   ipa user-add user1
   ipa group-add child1
   ipa group-add child2
   ipa group-add parent
   ipa group-add-member parent --group child1
   ipa group-add-member parent --group child2
   ipa group-add-member child1 --user user1
   ipa group-add-member child2 --user user1

   # Verifying user1 is belong to parent
   id user1
   getent group parent
   ipa user-show user1

1. Remove child1 from parent
   ipa group-remove-member parent --group child1
2. Check membership for user1

   id user1
   getent group parent
   ipa user-show user1


Actual results:
    id user1: do not have parent
    getent group parent: do not have user1
    ipa user-show user1: have parent


Expected results:
    id user1: have parent
    getent group parent: have user1
    ipa user-show user1: have parent


Additional info:
   sss_cashe -E               does not fix the problem 
   systemctl restart sssd     does not fix the problem

   You need to remove cache file before starting sssd to reload the correct membership:
   systemctl stop sssd; rm -fr /var/lib/sss/db/*; systemctl start sssd
Comment 2 Yuriy Halytskyy 2019-12-19 00:34:12 UTC 
Any updates?
Comment 3 Ding-Yi Chen 2020-01-23 00:29:55 UTC 
Perhaps we can backport the fix in sssd-2.2.0 to RHEL 7


https://pagure.io/SSSD/sssd/c/1f5d139d103328b6e4be7dc8368abdd39a91d3a6.patch

Issue: nested group missing after updates on provider    https://pagure.io/SSSD/sssd/issue/3636
Comment 4 Sumit Bose 2020-01-23 17:17:28 UTC 
(In reply to Ding-Yi Chen from comment #3)
> Perhaps we can backport the fix in sssd-2.2.0 to RHEL 7
> 
> 
> https://pagure.io/SSSD/sssd/c/1f5d139d103328b6e4be7dc8368abdd39a91d3a6.patch
> 
> Issue: nested group missing after updates on provider   
> https://pagure.io/SSSD/sssd/issue/3636

Hi,

thanks for the hint, shall I create a test-build for RHEL-7.7 with the backported fix to see if this fixes the issue for you/your customer?

bye,
Sumit
Comment 5 Ding-Yi Chen 2020-01-29 23:45:43 UTC 
(In reply to Sumit Bose from comment #4)
> (In reply to Ding-Yi Chen from comment #3)
> > Perhaps we can backport the fix in sssd-2.2.0 to RHEL 7
> > 
> > 
> > https://pagure.io/SSSD/sssd/c/1f5d139d103328b6e4be7dc8368abdd39a91d3a6.patch
> > 
> > Issue: nested group missing after updates on provider   
> > https://pagure.io/SSSD/sssd/issue/3636
> 
> Hi,
> 
> thanks for the hint, shall I create a test-build for RHEL-7.7 with the
> backported fix to see if this fixes the issue for you/your customer?
> 
> bye,
> Sumit

Yes please
Comment 6 Sumit Bose 2020-01-30 12:08:10 UTC 
Created attachment 1656482 [details]
test build

Hi,

please find attached a tar ball with a test build of SSSD including the patch you've mentioned earlier.

bye,
Sumit
Comment 7 Ding-Yi Chen 2020-02-03 06:25:12 UTC 
The test-build fixes my reproducer.

Thanks Sumit.
Comment 13 Pavel Březina 2020-03-04 09:48:44 UTC 
* `sssd-1-16`
    * 9a7c044dcd17b23127ddda25ff9cddc9c67fe4ca - memberof: keep memberOf attribute for nested member
Comment 14 Pavel Březina 2020-03-16 15:31:01 UTC 
*** Bug 1789220 has been marked as a duplicate of this bug. ***
Comment 25 Kaleem 2020-03-26 07:32:47 UTC 
Removing the needinfo on me as Sumedh taking care of it.
Comment 47 Sumedh Sidhaye 2020-06-16 06:49:35 UTC 
ipa-group-cli regression run passing :

http://idm-artifacts.usersys.redhat.com/ipa-prod-tier1/RHEL7.9/17/ipa-group-cli/
Comment 48 Sumedh Sidhaye 2020-06-16 11:49:23 UTC 
Created attachment 1697603 [details]
test automation run

test automation run junit
Comment 49 Sumedh Sidhaye 2020-06-16 12:01:39 UTC 
[root@ci-vm-10-0-139-68 freeipa]# ipa-run-tests test_integration/test_sssd.py::TestNestedMembers --junit-xml=/tmp/test_sssd.xml 
============================================================== test session starts ===============================================================
platform linux -- Python 3.6.8, pytest-3.4.2, py-1.5.4, pluggy-0.6.0
rootdir: /usr/lib/python3.6/site-packages/ipatests, inifile:
plugins: sourceorder-0.5, multihost-3.0
collected 1 item                                                                                                                                 

test_integration/test_sssd.py .                                                                                                            [100%]

----------------------------------------------------- generated xml file: /tmp/test_sssd.xml -----------------------------------------------------
=========================================================== 1 passed in 428.15 seconds ===========================================================


master:
[root@ci-vm-10-0-138-47 ~]# rpm -q ipa-server ipa-server-dns sssd
ipa-server-4.6.8-4.el7.x86_64
ipa-server-dns-4.6.8-4.el7.noarch
sssd-1.16.5-10.el7.x86_64

client:
[root@ci-vm-10-0-139-166 ~]# rpm -q ipa-client sssd
ipa-client-4.6.8-4.el7.x86_64
sssd-1.16.5-10.el7.x86_64
Comment 51 errata-xmlrpc 2020-09-29 19:49:11 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3904