Bug 1809835

Summary:	RFE: ipa group-add-member: number of failed should also be emphasized
Product:	Red Hat Enterprise Linux 8	Reporter:	Ding-Yi Chen <dchen>
Component:	ipa	Assignee:	Florence Blanc-Renaud <frenaud>
Status:	CLOSED ERRATA	QA Contact:	ipa-qe <ipa-qe>
Severity:	medium	Docs Contact:
Priority:	unspecified
Version:	---	CC:	abokovoy, cheimes, ksiddiqu, mvarun, pasik, rcritten, tscherf, twoerner
Target Milestone:	rc	Keywords:	FutureFeature, TestCaseProvided
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	ipa-4.8.7-1.el8	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:
Clones:	1817886 (view as bug list)		Environment:
Last Closed:	2020-11-04 02:50:15 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	1817886

Description Ding-Yi Chen 2020-03-04 01:41:27 UTC

Description of problem:

We encountered a case (Bug 1789220) that users trying to add an IPA external group as --external and --groups

While the ipa group-add-member is able to add the group member correctly and reject the incorrect external group membership, yet the output is somewhat misleading:


  Failed members: 
    member user: 
    member group: ex_group: invalid 'trusted domain object': Ambiguous search, user domain was not specified
-------------------------
Number of members added 1
-------------------------


For the untrained eyes, and in a hurry, the attention is on the text between the lines and think all of the actions succeeded. It will be better to put the failed action between the lines as well, like:


-------------------------
Number of members added 1
Number of failed 1
-------------------------


Version-Release number of selected component (if applicable):

ipa-server-4.6.6-9.el7.x86_64


How reproducible:
Always


Steps to Reproduce:
1. 
  ipa group-add ex_group --external
  ipa group-add parent_group
  ipa group-add-member parent_group --external ex_group --groups ex_group



Actual results:
  Group name: parent_group
  GID: 180600059
  Member groups: ex_group
  Failed members: 
    member user: 
    member group: ex_group: invalid 'trusted domain object': Ambiguous search, user domain was not specified
-------------------------
Number of members added 1
-------------------------


Expected results:
  Group name: parent_group
  GID: 180600059
  Member groups: ex_group
  Failed members: 
    member user: 
    member group: ex_group: invalid 'trusted domain object': Ambiguous search, user domain was not specified
-------------------------
Number of members added 1
Number of failed 1
-------------------------


Additional info:
Another approach is using the atomic action (i.e. one-fail -> all fail).

Comment 3 Florence Blanc-Renaud 2020-03-04 07:19:16 UTC

Thank you taking your time and submitting this request for Red Hat Enterprise Linux 7. Unfortunately, this RFE cannot be kept even as a stretch goal and was moved to RHEL8 for proper evaluation.

Comment 4 Alexander Bokovoy 2020-03-18 15:36:26 UTC

I have added a rejection validator for external members of external groups if they belong to IPA domain in this pull request upstream: https://github.com/freeipa/freeipa/pull/4374 

With this change, the behavior would be following for both users and groups from IPA when they are added to an external group as external members:

-------------------------------------------------------------------------
# ipa group-add-member extgrp --external admin
[member user]: 
[member group]: 
[member service]: 
  Group name: extgrp
  External member: S-1-5-21-3005052257-2375221410-442149667-1361,
                   S-1-5-21-3005052257-2375221410-442149667-1380
  Failed members: 
    member user: 
    member group: admin: invalid 'trusted domain object': Object does not belong to a trusted domain
    member service: 
-------------------------
Number of members added 0
-------------------------
# ipa group-add-member extgrp --external admins
[member user]: 
[member group]: 
[member service]: 
  Group name: extgrp
  External member: S-1-5-21-3005052257-2375221410-442149667-1361,
                   S-1-5-21-3005052257-2375221410-442149667-1380
  Failed members: 
    member user: 
    member group: admins: invalid 'trusted domain object': Object does not belong to a trusted domain
    member service: 
-------------------------
Number of members added 0
-------------------------
----------------------------------------------------------------

Is this enough?

Comment 6 Florence Blanc-Renaud 2020-03-19 12:30:16 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/2997a74abcfdb0ad1c0b5356949e557c3b624d3c

test added upstream in ipatests/test_integration/test_sssd.py::TestSSSDWithAdTrust::test_external_group_member_mismatch

Comment 7 Alexander Bokovoy 2020-03-21 05:35:37 UTC

Fixed upstream
ipa-4-8:
https://pagure.io/freeipa/c/127b8d9cf23bf65aa42e6ee9ed8d7f8628bbac19
ipa-4-7:
https://pagure.io/freeipa/c/5a2f27fe036d61415a128b650d6750e2c2048b4b
ipa-4-6:
https://pagure.io/freeipa/c/c14e385141ea05f2709364b6f0fca844578a7652

Comment 8 Alexander Bokovoy 2020-03-25 07:40:30 UTC

an additional test case fix

Fixed upstream
master:
https://pagure.io/freeipa/c/c1c45df4b25ea2a96a2b5fe59e3d7edf4303c04e

Comment 9 Christian Heimes 2020-03-25 09:37:32 UTC

ipa-4-7:
https://pagure.io/freeipa/c/935c356dace23a60be8a0fba4ac482eeccb95948

Comment 10 Christian Heimes 2020-03-25 09:45:42 UTC

ipa-4-8:
https://pagure.io/freeipa/c/74f36e7c2f7f6d17b56e06b5f05205edb8a286d7

Comment 11 Florence Blanc-Renaud 2020-03-25 19:12:35 UTC

ipa-4-6:
https://pagure.io/freeipa/c/bce50976ca5363e2097171b36a0d9a5df652a988
https://pagure.io/freeipa/c/7b9cdfb2556bd290d5f18b0680a1cf907b4dff0c

Comment 12 Ding-Yi Chen 2020-03-26 11:29:29 UTC

Looks good to me.

Comment 15 Varun Mylaraiah 2020-07-15 10:16:51 UTC

Verified 

ipa-server version: 4.8.7
ipa-server-4.8.7-4.module+el8.3.0+7221+eedbd403.x86_64
sssd-ipa-2.3.0-4.el8.x86_64

Automated test logs of ipatests/test_integration/test_sssd.py
Tested in permissive mode :
http://idm-artifacts.usersys.redhat.com/trigger-test-suite-ext/master/61/trigger/report.html.gz
Known issue: https://bugzilla.redhat.com/show_bug.cgi?id=1845596

==========================================
test_external_group_member_mismatch[ipa]
==========================================
------------------------------ Captured log call -------------------------------
transport.py               415 INFO     STAT /bin/systemctl
transport.py               513 DEBUG    RUN ['ls', '/bin/systemctl']
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN ['systemctl', 'stop', 'sssd']
transport.py               513 DEBUG    RUN ['systemctl', 'stop', 'sssd']
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN find /var/lib/sss/db -name '*.ldb' | xargs rm -fv
transport.py               513 DEBUG    RUN find /var/lib/sss/db -name '*.ldb' | xargs rm -fv
transport.py               558 DEBUG    removed '/var/lib/sss/db/config.ldb'
transport.py               558 DEBUG    removed '/var/lib/sss/db/sssd.ldb'
transport.py               558 DEBUG    removed '/var/lib/sss/db/cache_implicit_files.ldb'
transport.py               558 DEBUG    removed '/var/lib/sss/db/timestamps_implicit_files.ldb'
transport.py               558 DEBUG    removed '/var/lib/sss/db/cache_testrelm.test.ldb'
transport.py               558 DEBUG    removed '/var/lib/sss/db/timestamps_testrelm.test.ldb'
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN ['rm', '-fv', '/var/lib/sss/mc/group']
transport.py               513 DEBUG    RUN ['rm', '-fv', '/var/lib/sss/mc/group']
transport.py               558 DEBUG    removed '/var/lib/sss/mc/group'
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN ['rm', '-fv', '/var/lib/sss/mc/passwd']
transport.py               513 DEBUG    RUN ['rm', '-fv', '/var/lib/sss/mc/passwd']
transport.py               558 DEBUG    removed '/var/lib/sss/mc/passwd'
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN ['systemctl', 'start', 'sssd']
transport.py               513 DEBUG    RUN ['systemctl', 'start', 'sssd']
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN ['kinit', 'admin']
transport.py               513 DEBUG    RUN ['kinit', 'admin']
transport.py               558 DEBUG    Password for admin: 
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN ['ipa', 'group-add', '--external', 'ext-ipatest']
transport.py               513 DEBUG    RUN ['ipa', 'group-add', '--external', 'ext-ipatest']
transport.py               558 DEBUG    -------------------------
transport.py               558 DEBUG    Added group "ext-ipatest"
transport.py               558 DEBUG    -------------------------
transport.py               558 DEBUG      Group name: ext-ipatest
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN ['ipa', '-n', 'group-add-member', 'ext-ipatest', '--external', 'user1']
transport.py               513 DEBUG    RUN ['ipa', '-n', 'group-add-member', 'ext-ipatest', '--external', 'user1']
transport.py               558 DEBUG      Group name: ext-ipatest
transport.py               558 DEBUG      Failed members: 
transport.py               558 DEBUG        member user: 
transport.py               558 DEBUG        member group: user1: invalid 'trusted domain object': Ambiguous search, user domain was not specified
transport.py               558 DEBUG        member service: 
transport.py               558 DEBUG        member User ID override: 
transport.py               558 DEBUG    -------------------------
transport.py               558 DEBUG    Number of members added 0
transport.py               558 DEBUG    -------------------------
transport.py               217 DEBUG    Exit code: 1
host.py                    199 ERROR    stderr: 
transport.py               391 INFO     RUN ['ipa', 'group-del', 'ext-ipatest']
transport.py               513 DEBUG    RUN ['ipa', 'group-del', 'ext-ipatest']
transport.py               558 DEBUG    ---------------------------
transport.py               558 DEBUG    Deleted group "ext-ipatest"
transport.py               558 DEBUG    ---------------------------
transport.py               217 DEBUG    Exit code: 0

=======================================
test_external_group_member_mismatch[ad]
=======================================
------------------------------ Captured log call -------------------------------
transport.py               415 INFO     STAT /bin/systemctl
transport.py               513 DEBUG    RUN ['ls', '/bin/systemctl']
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN ['systemctl', 'stop', 'sssd']
transport.py               513 DEBUG    RUN ['systemctl', 'stop', 'sssd']
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN find /var/lib/sss/db -name '*.ldb' | xargs rm -fv
transport.py               513 DEBUG    RUN find /var/lib/sss/db -name '*.ldb' | xargs rm -fv
transport.py               558 DEBUG    removed '/var/lib/sss/db/config.ldb'
transport.py               558 DEBUG    removed '/var/lib/sss/db/sssd.ldb'
transport.py               558 DEBUG    removed '/var/lib/sss/db/cache_implicit_files.ldb'
transport.py               558 DEBUG    removed '/var/lib/sss/db/timestamps_implicit_files.ldb'
transport.py               558 DEBUG    removed '/var/lib/sss/db/cache_testrelm.test.ldb'
transport.py               558 DEBUG    removed '/var/lib/sss/db/timestamps_testrelm.test.ldb'
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN ['rm', '-fv', '/var/lib/sss/mc/group']
transport.py               513 DEBUG    RUN ['rm', '-fv', '/var/lib/sss/mc/group']
transport.py               558 DEBUG    removed '/var/lib/sss/mc/group'
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN ['rm', '-fv', '/var/lib/sss/mc/passwd']
transport.py               513 DEBUG    RUN ['rm', '-fv', '/var/lib/sss/mc/passwd']
transport.py               558 DEBUG    removed '/var/lib/sss/mc/passwd'
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN ['systemctl', 'start', 'sssd']
transport.py               513 DEBUG    RUN ['systemctl', 'start', 'sssd']
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN ['kinit', 'admin']
transport.py               513 DEBUG    RUN ['kinit', 'admin']
transport.py               558 DEBUG    Password for admin: 
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN ['ipa', 'group-add', '--external', 'ext-ipatest']
transport.py               513 DEBUG    RUN ['ipa', 'group-add', '--external', 'ext-ipatest']
transport.py               558 DEBUG    -------------------------
transport.py               558 DEBUG    Added group "ext-ipatest"
transport.py               558 DEBUG    -------------------------
transport.py               558 DEBUG      Group name: ext-ipatest
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN ['ipa', '-n', 'group-add-member', 'ext-ipatest', '--external', 'testuser']
transport.py               513 DEBUG    RUN ['ipa', '-n', 'group-add-member', 'ext-ipatest', '--external', 'testuser']
transport.py               558 DEBUG      Group name: ext-ipatest
transport.py               558 DEBUG      External member: S-1-5-21-2850950419-291182510-958869158-1108
transport.py               558 DEBUG    -------------------------
transport.py               558 DEBUG    Number of members added 1
transport.py               558 DEBUG    -------------------------
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN ['ipa', 'group-del', 'ext-ipatest']
transport.py               513 DEBUG    RUN ['ipa', 'group-del', 'ext-ipatest']
transport.py               558 DEBUG    ---------------------------
transport.py               558 DEBUG    Deleted group "ext-ipatest"
transport.py               558 DEBUG    ---------------------------
transport.py               217 DEBUG    Exit code: 0


Based on the result marking Bugzilla as verified.

Comment 18 errata-xmlrpc 2020-11-04 02:50:15 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4670