Bug 1817374
| Summary: | Removing an IPA sub-group should NOT remove the members from indirect parent that also belong to other subgroups [rhel-7.3.z] | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | RAD team bot copy to z-stream <autobot-eus-copy> |
| Component: | sssd | Assignee: | Alexey Tikhonov <atikhono> |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.7 | CC: | afarley, atikhono, bthekkep, dchen, grajaiya, ipa-qe, jhrozek, ksiddiqu, lslebodn, mzidek, ndehadra, pbrezina, sbose, sgoveas, ssidhaye, thalman, tscherf, yoguma, yuriy.halytskyy |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | sssd-1.14.0-43.el7_3.20 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1782087 | Environment: | |
| Last Closed: | 2020-04-14 14:52:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1782087 | | |
| Bug Blocks: | | | |
Description
RAD team bot copy to z-stream
2020-03-26 09:07:08 UTC
* `sssd-1-16`
* 9a7c044dcd17b23127ddda25ff9cddc9c67fe4ca - memberof: keep memberOf attribute for nested member
Reproducer:
master:
[root@ci-vm-10-0-137-85 ~]# rpm -q ipa-server sssd
ipa-server-4.4.0-14.el7_3.7.x86_64
sssd-1.14.0-43.el7_3.18.x86_64
[root@ci-vm-10-0-137-85 ~]#
client:
ipa-client.x86_64 0:4.4.0-14.el7_3.7
sssd.x86_64 0:1.14.0-43.el7_3.18
On Master:
[root@ci-vm-10-0-137-85 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin
Valid starting Expires Service principal
2020-04-09T05:19:14 2020-04-10T05:19:11 krbtgt/TESTREALM.TEST
[root@ci-vm-10-0-137-85 ~]# ipa host-find
---------------
2 hosts matched
---------------
Host name: client.testrealm.test
Principal name: host/client.testrealm.test
Principal alias: host/client.testrealm.test
SSH public key fingerprint: 33:2F:90:C0:9F:73:09:EA:E8:AE:3A:97:37:A0:B3:38 (ssh-ed25519), 4A:74:46:FC:A7:0F:8D:E7:05:B4:B5:83:59:45:FA:FD (ssh-rsa), 3A:5B:72:FD:A5:15:FD:3A:75:15:75:F4:3C:A6:EE:AF (ecdsa-sha2-nistp256)
Host name: master.testrealm.test
Principal name: host/master.testrealm.test
Principal alias: host/master.testrealm.test
SSH public key fingerprint: 33:2F:90:C0:9F:73:09:EA:E8:AE:3A:97:37:A0:B3:38 (ssh-ed25519), 4A:74:46:FC:A7:0F:8D:E7:05:B4:B5:83:59:45:FA:FD (ssh-rsa), 3A:5B:72:FD:A5:15:FD:3A:75:15:75:F4:3C:A6:EE:AF (ecdsa-sha2-nistp256)
----------------------------
Number of entries returned 2
----------------------------
[root@ci-vm-10-0-137-85 ~]# ipa hbacrule-add --usercat=all --hostcat=all --servicecat=all any_to_any
----------------------------
Added HBAC rule "any_to_any"
----------------------------
Rule name: any_to_any
User category: all
Host category: all
Service category: all
Enabled: TRUE
[root@ci-vm-10-0-137-85 ~]# ipa user-add --first=u --last=1 u1
---------------
Added user "u1"
---------------
User login: u1
First name: u
Last name: 1
Full name: u 1
Display name: u 1
Initials: u1
Home directory: /home/u1
GECOS: u 1
Login shell: /bin/sh
Principal name: u1
Principal alias: u1
Email address: u1
UID: 566600001
GID: 566600001
Password: False
Member of groups: ipausers
Kerberos keys available: False
[root@ci-vm-10-0-137-85 ~]# ipa passwd u1
New Password:
Enter New Password again to verify:
----------------------------------------
Changed password for "u1"
----------------------------------------
[root@ci-vm-10-0-137-85 ~]# ipa group-add a
---------------
Added group "a"
---------------
Group name: a
GID: 566600003
[root@ci-vm-10-0-137-85 ~]# ipa group-add b
---------------
Added group "b"
---------------
Group name: b
GID: 566600004
[root@ci-vm-10-0-137-85 ~]# ipa group-add c
---------------
Added group "c"
---------------
Group name: c
GID: 566600005
[root@ci-vm-10-0-137-85 ~]# pa group-add-member --groups=a b
bash: pa: command not found
[root@ci-vm-10-0-137-85 ~]# ipa group-add-member --groups=a b
Group name: b
GID: 566600004
Member groups: a
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-137-85 ~]# ipa group-add-member --groups=b c
Group name: c
GID: 566600005
Member groups: b
Indirect Member groups: a
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-137-85 ~]# ipa group-add-member --users=u1 a
Group name: a
GID: 566600003
Member users: u1
Member of groups: b
Indirect Member of group: c
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-137-85 ~]# sss_cache -E; systemctl restart sssd
No cache object matched the specified search
[root@ci-vm-10-0-137-85 ~]# ipa user-show u1 | grep group
Member of groups: a, ipausers
Indirect Member of group: b, c
[root@ci-vm-10-0-137-85 ~]# systemctl stop sssd; find /var/lib/sss/ ! -type d -delete; systemctl start sssd
[root@ci-vm-10-0-137-85 ~]# ssh -q u1.test groups
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
Could not chdir to home directory /home/u1: No such file or directory
u1 a b c
On Client:
[root@ci-vm-10-0-136-35 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin
Valid starting Expires Service principal
2020-04-09T05:19:38 2020-04-10T05:19:35 krbtgt/TESTREALM.TEST
[root@ci-vm-10-0-136-35 ~]# sss_cache -E; systemctl restart sssd
[root@ci-vm-10-0-136-35 ~]# ssh -q u1.test groups
Password:
Could not chdir to home directory /home/u1: No such file or directory
u1 a b c
On master:
[root@ci-vm-10-0-137-85 ~]# sss_cache -E; systemctl restart sssd
[root@ci-vm-10-0-137-85 ~]# ipa group-remove-member --users=u1 b
Group name: b
GID: 566600004
Member groups: a
Member of groups: c
Indirect Member users: u1
---------------------------
Number of members removed 1
---------------------------
On Client:
[root@ci-vm-10-0-136-35 ~]# sss_cache -E; systemctl restart sssd
[root@ci-vm-10-0-136-35 ~]# ssh -q u1.test groups
Password:
Could not chdir to home directory /home/u1: No such file or directory
u1 a c
Group b is missing
======================
Verification:
master:
[root@ci-vm-10-0-137-106 ~]# rpm -q ipa-server sssd
ipa-server-4.4.0-14.el7_3.7.x86_64
sssd-1.14.0-43.el7_3.20.x86_64
client
[root@ci-vm-10-0-136-89 ~]# rpm -q ipa-client sssd
ipa-client-4.4.0-14.el7_3.7.x86_64
sssd-1.14.0-43.el7_3.20.x86_64
on master:
[root@ci-vm-10-0-137-106 ~]# klist
klist: Credentials cache keyring 'persistent:0:0' not found
[root@ci-vm-10-0-137-106 ~]# kinit admin
Password for admin:
[root@ci-vm-10-0-137-106 ~]# vim test.sh
[root@ci-vm-10-0-137-106 ~]# sh -x test.sh
+ ipa hbacrule-add --usercat=all --hostcat=all --servicecat=all any_to_any
----------------------------
Added HBAC rule "any_to_any"
----------------------------
Rule name: any_to_any
User category: all
Host category: all
Service category: all
Enabled: TRUE
+ ipa user-add --first=u --last=1 u1
---------------
Added user "u1"
---------------
User login: u1
First name: u
Last name: 1
Full name: u 1
Display name: u 1
Initials: u1
Home directory: /home/u1
GECOS: u 1
Login shell: /bin/sh
Principal name: u1
Principal alias: u1
Email address: u1
UID: 836400001
GID: 836400001
Password: False
Member of groups: ipausers
Kerberos keys available: False
+ ipa passwd u1
New Password:
Enter New Password again to verify:
----------------------------------------
Changed password for "u1"
----------------------------------------
+ ipa group-add a
---------------
Added group "a"
---------------
Group name: a
GID: 836400003
+ ipa group-add b
---------------
Added group "b"
---------------
Group name: b
GID: 836400004
+ ipa group-add c
---------------
Added group "c"
---------------
Group name: c
GID: 836400005
+ ipa group-add-member --groups=a b
Group name: b
GID: 836400004
Member groups: a
-------------------------
Number of members added 1
-------------------------
+ ipa group-add-member --groups=b c
Group name: c
GID: 836400005
Member groups: b
Indirect Member groups: a
-------------------------
Number of members added 1
-------------------------
+ ipa group-add-member --users=u1 a
Group name: a
GID: 836400003
Member users: u1
Member of groups: b
Indirect Member of group: c
-------------------------
Number of members added 1
-------------------------
+ sss_cache -E
No cache object matched the specified search
+ systemctl restart sssd
+ systemctl status sssd
● sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/sssd.service.d
└─journal.conf
Active: active (running) since Thu 2020-04-09 09:02:52 EDT; 29ms ago
Process: 28599 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=0/SUCCESS)
Main PID: 28600 (sssd)
CGroup: /system.slice/sssd.service
├─28600 /usr/sbin/sssd -D -f
├─28601 /usr/libexec/sssd/sssd_be --domain testrealm.test --uid 0 --gid 0 --debug-to-files
├─28603 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
├─28604 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --debug-to-files
├─28605 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
├─28606 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files
└─28607 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files
Apr 09 09:02:52 master.testrealm.test sssd[28600]: Starting up
Apr 09 09:02:52 master.testrealm.test sssd[be[testrealm.test]][28601]: Starting up
Apr 09 09:02:52 master.testrealm.test sssd[ssh][28606]: Starting up
Apr 09 09:02:52 master.testrealm.test sssd[pac][28607]: Starting up
Apr 09 09:02:52 master.testrealm.test sssd[nss][28603]: Starting up
Apr 09 09:02:52 master.testrealm.test sssd[sudo][28604]: Starting up
Apr 09 09:02:52 master.testrealm.test sssd[pam][28605]: Starting up
Apr 09 09:02:52 master.testrealm.test systemd[1]: Started System Security Services Daemon.
Apr 09 09:02:52 master.testrealm.test sssd_be[28601]: GSSAPI client step 1
Apr 09 09:02:52 master.testrealm.test sssd_be[28601]: GSSAPI client step 1
+ ipa user-show u1
+ grep group
Member of groups: a, ipausers
Indirect Member of group: b, c
[root@ci-vm-10-0-137-106 ~]# systemctl stop sssd; find /var/lib/sss/ ! -type d -delete; systemctl start sssd
[root@ci-vm-10-0-137-106 ~]# ssh -q u1.test groups
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
Could not chdir to home directory /home/u1: No such file or directory
u1 a b c
[root@ci-vm-10-0-137-106 ~]# systemctl stop sssd; find /var/lib/sss/ ! -type d -delete; systemctl start sssd
[root@ci-vm-10-0-137-106 ~]# sss_cache -E; systemctl restart sssd
No cache object matched the specified search
[root@ci-vm-10-0-137-106 ~]# ipa group-add-member --users=u1 b
Group name: b
GID: 836400004
Member users: u1
Member groups: a
Member of groups: c
-------------------------
Number of members added 1
-------------------------
on client:
[root@ci-vm-10-0-136-89 ~]# kinit admin
Password for admin:
[root@ci-vm-10-0-136-89 ~]# ssh -q u1.test groups
Password:
Could not chdir to home directory /home/u1: No such file or directory
u1 a b c
on master:
[root@ci-vm-10-0-137-106 ~]# sss_cache -E; systemctl restart sssd
No cache object matched the specified search
[root@ci-vm-10-0-137-106 ~]# ipa group-remove-member --users=u1 b
Group name: b
GID: 836400004
Member groups: a
Member of groups: c
Indirect Member users: u1
---------------------------
Number of members removed 1
---------------------------
on client:
[root@ci-vm-10-0-136-89 ~]# sss_cache -E; systemctl restart sssd
[root@ci-vm-10-0-136-89 ~]# ssh -q u1.test groups
Password:
Could not chdir to home directory /home/u1: No such file or directory
u1 a b c
[root@ci-vm-10-0-136-89 ~]#
Group b present
Verification for scenario mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1782087#c0
[root@ci-vm-10-0-137-106 ~]# ipa user-add user1
First name: user
Last name: one
------------------
Added user "user1"
------------------
User login: user1
First name: user
Last name: one
Full name: user one
Display name: user one
Initials: uo
Home directory: /home/user1
GECOS: user one
Login shell: /bin/sh
Principal name: user1
Principal alias: user1
Email address: user1
UID: 836400006
GID: 836400006
Password: False
Member of groups: ipausers
Kerberos keys available: False
[root@ci-vm-10-0-137-106 ~]# ipa group-add child1
--------------------
Added group "child1"
--------------------
Group name: child1
GID: 836400007
[root@ci-vm-10-0-137-106 ~]# ipa group-add child2
--------------------
Added group "child2"
--------------------
Group name: child2
GID: 836400008
[root@ci-vm-10-0-137-106 ~]# ipa group-add parent
--------------------
Added group "parent"
--------------------
Group name: parent
GID: 836400009
[root@ci-vm-10-0-137-106 ~]# ipa group-add-member parent --group child1
Group name: parent
GID: 836400009
Member groups: child1
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-137-106 ~]# ipa group-add-member parent --group child2
Group name: parent
GID: 836400009
Member groups: child1, child2
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-137-106 ~]# ipa group-add-member child1 --user user1
Group name: child1
GID: 836400007
Member users: user1
Member of groups: parent
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-137-106 ~]# ipa group-add-member child2 --user user1
Group name: child2
GID: 836400008
Member users: user1
Member of groups: parent
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-137-106 ~]# sss_cache -E; systemctl restart sssd
No cache object matched the specified search
[root@ci-vm-10-0-137-106 ~]# id user1
uid=836400006(user1) gid=836400006(user1) groups=836400006(user1),836400009(parent),836400008(child2),836400007(child1)
[root@ci-vm-10-0-137-106 ~]# sss_cache -E; systemctl restart sssd
[root@ci-vm-10-0-137-106 ~]# getent group parent
parent:*:836400009:user1
[root@ci-vm-10-0-137-106 ~]# sss_cache -E; systemctl restart sssd
[root@ci-vm-10-0-137-106 ~]# ipa user-show user1
User login: user1
First name: user
Last name: one
Home directory: /home/user1
Login shell: /bin/sh
Principal name: user1
Principal alias: user1
Email address: user1
UID: 836400006
GID: 836400006
Account disabled: False
Password: False
Member of groups: ipausers, child1, child2
Indirect Member of group: parent
Kerberos keys available: False
[root@ci-vm-10-0-137-106 ~]# ipa group-remove-member parent --group child1
Group name: parent
GID: 836400009
Member groups: child2
Indirect Member users: user1
---------------------------
Number of members removed 1
---------------------------
[root@ci-vm-10-0-137-106 ~]# sss_cache -E; systemctl restart sssd
[root@ci-vm-10-0-137-106 ~]# id user1
uid=836400006(user1) gid=836400006(user1) groups=836400006(user1),836400007(child1),836400008(child2),836400009(parent) <--------- Parent present
[root@ci-vm-10-0-137-106 ~]# sss_cache -E; systemctl restart sssd
[root@ci-vm-10-0-137-106 ~]# getent group parent
parent:*:836400009:user1 <---------------- user1 present
[root@ci-vm-10-0-137-106 ~]# sss_cache -E; systemctl restart sssd
[root@ci-vm-10-0-137-106 ~]# ipa user-show user1
User login: user1
First name: user
Last name: one
Home directory: /home/user1
Login shell: /bin/sh
Principal name: user1
Principal alias: user1
Email address: user1
UID: 836400006
GID: 836400006
Account disabled: False
Password: False
Member of groups: ipausers, child1, child2
Indirect Member of group: parent <---------------------- parent present
Kerberos keys available: False
[root@ci-vm-10-0-137-106 ~]#
Based on the above observations, marking the bugzilla verified.
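The two sessions above show the same rule from both sides: a user's effective groups are every group reachable through nested membership, so removing one path (u1 from b, or child1 from parent) must leave a group in place while another path still reaches it. The following Python model, added here as an example and not code from SSSD or FreeIPA, recomputes reachability after each change and contrasts it with the pre-fix behaviour reported in this bug, where the cached memberOf set was simply stripped of the touched group. All class and function names are the example's own, and the group names are taken from the reproducer and the verification scenario.

```python
from collections import defaultdict, deque


class GroupGraph:
    """Membership graph: an edge member -> group records that member (a user or
    a group) is a direct member of group. Constructed model for this bug, not
    SSSD's or IPA's own data structures."""

    def __init__(self):
        self.member_of = defaultdict(set)  # node -> groups it is a direct member of
        self.users = set()

    def add_user(self, user):
        self.users.add(user)

    def add_member(self, group, member):
        self.member_of[member].add(group)

    def remove_member(self, group, member):
        # Removing a membership that does not exist (u1 from b below, where u1
        # is only an indirect member) changes nothing in the graph.
        self.member_of[member].discard(group)

    def direct_groups(self, node):
        return set(self.member_of[node])

    def effective_groups(self, node):
        """Every group reachable from node through member edges. This is what
        the memberOf attribute must contain after any change; the only safe way
        to answer "is node still in G?" after a removal is to recompute it."""
        seen = set()
        queue = deque(self.member_of[node])
        while queue:
            group = queue.popleft()
            if group not in seen:
                seen.add(group)
                queue.extend(self.member_of[group])
        return seen

    def indirect_groups(self, node):
        # IPA's "Indirect Member of group" line: reachable but not direct.
        return self.effective_groups(node) - self.direct_groups(node)

    def group_users(self, group):
        """Users whose effective groups include group, i.e. what getent group
        should list for it."""
        return {u for u in self.users if group in self.effective_groups(u)}


def stale_cache_after_removal(cached_groups, touched_group):
    """Models the pre-fix behaviour reported in this bug: on a removal that
    touches touched_group, the cached memberOf set loses that group without a
    check for another sub-group that still leads to it."""
    return cached_groups - {touched_group}


def reproducer_chain():
    """u1 -> a -> b -> c from the reproducer, then group-remove-member --users=u1 b."""
    g = GroupGraph()
    g.add_user("u1")
    g.add_member("b", "a")
    g.add_member("c", "b")
    g.add_member("a", "u1")
    before = g.effective_groups("u1")
    g.remove_member("b", "u1")
    return {
        "before": before,
        "recomputed": g.effective_groups("u1"),
        "stale_cache": stale_cache_after_removal(before, "b"),
    }


def verification_parent_children():
    """user1 in child1 and child2, both in parent, then child1 removed from parent."""
    g = GroupGraph()
    g.add_user("user1")
    g.add_member("parent", "child1")
    g.add_member("parent", "child2")
    g.add_member("child1", "user1")
    g.add_member("child2", "user1")
    before = g.effective_groups("user1")
    g.remove_member("parent", "child1")
    return {
        "before": before,
        "recomputed": g.effective_groups("user1"),
        "direct": g.direct_groups("user1"),
        "indirect": g.indirect_groups("user1"),
        "parent_users": g.group_users("parent"),
        "stale_cache": stale_cache_after_removal(before, "parent"),
    }


if __name__ == "__main__":
    for name, result in (("reproducer", reproducer_chain()),
                         ("verification", verification_parent_children())):
        print(name)
        for key, value in result.items():
            print(f"  {key}: {sorted(value)}")
```

Running it prints, for the reproducer, a recomputed set of a, b, c against a stale cache of a, c (the "u1 a c" seen on the client before the fix), and for the verification scenario a recomputed set that still contains parent, matching the `id user1` and `getent group parent` output after the fix. The same recompute-from-the-graph rule is what any cache of group membership used for access decisions has to follow: dropping an entry on a removal event is only correct once no remaining path reaches that group.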
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:1474