Bug 1817377
| Summary: | Removing an IPA sub-group should NOT remove the members from indirect parent that also belong to other subgroups [rhel-7.6.z] | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | RAD team bot copy to z-stream <autobot-eus-copy> |
| Component: | sssd | Assignee: | Alexey Tikhonov <atikhono> |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.7 | CC: | atikhono, bthekkep, dchen, grajaiya, ipa-qe, jhrozek, ksiddiqu, lslebodn, mzidek, ndehadra, pbrezina, sbose, sgoveas, ssidhaye, thalman, tscherf, yoguma, yuriy.halytskyy |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | sssd-1.16.2-13.el7_6.10 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1782087 | Environment: | |
| Last Closed: | 2020-04-14 17:40:07 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1782087 | ||
| Bug Blocks: | |||
Description
RAD team bot copy to z-stream
2020-03-26 09:08:51 UTC
* `sssd-1-16`
* 9a7c044dcd17b23127ddda25ff9cddc9c67fe4ca - memberof: keep memberOf attribute for nested member
Reproducer:
[root@master ~]# rpm -q ipa-server sssd
ipa-server-4.6.4-2.el7.x86_64
sssd-1.16.2-4.el7.x86_64
[root@master ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.6 Beta (Maipo)
[root@master ~]#
[root@master ~]# kinit admin
Password for admin:
[root@master ~]#
[root@master ~]# ipa user-add user1
First name: user
Last name: one
------------------
Added user "user1"
------------------
User login: user1
First name: user
Last name: one
Full name: user one
Display name: user one
Initials: uo
Home directory: /home/user1
GECOS: user one
Login shell: /bin/sh
Principal name: user1
Principal alias: user1
Email address: user1
UID: 1725400001
GID: 1725400001
Password: False
Member of groups: ipausers
Kerberos keys available: False
[root@master ~]# ipa group-add child1
--------------------
Added group "child1"
--------------------
Group name: child1
GID: 1725400003
[root@master ~]# ipa group-add child2
--------------------
Added group "child2"
--------------------
Group name: child2
GID: 1725400004
[root@master ~]# ipa group-add parent
--------------------
Added group "parent"
--------------------
Group name: parent
GID: 1725400005
[root@master ~]# ipa group-add-member parent --group child1
Group name: parent
GID: 1725400005
Member groups: child1
-------------------------
Number of members added 1
-------------------------
[root@master ~]# ipa group-add-member parent --group child2
Group name: parent
GID: 1725400005
Member groups: child1, child2
-------------------------
Number of members added 1
-------------------------
[root@master ~]# ipa group-add-member child1 --user user1
Group name: child1
GID: 1725400003
Member users: user1
Member of groups: parent
-------------------------
Number of members added 1
-------------------------
[root@master ~]# ipa group-add-member child2 --user user1
Group name: child2
GID: 1725400004
Member users: user1
Member of groups: parent
-------------------------
Number of members added 1
-------------------------
[root@master ~]# sss_cache -E; systemctl restart sssd
No cache object matched the specified search
[root@master ~]# id user1
uid=1725400001(user1) gid=1725400001(user1) groups=1725400001(user1),1725400005(parent),1725400004(child2),1725400003(child1)
[root@master ~]# sss_cache -E; systemctl restart sssd
[root@master ~]# getent group parent
parent:*:1725400005:user1
[root@master ~]# sss_cache -E; systemctl restart sssd
[root@master ~]# ipa user-show user1
User login: user1
First name: user
Last name: one
Home directory: /home/user1
Login shell: /bin/sh
Principal name: user1
Principal alias: user1
Email address: user1
UID: 1725400001
GID: 1725400001
Account disabled: False
Password: False
Member of groups: ipausers, child1, child2
Indirect Member of group: parent
Kerberos keys available: False
[root@master ~]# ipa group-remove-member parent --group child1
Group name: parent
GID: 1725400005
Member groups: child2
Indirect Member users: user1
---------------------------
Number of members removed 1
---------------------------
[root@master ~]# sss_cache -E; systemctl restart sssd
[root@master ~]# id user1
uid=1725400001(user1) gid=1725400001(user1) groups=1725400001(user1),1725400003(child1),1725400004(child2)
[root@master ~]# sss_cache -E; systemctl restart sssd
[root@master ~]# getent group parent
parent:*:1725400005:
[root@master ~]# sss_cache -E; systemctl restart sssd
[root@master ~]# ipa user-show user1
User login: user1
First name: user
Last name: one
Home directory: /home/user1
Login shell: /bin/sh
Principal name: user1
Principal alias: user1
Email address: user1
UID: 1725400001
GID: 1725400001
Account disabled: False
Password: False
Member of groups: ipausers, child1, child2
Indirect Member of group: parent
Kerberos keys available: False
[root@master ~]#
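Added example, not code from the bug report or from SSSD: a small model of the reproducer's nesting (parent contains child1 and child2, user1 is in both) showing why dropping `parent` from every nested member's cached memberOf is wrong once child1 leaves parent, while recomputing from the membership paths that remain keeps user1 in parent via child2. The group and user names are taken from the reproducer; `effective_memberof` is general enough to cover the a-in-b-in-c chain used in the verification as well.

```python
# Added example, not code from the bug report or from SSSD: models nested IPA
# group membership and contrasts the broken memberOf update this bug describes
# with a recomputation from the membership paths that remain.
from collections import deque

# Constructed from the reproducer: parent contains child1 and child2,
# user1 is a direct member of both children.
DIRECT_MEMBERS = {"parent": {"child1", "child2"},
                  "child1": {"user1"}, "child2": {"user1"}}


def effective_memberof(direct, entry):
    """Every group `entry` belongs to, directly or via nesting: the set that
    `id` and `getent group` should reflect."""
    seen = {g for g, members in direct.items() if entry in members}
    queue = deque(seen)
    while queue:
        g = queue.popleft()
        for grandparent, members in direct.items():
            if g in members and grandparent not in seen:
                seen.add(grandparent)
                queue.append(grandparent)
    return seen


def remove_subgroup_buggy(direct, cache, parent, child):
    """Wrong: when `child` leaves `parent`, every entry nested under `child`
    drops `parent` from its cached memberOf, ignoring other paths to it."""
    direct[parent].discard(child)
    for entry, groups in cache.items():
        if entry == child or child in groups:
            groups.discard(parent)


def remove_subgroup_fixed(direct, cache, parent, child):
    """Correct: recompute memberOf for every cached entry after the change."""
    direct[parent].discard(child)
    for entry in cache:
        cache[entry] = effective_memberof(direct, entry)


def run_reproducer(fixed):
    """user1's resolved groups after `ipa group-remove-member parent --group
    child1`, as `id user1` reports them before (fixed=False) or after the fix."""
    graph = {g: set(m) for g, m in DIRECT_MEMBERS.items()}
    cache = {e: effective_memberof(graph, e) for e in ("user1", "child1", "child2")}
    update = remove_subgroup_fixed if fixed else remove_subgroup_buggy
    update(graph, cache, "parent", "child1")
    return sorted(cache["user1"])
```

`run_reproducer(False)` reproduces the `id user1` line in the reproducer that lacks `parent`; `run_reproducer(True)` matches the verification output where `parent` is present.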
===============
Verification:
===============
[root@ci-vm-10-0-136-90 test]# rpm -q ipa-client sssd
ipa-client-4.6.4-10.el7.x86_64
sssd-1.16.2-13.el7_6.10.x86_64
[root@ci-vm-10-0-136-90 test]# ipa host-find
---------------
2 hosts matched
---------------
Host name: client.testrealm.test
Principal name: host/client.testrealm.test
Principal alias: host/client.testrealm.test
SSH public key fingerprint: SHA256:uXdvCpgSywvtcYwszWJzZxEltCmCw8yvnzDsQG/BKrU (ssh-rsa), SHA256:8VgY5QD7h+5Rf2ER1UcR0XMi2t92AR8rvxkXZgQQ0I4
(ecdsa-sha2-nistp256), SHA256:r0ZdSDSzxxWEGps2PBZvYbYbGVXmRuN11ln6K65in30 (ssh-ed25519)
Host name: master.testrealm.test
Principal name: host/master.testrealm.test
Principal alias: host/master.testrealm.test
SSH public key fingerprint: SHA256:uXdvCpgSywvtcYwszWJzZxEltCmCw8yvnzDsQG/BKrU (ssh-rsa), SHA256:8VgY5QD7h+5Rf2ER1UcR0XMi2t92AR8rvxkXZgQQ0I4
(ecdsa-sha2-nistp256), SHA256:r0ZdSDSzxxWEGps2PBZvYbYbGVXmRuN11ln6K65in30 (ssh-ed25519)
----------------------------
Number of entries returned 2
----------------------------
[root@ci-vm-10-0-136-90 test]# ipa hbacrule-add --usercat=all --hostcat=all --servicecat=all any_to_any
----------------------------
Added HBAC rule "any_to_any"
----------------------------
Rule name: any_to_any
User category: all
Host category: all
Service category: all
Enabled: TRUE
[root@ci-vm-10-0-136-90 test]# ipa user-add --first=u --last=1 u1
---------------
Added user "u1"
---------------
User login: u1
First name: u
Last name: 1
Full name: u 1
Display name: u 1
Initials: u1
Home directory: /home/u1
GECOS: u 1
Login shell: /bin/sh
Principal name: u1
Principal alias: u1
Email address: u1
UID: 744600001
GID: 744600001
Password: False
Member of groups: ipausers
Kerberos keys available: False
[root@ci-vm-10-0-136-90 test]# ipa passwd u1
New Password:
Enter New Password again to verify:
----------------------------------------
Changed password for "u1"
----------------------------------------
[root@ci-vm-10-0-136-90 test]# ipa group-add a
---------------
Added group "a"
---------------
Group name: a
GID: 744600003
[root@ci-vm-10-0-136-90 test]# ipa group-add b
---------------
Added group "b"
---------------
Group name: b
GID: 744600004
[root@ci-vm-10-0-136-90 test]# ipa group-add c
---------------
Added group "c"
---------------
Group name: c
GID: 744600005
[root@ci-vm-10-0-136-90 test]# ipa group-add-member --groups=a b
Group name: b
GID: 744600004
Member groups: a
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-136-90 test]# ipa group-add-member --groups=b c
Group name: c
GID: 744600005
Member groups: b
Indirect Member groups: a
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-136-90 test]# ipa group-add-member --users=u1 a
Group name: a
GID: 744600003
Member users: u1
Member of groups: b
Indirect Member of group: c
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-136-90 test]# ipa user-show u1 | grep group
Member of groups: a, ipausers
Indirect Member of group: b, c
[root@ci-vm-10-0-136-90 test]# service sssd stop
Redirecting to /bin/systemctl stop sssd.service
[root@ci-vm-10-0-136-90 test]# find /var/lib/sss/ ! -type d -delete
[root@ci-vm-10-0-136-90 test]# service sssd start
Redirecting to /bin/systemctl start sssd.service
[root@ci-vm-10-0-136-90 test]# ssh -q u1.test groups
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
Could not chdir to home directory /home/u1: No such file or directory
u1 a b c
[root@ci-vm-10-0-136-90 test]# ipa group-add-member --users=u1 b
Group name: b
GID: 744600004
Member users: u1
Member groups: a
Member of groups: c
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-136-90 test]# sss_cache -E; systemctl restart sssd
On Client:
[root@ci-vm-10-0-136-16 ~]# rpm -q ipa-client sssd
ipa-client-4.6.4-10.el7.x86_64
sssd-1.16.2-13.el7_6.10.x86_64
[root@ci-vm-10-0-136-16 ~]# sss_cache -E; systemctl restart sssd
[root@ci-vm-10-0-136-16 ~]# ssh -q u1.test groups
Password:
Could not chdir to home directory /home/u1: No such file or directory
u1 a b c
On Server:
[root@ci-vm-10-0-136-90 test]# ipa group-remove-member --users=u1 b
Group name: b
GID: 744600004
Member groups: a
Member of groups: c
Indirect Member users: u1
---------------------------
Number of members removed 1
---------------------------
On Client:
[root@ci-vm-10-0-136-16 ~]# ssh -q u1.test groups
Password:
u1 a b c
Also tested the scenario mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1782087#c0
[root@ci-vm-10-0-136-90 test]# rpm -q ipa-server sssd
ipa-server-4.6.4-10.el7.x86_64
sssd-1.16.2-13.el7_6.10.x86_64
[root@ci-vm-10-0-136-90 test]#
[root@ci-vm-10-0-136-90 test]# ipa user-add user1
First name: user
Last name: one
------------------
Added user "user1"
------------------
User login: user1
First name: user
Last name: one
Full name: user one
Display name: user one
Initials: uo
Home directory: /home/user1
GECOS: user one
Login shell: /bin/sh
Principal name: user1
Principal alias: user1
Email address: user1
UID: 744600006
GID: 744600006
Password: False
Member of groups: ipausers
Kerberos keys available: False
[root@ci-vm-10-0-136-90 test]# ipa group-add child1
--------------------
Added group "child1"
--------------------
Group name: child1
GID: 744600007
[root@ci-vm-10-0-136-90 test]# ipa group-add child2
--------------------
Added group "child2"
--------------------
Group name: child2
GID: 744600008
[root@ci-vm-10-0-136-90 test]# ipa group-add parent
--------------------
Added group "parent"
--------------------
Group name: parent
GID: 744600009
[root@ci-vm-10-0-136-90 test]# ipa group-add-member parent --group child1
Group name: parent
GID: 744600009
Member groups: child1
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-136-90 test]# ipa group-add-member parent --group child2
Group name: parent
GID: 744600009
Member groups: child1, child2
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-136-90 test]# ipa group-add-member child1 --user user1
Group name: child1
GID: 744600007
Member users: user1
Member of groups: parent
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-136-90 test]# ipa group-add-member child2 --user user1
Group name: child2
GID: 744600008
Member users: user1
Member of groups: parent
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-136-90 test]# sss_cache -E; systemctl restart sssd
[root@ci-vm-10-0-136-90 test]# id user1
uid=744600006(user1) gid=744600006(user1) groups=744600006(user1),744600009(parent),744600008(child2),744600007(child1)
[root@ci-vm-10-0-136-90 test]# sss_cache -E; systemctl restart sssd
[root@ci-vm-10-0-136-90 test]# getent group parent
parent:*:744600009:user1
[root@ci-vm-10-0-136-90 test]# sss_cache -E; systemctl restart sssd
[root@ci-vm-10-0-136-90 test]# ipa user-show user1
User login: user1
First name: user
Last name: one
Home directory: /home/user1
Login shell: /bin/sh
Principal name: user1
Principal alias: user1
Email address: user1
UID: 744600006
GID: 744600006
Account disabled: False
Password: False
Member of groups: ipausers, child1, child2
Indirect Member of group: parent
Kerberos keys available: False
[root@ci-vm-10-0-136-90 test]# ipa group-remove-member parent --group child1
Group name: parent
GID: 744600009
Member groups: child2
Indirect Member users: user1
---------------------------
Number of members removed 1
---------------------------
[root@ci-vm-10-0-136-90 test]# sss_cache -E; systemctl restart sssd
[root@ci-vm-10-0-136-90 test]# id user1
uid=744600006(user1) gid=744600006(user1) groups=744600006(user1),744600007(child1),744600008(child2),744600009(parent) <--------- parent present
[root@ci-vm-10-0-136-90 test]# sss_cache -E; systemctl restart sssd
[root@ci-vm-10-0-136-90 test]# getent group parent
parent:*:744600009:user1 <------------------- user1 present
[root@ci-vm-10-0-136-90 test]# sss_cache -E; systemctl restart sssd
[root@ci-vm-10-0-136-90 test]# ipa user-show user1
User login: user1
First name: user
Last name: one
Home directory: /home/user1
Login shell: /bin/sh
Principal name: user1
Principal alias: user1
Email address: user1
UID: 744600006
GID: 744600006
Account disabled: False
Password: False
Member of groups: ipausers, child1, child2
Indirect Member of group: parent <---------------------- parent present
Kerberos keys available: False
[root@ci-vm-10-0-136-90 test]#
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:1463