Bug 1817377
Summary: | Removing an IPA sub-group should NOT remove the members from indirect parent that also belong to other subgroups [rhel-7.6.z] | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | RAD team bot copy to z-stream <autobot-eus-copy> |
Component: | sssd | Assignee: | Alexey Tikhonov <atikhono> |
Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | 7.7 | CC: | atikhono, bthekkep, dchen, grajaiya, ipa-qe, jhrozek, ksiddiqu, lslebodn, mzidek, ndehadra, pbrezina, sbose, sgoveas, ssidhaye, thalman, tscherf, yoguma, yuriy.halytskyy |
Target Milestone: | rc | Keywords: | ZStream |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | sssd-1.16.2-13.el7_6.10 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | 1782087 | Environment: | |
Last Closed: | 2020-04-14 17:40:07 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1782087 | | |
Bug Blocks: | | | |
Description
RAD team bot copy to z-stream
2020-03-26 09:08:51 UTC
* `sssd-1-16`
  * 9a7c044dcd17b23127ddda25ff9cddc9c67fe4ca - memberof: keep memberOf attribute for nested member

Reproducer:

```
root@master ~]# rpm -q ipa-server sssd
ipa-server-4.6.4-2.el7.x86_64
sssd-1.16.2-4.el7.x86_64
[root@master ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.6 Beta (Maipo)
[root@master ~]#
root@master ~]# kinit admin
Password for admin:
[root@master ~]#
[root@master ~]# ipa user-add user1
First name: user
Last name: one
------------------
Added user "user1"
------------------
  User login: user1
  First name: user
  Last name: one
  Full name: user one
  Display name: user one
  Initials: uo
  Home directory: /home/user1
  GECOS: user one
  Login shell: /bin/sh
  Principal name: user1
  Principal alias: user1
  Email address: user1
  UID: 1725400001
  GID: 1725400001
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@master ~]# ipa group-add child1
--------------------
Added group "child1"
--------------------
  Group name: child1
  GID: 1725400003
[root@master ~]# ipa group-add child2
--------------------
Added group "child2"
--------------------
  Group name: child2
  GID: 1725400004
[root@master ~]# ipa group-add parent
--------------------
Added group "parent"
--------------------
  Group name: parent
  GID: 1725400005
[root@master ~]# ipa group-add-member parent --group child1
  Group name: parent
  GID: 1725400005
  Member groups: child1
-------------------------
Number of members added 1
-------------------------
[root@master ~]# ipa group-add-member parent --group child2
  Group name: parent
  GID: 1725400005
  Member groups: child1, child2
-------------------------
Number of members added 1
-------------------------
[root@master ~]# ipa group-add-member child1 --user user1
  Group name: child1
  GID: 1725400003
  Member users: user1
  Member of groups: parent
-------------------------
Number of members added 1
-------------------------
[root@master ~]# ipa group-add-member child2 --user user1
  Group name: child2
  GID: 1725400004
  Member users: user1
  Member of groups: parent
-------------------------
Number of members added 1
-------------------------
[root@master ~]# sss_
sss_cache                 sss_ssh_knownhostsproxy   sss_ssh_authorizedkeys
[root@master ~]# sss_
sss_cache                 sss_ssh_knownhostsproxy   sss_ssh_authorizedkeys
[root@master ~]# sss_cache -E; systemctl restart sssd
No cache object matched the specified search
[root@master ~]# id user1
uid=1725400001(user1) gid=1725400001(user1) groups=1725400001(user1),1725400005(parent),1725400004(child2),1725400003(child1)
[root@master ~]# sss_cache -E; systemctl restart sssd
[root@master ~]# getent group parent
parent:*:1725400005:user1
[root@master ~]# sss_cache -E; systemctl restart sssd
[root@master ~]# ipa user-show user1
  User login: user1
  First name: user
  Last name: one
  Home directory: /home/user1
  Login shell: /bin/sh
  Principal name: user1
  Principal alias: user1
  Email address: user1
  UID: 1725400001
  GID: 1725400001
  Account disabled: False
  Password: False
  Member of groups: ipausers, child1, child2
  Indirect Member of group: parent
  Kerberos keys available: False
[root@master ~]# ipa group-remove-member parent --group child1
  Group name: parent
  GID: 1725400005
  Member groups: child2
  Indirect Member users: user1
---------------------------
Number of members removed 1
---------------------------
[root@master ~]# sss_cache -E; systemctl restart sssd
(reverse-i-search)`i': kl^Ct
[root@master ~]# id user1
uid=1725400001(user1) gid=1725400001(user1) groups=1725400001(user1),1725400003(child1),1725400004(child2)
[root@master ~]# sss_cache -E; systemctl restart sssd
[root@master ~]# getent group parent
parent:*:1725400005:
[root@master ~]# sss_cache -E; systemctl restart sssd
[root@master ~]# ipa user-show user1
  User login: user1
  First name: user
  Last name: one
  Home directory: /home/user1
  Login shell: /bin/sh
  Principal name: user1
  Principal alias: user1
  Email address: user1
  UID: 1725400001
  GID: 1725400001
  Account disabled: False
  Password: False
  Member of groups: ipausers, child1, child2
  Indirect Member of group: parent
  Kerberos keys available: False
[root@master ~]#
```

Verification:

```
[root@ci-vm-10-0-136-90 test]# rpm -q ipa-client sssd
ipa-client-4.6.4-10.el7.x86_64
sssd-1.16.2-13.el7_6.10.x86_64
[root@ci-vm-10-0-136-90 test]# ipa host-find
---------------
2 hosts matched
---------------
  Host name: client.testrealm.test
  Principal name: host/client.testrealm.test
  Principal alias: host/client.testrealm.test
  SSH public key fingerprint: SHA256:uXdvCpgSywvtcYwszWJzZxEltCmCw8yvnzDsQG/BKrU (ssh-rsa), SHA256:8VgY5QD7h+5Rf2ER1UcR0XMi2t92AR8rvxkXZgQQ0I4 (ecdsa-sha2-nistp256), SHA256:r0ZdSDSzxxWEGps2PBZvYbYbGVXmRuN11ln6K65in30 (ssh-ed25519)

  Host name: master.testrealm.test
  Principal name: host/master.testrealm.test
  Principal alias: host/master.testrealm.test
  SSH public key fingerprint: SHA256:uXdvCpgSywvtcYwszWJzZxEltCmCw8yvnzDsQG/BKrU (ssh-rsa), SHA256:8VgY5QD7h+5Rf2ER1UcR0XMi2t92AR8rvxkXZgQQ0I4 (ecdsa-sha2-nistp256), SHA256:r0ZdSDSzxxWEGps2PBZvYbYbGVXmRuN11ln6K65in30 (ssh-ed25519)
----------------------------
Number of entries returned 2
----------------------------
[root@ci-vm-10-0-136-90 test]# ipa hbacrule-add --usercat=all --hostcat=all --servicecat=all any_to_any
----------------------------
Added HBAC rule "any_to_any"
----------------------------
  Rule name: any_to_any
  User category: all
  Host category: all
  Service category: all
  Enabled: TRUE
[root@ci-vm-10-0-136-90 test]# ipa user-add --first=u --last=1 u1
---------------
Added user "u1"
---------------
  User login: u1
  First name: u
  Last name: 1
  Full name: u 1
  Display name: u 1
  Initials: u1
  Home directory: /home/u1
  GECOS: u 1
  Login shell: /bin/sh
  Principal name: u1
  Principal alias: u1
  Email address: u1
  UID: 744600001
  GID: 744600001
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@ci-vm-10-0-136-90 test]# ipa passwd u1
New Password:
Enter New Password again to verify:
----------------------------------------
Changed password for "u1"
----------------------------------------
[root@ci-vm-10-0-136-90 test]# ipa group-add a
---------------
Added group "a"
---------------
  Group name: a
  GID: 744600003
[root@ci-vm-10-0-136-90 test]# ipa group-add b
---------------
Added group "b"
---------------
  Group name: b
  GID: 744600004
[root@ci-vm-10-0-136-90 test]# ipa group-add c
---------------
Added group "c"
---------------
  Group name: c
  GID: 744600005
[root@ci-vm-10-0-136-90 test]# ipa group-add-member --groups=a b
  Group name: b
  GID: 744600004
  Member groups: a
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-136-90 test]# ipa group-add-member --groups=b c
  Group name: c
  GID: 744600005
  Member groups: b
  Indirect Member groups: a
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-136-90 test]# ipa group-add-member --users=u1 a
  Group name: a
  GID: 744600003
  Member users: u1
  Member of groups: b
  Indirect Member of group: c
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-136-90 test]# ipa user-show u1 | grep group
  Member of groups: a, ipausers
  Indirect Member of group: b, c
[root@ci-vm-10-0-136-90 test]# service sssd stop
Redirecting to /bin/systemctl stop sssd.service
[root@ci-vm-10-0-136-90 test]# find /var/lib/sss/ ! -type d -delete
[root@ci-vm-10-0-136-90 test]# service sssd start
Redirecting to /bin/systemctl start sssd.service
[root@ci-vm-10-0-136-90 test]# ssh -q u1.test groups
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
Could not chdir to home directory /home/u1: No such file or directory
u1 a b c
[root@ci-vm-10-0-136-90 test]# ipa group-add-member --users=u1 b
  Group name: b
  GID: 744600004
  Member users: u1
  Member groups: a
  Member of groups: c
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-136-90 test]# sss_cache -E; systemctl restart sssd
```

On Client:

```
[root@ci-vm-10-0-136-16 ~]# rpm -q ipa-client sssd
ipa-client-4.6.4-10.el7.x86_64
sssd-1.16.2-13.el7_6.10.x86_64
[root@ci-vm-10-0-136-16 ~]# sss_cache -E; systemctl restart sssd
[root@ci-vm-10-0-136-16 ~]# ssh -q u1.test groups
Password:
Could not chdir to home directory /home/u1: No such file or directory
u1 a b c
```

On Server:

```
[root@ci-vm-10-0-136-90 test]# ipa group-remove-member --users=u1 b
  Group name: b
  GID: 744600004
  Member groups: a
  Member of groups: c
  Indirect Member users: u1
---------------------------
Number of members removed 1
---------------------------
```

On Client:

```
[root@ci-vm-10-0-136-16 ~]# ssh -q u1.test groups
Password:
u1 a b c
```

Also tested the scenario mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1782087#c0

```
[root@ci-vm-10-0-136-90 test]# rpm -q ipa-server sssd
ipa-server-4.6.4-10.el7.x86_64
sssd-1.16.2-13.el7_6.10.x86_64
[root@ci-vm-10-0-136-90 test]#
[root@ci-vm-10-0-136-90 test]# ipa user-add user1
First name: user
Last name: one
------------------
Added user "user1"
------------------
  User login: user1
  First name: user
  Last name: one
  Full name: user one
  Display name: user one
  Initials: uo
  Home directory: /home/user1
  GECOS: user one
  Login shell: /bin/sh
  Principal name: user1
  Principal alias: user1
  Email address: user1
  UID: 744600006
  GID: 744600006
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@ci-vm-10-0-136-90 test]# ipa group-add child1
--------------------
Added group "child1"
--------------------
  Group name: child1
  GID: 744600007
[root@ci-vm-10-0-136-90 test]# ipa group-add child2
--------------------
Added group "child2"
--------------------
  Group name: child2
  GID: 744600008
[root@ci-vm-10-0-136-90 test]# ipa group-add parent
--------------------
Added group "parent"
--------------------
  Group name: parent
  GID: 744600009
[root@ci-vm-10-0-136-90 test]# ipa group-add-member parent --group child1
  Group name: parent
  GID: 744600009
  Member groups: child1
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-136-90 test]# ipa group-add-member parent --group child2
  Group name: parent
  GID: 744600009
  Member groups: child1, child2
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-136-90 test]# ipa group-add-member child1 --user user1
  Group name: child1
  GID: 744600007
  Member users: user1
  Member of groups: parent
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-136-90 test]# ipa group-add-member child2 --user user1
  Group name: child2
  GID: 744600008
  Member users: user1
  Member of groups: parent
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-136-90 test]# sss_cache -E; systemctl restart sssd
[root@ci-vm-10-0-136-90 test]# id user1
uid=744600006(user1) gid=744600006(user1) groups=744600006(user1),744600009(parent),744600008(child2),744600007(child1)
[root@ci-vm-10-0-136-90 test]# sss_cache -E; systemctl restart sssd
[root@ci-vm-10-0-136-90 test]# getent group parent
parent:*:744600009:user1
[root@ci-vm-10-0-136-90 test]# sss_cache -E; systemctl restart sssd
[root@ci-vm-10-0-136-90 test]# ipa user-show user1
  User login: user1
  First name: user
  Last name: one
  Home directory: /home/user1
  Login shell: /bin/sh
  Principal name: user1
  Principal alias: user1
  Email address: user1
  UID: 744600006
  GID: 744600006
  Account disabled: False
  Password: False
  Member of groups: ipausers, child1, child2
  Indirect Member of group: parent
  Kerberos keys available: False
[root@ci-vm-10-0-136-90 test]# ipa group-remove-member parent --group child1
  Group name: parent
  GID: 744600009
  Member groups: child2
  Indirect Member users: user1
---------------------------
Number of members removed 1
---------------------------
[root@ci-vm-10-0-136-90 test]# sss_cache -E; systemctl restart sssd
[root@ci-vm-10-0-136-90 test]# id user1
uid=744600006(user1) gid=744600006(user1) groups=744600006(user1),744600007(child1),744600008(child2),744600009(parent)   <--------- parent present
[root@ci-vm-10-0-136-90 test]# sss_cache -E; systemctl restart sssd
[root@ci-vm-10-0-136-90 test]# getent group parent
parent:*:744600009:user1   <------------------- user1 present
[root@ci-vm-10-0-136-90 test]# sss_cache -E; systemctl restart sssd
[root@ci-vm-10-0-136-90 test]# ipa user-show user1
  User login: user1
  First name: user
  Last name: one
  Home directory: /home/user1
  Login shell: /bin/sh
  Principal name: user1
  Principal alias: user1
  Email address: user1
  UID: 744600006
  GID: 744600006
  Account disabled: False
  Password: False
  Member of groups: ipausers, child1, child2
  Indirect Member of group: parent   <---------------------- parent present
  Kerberos keys available: False
[root@ci-vm-10-0-136-90 test]#
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1463
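The invariant the fix restores, as an added example that is neither the bug report's nor SSSD's own code: memberOf recomputed from the group graph beside a hypothetical, simplified model of an incremental update that drops a group as soon as one path to it is removed, run over both the reproducer graph (user1 in child1 and child2 under parent) and the verification graph (u1 in a, a in b, b in c, u1 also directly in b).

```python
# Added example, not from the bug report or from SSSD's memberof code: a small
# model of nested group membership contrasting memberOf recomputed from the
# graph with a (hypothetical, simplified) incremental update that drops a group
# as soon as one path to it is removed. Names follow the sessions above.

def member_of(groups, name):
    """Direct plus indirect groups of `name`: reachability over parent links."""
    parents = {}
    for grp, members in groups.items():
        for m in members:
            parents.setdefault(m, set()).add(grp)
    seen, stack = set(), [name]
    while stack:
        for grp in parents.get(stack.pop(), ()):
            if grp not in seen:
                seen.add(grp)
                stack.append(grp)
    return seen

def nested(groups, name):
    """Everything nested under `name`: its members, their members, and so on."""
    seen, stack = set(), [name]
    while stack:
        for m in groups.get(stack.pop(), ()):
            if m not in seen:
                seen.add(m)
                stack.append(m)
    return seen

def buggy_remove(groups, memberof, member, group):
    """Pre-fix style update (hypothetical model): strip `group` and its ancestors
    from `member` and everything under it, without checking for another path."""
    lost = {group} | member_of(groups, group)
    for node in {member} | nested(groups, member):
        memberof[node] -= lost

def run(groups, member, group, user):
    """Apply one group-remove-member; return (buggy, correct) memberOf of `user`."""
    memberof = {n: member_of(groups, n) for n in nested(groups, group) | {group}}
    buggy_remove(groups, memberof, member, group)   # incremental bookkeeping...
    groups[group].discard(member)                   # ...then the directory change
    return memberof[user], member_of(groups, user)  # recompute from the new graph

def reproducer():
    """user1 in child1 and child2, both under parent; child1 removed from parent."""
    groups = {"parent": {"child1", "child2"}, "child1": {"user1"}, "child2": {"user1"}}
    return run(groups, "child1", "parent", "user1")

def verification():
    """u1 in a, a in b, b in c; u1 also added directly to b, then removed from b."""
    groups = {"c": {"b"}, "b": {"a", "u1"}, "a": {"u1"}}
    return run(groups, "u1", "b", "u1")
```

In both scenarios the incremental model loses `parent` (respectively `b` and `c`) even though a second path still exists, which is exactly the `id user1` difference between the reproducer and the verification runs.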