Bug 1817379
| Summary: | Removing an IPA sub-group should NOT remove the members from indirect parent that also belong to other subgroups [rhel-7.7.z] | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | RAD team bot copy to z-stream <autobot-eus-copy> |
| Component: | sssd | Assignee: | Alexey Tikhonov <atikhono> |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.7 | CC: | atikhono, bthekkep, dchen, grajaiya, ipa-qe, jhrozek, ksiddiqu, lslebodn, mzidek, ndehadra, pbrezina, sbose, sgoveas, ssidhaye, thalman, tscherf, yoguma, yuriy.halytskyy |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | sssd-1.16.4-21.el7_7.4 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1782087 | Environment: | |
| Last Closed: | 2020-04-30 17:17:07 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1782087 | | |
| Bug Blocks: | | | |
Description
RAD team bot copy to z-stream
2020-03-26 09:09:24 UTC
* `sssd-1-16`
* 9a7c044dcd17b23127ddda25ff9cddc9c67fe4ca - memberof: keep memberOf attribute for nested member
Reproducer:
Master:
[root@ci-vm-10-0-137-242 ~]# rpm -q ipa-server sssd
ipa-server-4.6.5-11.el7.x86_64
sssd-1.16.4-21.el7.x86_64
[root@ci-vm-10-0-137-242 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.7 (Maipo)
[root@ci-vm-10-0-137-242 ~]#
Client:
[root@ci-vm-10-0-137-213 ~]# rpm -q ipa-client sssd
ipa-client-4.6.5-11.el7.x86_64
sssd-1.16.4-21.el7.x86_64
[root@ci-vm-10-0-137-213 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.7 (Maipo)
[root@ci-vm-10-0-137-213 ~]#
Steps:
[root@ci-vm-10-0-137-242 ~]# kinit admin
Password for admin:
[root@ci-vm-10-0-137-242 ~]# ipa hbacrule-add --usercat=all --hostcat=all --servicecat=all any_to_any
----------------------------
Added HBAC rule "any_to_any"
----------------------------
Rule name: any_to_any
User category: all
Host category: all
Service category: all
Enabled: TRUE
[root@ci-vm-10-0-137-242 ~]# ipa user-add --first=u --last=1 u1
---------------
Added user "u1"
---------------
User login: u1
First name: u
Last name: 1
Full name: u 1
Display name: u 1
Initials: u1
Home directory: /home/u1
GECOS: u 1
Login shell: /bin/sh
Principal name: u1
Principal alias: u1
Email address: u1
UID: 1194400001
GID: 1194400001
Password: False
Member of groups: ipausers
Kerberos keys available: False
[root@ci-vm-10-0-137-242 ~]# ipa passwd u1
New Password:
Enter New Password again to verify:
----------------------------------------
Changed password for "u1"
----------------------------------------
[root@ci-vm-10-0-137-242 ~]# ipa group-add a
---------------
Added group "a"
---------------
Group name: a
GID: 1194400003
[root@ci-vm-10-0-137-242 ~]# ipa group-add b
---------------
Added group "b"
---------------
Group name: b
GID: 1194400004
[root@ci-vm-10-0-137-242 ~]# ipa group-add c
---------------
Added group "c"
---------------
Group name: c
GID: 1194400005
[root@ci-vm-10-0-137-242 ~]# ipa group-add-member --groups=a b
Group name: b
GID: 1194400004
Member groups: a
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-137-242 ~]# ipa group-add-member --groups=b c
Group name: c
GID: 1194400005
Member groups: b
Indirect Member groups: a
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-137-242 ~]# ipa group-add-member --users=u1 a
Group name: a
GID: 1194400003
Member users: u1
Member of groups: b
Indirect Member of group: c
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-137-242 ~]# ipa user-show u1 | grep group
Member of groups: a, ipausers
Indirect Member of group: b, c
[root@ci-vm-10-0-137-242 ~]# service sssd stop; find /var/lib/sss/ ! -type d -delete; systemctl start sssd
Redirecting to /bin/systemctl stop sssd.service
[root@ci-vm-10-0-137-242 ~]# vim /etc/hosts
[root@ci-vm-10-0-137-242 ~]# ssh -q u1.test groups
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
Could not chdir to home directory /home/u1: No such file or directory
u1 a b c
[root@ci-vm-10-0-137-242 ~]# ipa group-add-member --users=u1 b
Group name: b
GID: 1194400004
Member users: u1
Member groups: a
Member of groups: c
-------------------------
Number of members added 1
-------------------------
On Client:
[root@ci-vm-10-0-137-213 ~]# ssh -q u1.test groups
Password:
u1 a b c
Could not chdir to home directory /home/u1: No such file or directory
On Server:
[root@ci-vm-10-0-137-242 ~]# ipa group-remove-member --users=u1 b
Group name: b
GID: 1194400004
Member groups: a
Member of groups: c
Indirect Member users: u1
---------------------------
Number of members removed 1
---------------------------
On Client:
[root@ci-vm-10-0-137-213 ~]# ssh -q u1.test groups
Password:
Could not chdir to home directory /home/u1: No such file or directory
u1 a c
Group "b" is missing
Verification:
On Master:
[root@ci-vm-10-0-139-86 ~]# rpm -q ipa-server ipa-server-dns sssd
ipa-server-4.6.5-11.el7.x86_64
ipa-server-dns-4.6.5-11.el7.noarch
sssd-1.16.4-21.el7_7.4.x86_64
On Client:
[root@ci-vm-10-0-136-90 ~]# rpm -q ipa-client sssd
ipa-client-4.6.5-11.el7.x86_64
sssd-1.16.4-21.el7_7.4.x86_64
[root@ci-vm-10-0-139-86 ~]# kinit admin
Password for admin:
[root@ci-vm-10-0-139-86 ~]# ipa host-find
---------------
2 hosts matched
---------------
Host name: client.testrealm.test
Principal name: host/client.testrealm.test
Principal alias: host/client.testrealm.test
SSH public key fingerprint: SHA256:Eeg05xPJ064IA7KqM1kmg4b1BUh8FVa4QMWVuNE1UXk (ssh-rsa), SHA256:Bkj0JI3YOvrfb0CEiy18spw5pgvqvo0hhb+1FnI08LE
(ecdsa-sha2-nistp256), SHA256:Lo7gl8ij6mE7EuoFYzq6KKtB5qMXjPtrbcsDq58A1aE (ssh-ed25519)
Host name: master.testrealm.test
Principal name: host/master.testrealm.test
Principal alias: host/master.testrealm.test
SSH public key fingerprint: SHA256:Eeg05xPJ064IA7KqM1kmg4b1BUh8FVa4QMWVuNE1UXk (ssh-rsa), SHA256:Bkj0JI3YOvrfb0CEiy18spw5pgvqvo0hhb+1FnI08LE
(ecdsa-sha2-nistp256), SHA256:Lo7gl8ij6mE7EuoFYzq6KKtB5qMXjPtrbcsDq58A1aE (ssh-ed25519)
----------------------------
Number of entries returned 2
----------------------------
[root@ci-vm-10-0-139-86 ~]# vim test.sh
[root@ci-vm-10-0-139-86 ~]#
[root@ci-vm-10-0-139-86 ~]# sh -x test.sh
+ ipa hbacrule-add --usercat=all --hostcat=all --servicecat=all any_to_any
----------------------------
Added HBAC rule "any_to_any"
----------------------------
Rule name: any_to_any
User category: all
Host category: all
Service category: all
Enabled: TRUE
+ ipa user-add --first=u --last=1 u1
---------------
Added user "u1"
---------------
User login: u1
First name: u
Last name: 1
Full name: u 1
Display name: u 1
Initials: u1
Home directory: /home/u1
GECOS: u 1
Login shell: /bin/sh
Principal name: u1
Principal alias: u1
Email address: u1
UID: 1847400001
GID: 1847400001
Password: False
Member of groups: ipausers
Kerberos keys available: False
+ ipa passwd u1
New Password:
Enter New Password again to verify:
----------------------------------------
Changed password for "u1"
----------------------------------------
+ ipa group-add a
---------------
Added group "a"
---------------
Group name: a
GID: 1847400003
+ ipa group-add b
---------------
Added group "b"
---------------
Group name: b
GID: 1847400004
+ ipa group-add c
---------------
Added group "c"
---------------
Group name: c
GID: 1847400005
+ ipa group-add-member --groups=a b
Group name: b
GID: 1847400004
Member groups: a
-------------------------
Number of members added 1
-------------------------
+ ipa group-add-member --groups=b c
Group name: c
GID: 1847400005
Member groups: b
Indirect Member groups: a
-------------------------
Number of members added 1
-------------------------
+ ipa group-add-member --users=u1 a
Group name: a
GID: 1847400003
Member users: u1
Member of groups: b
Indirect Member of group: c
-------------------------
Number of members added 1
-------------------------
+ ipa user-show u1
+ grep group
Member of groups: a, ipausers
Indirect Member of group: b, c
[root@ci-vm-10-0-139-86 ~]# service sssd stop; find /var/lib/sss/ ! -type d -delete; service sssd start
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
[root@ci-vm-10-0-139-86 ~]# ssh -q u1.test groups
[root@ci-vm-10-0-139-86 ~]# ping client.testrealm.test
ping: client.testrealm.test: Name or service not known
[root@ci-vm-10-0-139-86 ~]# vim /etc/hosts
[root@ci-vm-10-0-139-86 ~]# ssh -q u1.test groups
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
Could not chdir to home directory /home/u1: No such file or directory
u1 a b c
[root@ci-vm-10-0-139-86 ~]# ipa group-add-member --users=u1 b
Group name: b
GID: 1847400004
Member users: u1
Member groups: a
Member of groups: c
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-136-90 ~]# ssh -q u1.test groups
Password:
Could not chdir to home directory /home/u1: No such file or directory
u1 a b c
on master:
[root@ci-vm-10-0-139-86 ~]# sss_cache -E; systemctl restart sssd
[root@ci-vm-10-0-139-86 ~]# ipa group-remove-member --users=u1 b
Group name: b
GID: 1847400004
Member groups: a
Member of groups: c
Indirect Member users: u1
---------------------------
Number of members removed 1
---------------------------
on client:
[root@ci-vm-10-0-136-90 ~]# ssh -q u1.test groups
Password:
Could not chdir to home directory /home/u1: No such file or directory
u1 a b c
Group “b” is present
Scenario from https://bugzilla.redhat.com/show_bug.cgi?id=1782087#c0
[root@ci-vm-10-0-139-86 ~]# sh -x test2.sh
+ kinit admin
Password for admin:
+ ipa user-add user1
First name: user
Last name: one
------------------
Added user "user1"
------------------
User login: user1
First name: user
Last name: one
Full name: user one
Display name: user one
Initials: uo
Home directory: /home/user1
GECOS: user one
Login shell: /bin/sh
Principal name: user1
Principal alias: user1
Email address: user1
UID: 1847400006
GID: 1847400006
Password: False
Member of groups: ipausers
Kerberos keys available: False
+ ipa group-add child1
--------------------
Added group "child1"
--------------------
Group name: child1
GID: 1847400007
+ ipa group-add child2
--------------------
Added group "child2"
--------------------
Group name: child2
GID: 1847400008
+ ipa group-add parent
--------------------
Added group "parent"
--------------------
Group name: parent
GID: 1847400009
+ ipa group-add-member parent --group child1
Group name: parent
GID: 1847400009
Member groups: child1
-------------------------
Number of members added 1
-------------------------
+ ipa group-add-member parent --group child2
Group name: parent
GID: 1847400009
Member groups: child1, child2
-------------------------
Number of members added 1
-------------------------
+ ipa group-add-member child1 --user user1
Group name: child1
GID: 1847400007
Member users: user1
Member of groups: parent
-------------------------
Number of members added 1
-------------------------
+ ipa group-add-member child2 --user user1
Group name: child2
GID: 1847400008
Member users: user1
Member of groups: parent
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-139-86 ~]# sss_cache -E; systemctl restart sssd
[root@ci-vm-10-0-139-86 ~]# id user1
uid=1847400006(user1) gid=1847400006(user1) groups=1847400006(user1),1847400009(parent),1847400008(child2),1847400007(child1)
[root@ci-vm-10-0-139-86 ~]# sss_cache -E; systemctl restart sssd
[root@ci-vm-10-0-139-86 ~]# getent group parent
parent:*:1847400009:user1
[root@ci-vm-10-0-139-86 ~]# sss_cache -E; systemctl restart sssd
[root@ci-vm-10-0-139-86 ~]# ipa user-show user1
User login: user1
First name: user
Last name: one
Home directory: /home/user1
Login shell: /bin/sh
Principal name: user1
Principal alias: user1
Email address: user1
UID: 1847400006
GID: 1847400006
Account disabled: False
Password: False
Member of groups: ipausers, child1, child2
Indirect Member of group: parent
Kerberos keys available: False
[root@ci-vm-10-0-139-86 ~]# ipa group-remove-member parent --group child1
Group name: parent
GID: 1847400009
Member groups: child2
Indirect Member users: user1
---------------------------
Number of members removed 1
---------------------------
[root@ci-vm-10-0-139-86 ~]# sss_cache -E; systemctl restart sssd
[root@ci-vm-10-0-139-86 ~]# id user1
uid=1847400006(user1) gid=1847400006(user1) groups=1847400006(user1),1847400007(child1),1847400008(child2),1847400009(parent) <-------- parent present
[root@ci-vm-10-0-139-86 ~]# sss_cache -E; systemctl restart sssd
[root@ci-vm-10-0-139-86 ~]# getent group parent
parent:*:1847400009:user1 <------------- user1 present
[root@ci-vm-10-0-139-86 ~]# sss_cache -E; systemctl restart sssd
[root@ci-vm-10-0-139-86 ~]# ipa user-show user1
User login: user1
First name: user
Last name: one
Home directory: /home/user1
Login shell: /bin/sh
Principal name: user1
Principal alias: user1
Email address: user1
UID: 1847400006
GID: 1847400006
Account disabled: False
Password: False
Member of groups: ipausers, child1, child2
Indirect Member of group: parent <---------------------- parent present
Kerberos keys available: False
[root@ci-vm-10-0-139-86 ~]#
Based on the above observations, verifying the bugzilla.
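The membership logic behind both transcripts above (u1 in a/b/c in the reproducer, user1 in child1/child2/parent in the verification), as an added Python model that is not SSSD's code: it computes the transitive memberOf closure for a group graph and contrasts a simplified model of the pre-fix removal, which strips the removed group from nested members without checking for another path, with recomputation from the remaining edges. Group and user names are taken from the page; the two update strategies are my simplification of the plugin's behaviour, not its implementation.

```python
from collections import defaultdict

# Constructed group graphs for the two scenarios on this page; each value is
# the set of direct members (users or groups) of that group after the ipa setup.
SCENARIO_ABC = {"a": {"u1"}, "b": {"a", "u1"}, "c": {"b"}}  # a in b, b in c
SCENARIO_PARENT = {"parent": {"child1", "child2"},
                   "child1": {"user1"}, "child2": {"user1"}}

def _reach(edges, start):
    """All nodes reachable from `start` by following `edges` (dict of sets)."""
    seen, stack = set(), list(edges.get(start, ()))
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(edges.get(node, ()))
    return seen

def compute_memberof(members):
    """Full recomputation: each entity -> every group reachable by any path."""
    parents = defaultdict(set)
    for group, direct in members.items():
        for m in direct:
            parents[m].add(group)
    return {e: _reach(parents, e) for e in set(parents) | set(members)}

def remove_member_buggy(members, memberof, group, member):
    """Pre-fix behaviour (simplified model, not the plugin's code): strip `group`
    from `member` and everything nested under it without checking other paths."""
    members[group].discard(member)
    for entity in {member} | _reach(members, member):
        memberof[entity].discard(group)
    return memberof

def remove_member_fixed(members, memberof, group, member):
    """Post-fix behaviour: a group is dropped only when no path to it remains."""
    members[group].discard(member)
    return compute_memberof(members)

def groups_after_removal(members, group, member, user, remover):
    """Apply one removal with the given strategy and return the sorted groups
    `user` still belongs to, i.e. what `id`/`groups` on the client would show."""
    members = {g: set(d) for g, d in members.items()}  # work on a copy
    memberof = remover(members, compute_memberof(members), group, member)
    return sorted(memberof[user])

if __name__ == "__main__":
    for label, fn in (("buggy", remove_member_buggy), ("fixed", remove_member_fixed)):
        print(label, groups_after_removal(SCENARIO_PARENT, "parent", "child1", "user1", fn))
```

The buggy strategy reproduces both observed client results on the page ("u1 a c" and user1 losing parent); the fixed strategy keeps b and parent because a second path still exists.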
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:1990