Bug 1884281

Summary: Secondary LDAP group go missing from 'id' command
Product: Red Hat Enterprise Linux 8 Reporter: Alexey Tikhonov <atikhono>
Component: sssd Assignee: Tomas Halman <thalman>
Status: CLOSED ERRATA QA Contact: Steeve Goveas <sgoveas>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.3 CC: dlavu, grajaiya, jhrozek, lslebodn, mzidek, pbrezina, tscherf
Target Milestone: rc Flags: pm-rhel: mirror+
Target Release: 8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: sync-to-jira
Fixed In Version: sssd-2.4.0-1.el8 Doc Type: If docs needed, set a value
Last Closed: 2021-05-18 15:03:59 UTC Type: Bug
Bug Depends On: 1881992    

Description Alexey Tikhonov 2020-10-01 14:28:44 UTC
This bug was initially created as a copy of Bug #1859554

I am copying this bug because: to track fix for RHEL8



Description of problem:
Secondary LDAP groups go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1

Version-Release number of selected component (if applicable):
sssd-1.16.2-37.el7_8.1.x86_64

How reproducible:
Always on RHEL 7.8

Steps to Reproduce:
1. Configure sssd and point it to LDAP server with 'id_provider = ldap' mode.
2. Run 'id ldapusername' command.
3. Secondary groups would go missing from 'id' output after 25-30 mins.

Actual results:
Secondary groups go missing from 'id' output after 25-30 mins.

Expected results:
Secondary groups should always be visible in 'id' output.

Additional info:
Same SSSD configuration works very well with an older version of sssd on RHEL 7.7 (tested with sssd-1.16.4-21.el7.x86_64).
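
A check for the symptom in the steps above, as an added example that is not part of the original bug report: it records the groups `id -Gn` returns for a user and reports any that later disappear. The function names, the 300-second polling interval and the `group-watch` log tag are assumptions, and group names are assumed to contain no spaces.

```sh
#!/bin/sh
# Added example (not from the bug report): detect secondary groups
# dropping out of `id` output over time.

# missing_groups BASELINE CURRENT
# Both arguments are space-separated group lists as printed by `id -Gn`.
# Prints, one per line, every group in BASELINE that is absent from CURRENT.
# Whole-word matching, so losing "dev" is not hidden by a remaining "devs".
missing_groups() {
    for g in $1; do
        case " $2 " in
            *" $g "*) ;;                 # still present
            *) printf '%s\n' "$g" ;;     # dropped since the baseline
        esac
    done
}

# watch_groups USER [INTERVAL_SECONDS]
# Takes a baseline right away, then polls. Returns 1 on the first loss,
# 2 if the user cannot be resolved at all when the baseline is taken.
watch_groups() {
    user=$1
    interval=${2:-300}   # assumption: poll every 5 minutes
    baseline=$(id -Gn "$user" 2>/dev/null) || {
        echo "cannot resolve user: $user" >&2
        return 2
    }
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) baseline for $user: $baseline"
    while sleep "$interval"; do
        # An empty result (lookup failure) counts as every group being lost.
        current=$(id -Gn "$user" 2>/dev/null)
        lost=$(missing_groups "$baseline" "$current" | tr '\n' ' ')
        if [ -n "$lost" ]; then
            msg="$user lost groups: $lost(now: $current)"
            echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $msg"
            logger -p auth.warning -t group-watch "$msg"
            return 1
        fi
    done
}

# Start watching only when a user name is given on the command line.
if [ "$#" -ge 1 ]; then
    watch_groups "$@"
fi
```

Run it as `sh group-watch.sh ldapusername` right after the first `id` lookup and leave it running past the 25-30 minute mark.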

Comment 1 Alexey Tikhonov 2020-10-01 14:38:18 UTC
PR: https://github.com/SSSD/sssd/pull/5262

Comment 3 Alexey Tikhonov 2020-10-02 10:37:01 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/5262

* `master`
    * 88631392e9172ae4fa3e411398516a2f39f0060e - intg: allow member DN to have a different case
    * 50d0d154cedb6915ab321b47c40851c40e91cf41 - ldap: use member DN to create ghost user hash table
    * fe0f1e64e8a77dadde699495c7eb368ce61ac992 - UTIL: Use sss_sanitize_dn where we deal with DN 2
    * 21b9417e14ce35a2548c309642325ac43103d51e - UTIL: Use sss_sanitize_dn where we deal with DN
    * 093061f553ab0a2c316794221e79779fb1bd40d2 - UTIL: DN sanitization

Comment 10 errata-xmlrpc 2021-05-18 15:03:59 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1666