Bug 1975327

Summary: Regression: 'usermod -G' fails if user has any remote groups
Product: [Fedora] Fedora
Reporter: Michael Catanzaro <mcatanza>
Component: shadow-utils
Assignee: Iker Pedrosa <ipedrosa>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 35
CC: ipedrosa, ogutierr, pbrezina, pvrabec, rstrode, sssd-qe, tm
Target Milestone: ---
Keywords: Triaged
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: sync-to-jira
Fixed In Version: shadow-utils-4.8.1-9.fc34 shadow-utils-4.8.1-7.fc33
Doc Type: If docs needed, set a value
Story Points: ---
Clone Of: 1967641
Last Closed: 2021-08-16 01:17:11 UTC
Type: Bug
Bug Depends On: 1967641

Description Michael Catanzaro 2021-06-23 12:35:31 UTC
+++ This bug was initially created as a clone of Bug #1967641 +++

Description of problem: Since bug #1727236 was fixed, 'usermod -G' now fails if the user is a member of any remote groups. This breaks accountsservice's org.freedesktop.Accounts.User.SetAccountType method.


Version-Release number of selected component (if applicable): shadow-utils-2:4.6-12.el8


How reproducible: Always


Steps to Reproduce:
1. Somehow add user to remote group (either by enrolling with IPA server or with Active Directory)... this is hard, don't ask me how :)
2. Try to change user's account type from standard to administrator or vice-versa in gnome-control-center. Or do it manually via D-Bus.

Actual results:

$ gdbus call --system --dest org.freedesktop.Accounts --object-path /org/freedesktop/Accounts/User1636600000 --method org.freedesktop.Accounts.User.SetAccountType 1
Error: GDBus.Error:org.freedesktop.Accounts.Error.Failed: running '/usr/sbin/usermod' failed: Child process exited with code 6


Expected results: There should be no error!


Additional info: See https://github.com/shadow-maint/shadow/issues/338 for upstream discussion. The problem is the patch added in bug #1727236 doesn't just prevent adding users to remote groups, it also prevents *not removing* users from remote groups, i.e. it prevents us from keeping remote group membership unchanged. In order to add the user to a new local group, we now have to remove all the user's remote group memberships, since that's the only way to prevent usermod from claiming the groups don't exist.
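
A way to check whether an account is in the situation described above, as an added example that is not part of the original report or of shadow-utils. It assumes a group counts as remote when its GID has no entry in the local group file; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: list a user's supplementary groups that exist only in a
# remote source (IPA, Active Directory) and not in the local group file.

# remote_gids GROUP_FILE GID...
# Prints every GID that has no entry in GROUP_FILE (/etc/group format).
remote_gids() {
    group_file=$1
    shift
    for gid in "$@"; do
        # Field 3 of each group line is the GID; exit 0 only on a match.
        awk -F: -v gid="$gid" '$3 == gid { found = 1 } END { exit !found }' \
            "$group_file" || printf '%s\n' "$gid"
    done
}

# has_remote_groups GROUP_FILE GID...
# Returns 0 if at least one GID is remote-only, 1 otherwise.
has_remote_groups() {
    [ -n "$(remote_gids "$@")" ]
}

# Constructed sample data (not from the bug report): a small local group
# file and the GID list that `id -G` might print for a domain user.
write_sample_group_file() {
    cat > "$1" <<'EOF'
root:x:0:
wheel:x:10:alice
users:x:100:
EOF
}
SAMPLE_GIDS="1636600000 10 1636600513"

demo() {
    tmp=$(mktemp) || return 1
    write_sample_group_file "$tmp"
    # Word splitting of the GID list is intended here.
    remote_gids "$tmp" $SAMPLE_GIDS
    rm -f "$tmp"
}

# On a real host: remote_gids /etc/group $(id -G "$user")
demo
```

Comparing numeric GIDs from `id -G` avoids word-splitting problems with directory group names that contain spaces.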

Comment 1 Fedora Update System 2021-08-09 09:08:01 UTC
FEDORA-2021-a07b6f0fbb has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-a07b6f0fbb

Comment 2 Ben Cotton 2021-08-10 13:41:25 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 35 development cycle.
Changing version to 35.

Comment 3 Fedora Update System 2021-08-10 15:46:59 UTC
FEDORA-2021-a07b6f0fbb has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-a07b6f0fbb`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-a07b6f0fbb

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2021-08-16 01:17:11 UTC
FEDORA-2021-a07b6f0fbb has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 5 Fedora Update System 2021-08-16 08:39:29 UTC
FEDORA-2021-da17110288 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-da17110288

Comment 6 Fedora Update System 2021-08-17 01:53:45 UTC
FEDORA-2021-da17110288 has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-da17110288`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-da17110288

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2021-08-31 22:04:32 UTC
FEDORA-2021-da17110288 has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.