Bug 1975329

Summary: Regression: 'usermod -G' fails if user has any remote groups
Product: Red Hat Enterprise Linux 9
Reporter: Michael Catanzaro <mcatanza>
Component: shadow-utils
Assignee: Iker Pedrosa <ipedrosa>
Status: CLOSED CURRENTRELEASE
QA Contact: Anuj Borah <aborah>
Severity: high
Priority: high
Version: 9.0
CC: aborah, ipedrosa, ogutierr, pbrezina, rstrode, sssd-qe
Target Milestone: beta
Keywords: Triaged
Hardware: All
OS: Linux
Whiteboard: sync-to-jira
Fixed In Version: shadow-utils-4.9-1.el9
Doc Type: If docs needed, set a value
Clone Of: 1967641
Last Closed: 2021-12-07 21:52:33 UTC
Type: Bug
Bug Depends On: 1967641

Description Michael Catanzaro 2021-06-23 12:36:20 UTC
+++ This bug was initially created as a clone of Bug #1967641 +++

Description of problem: Since bug #1727236 was fixed, 'usermod -G' now fails if the user is a member of any remote groups. This breaks accountsservice's org.freedesktop.Accounts.User.SetAccountType method.


Version-Release number of selected component (if applicable): shadow-utils-2:4.6-12.el8


How reproducible: Always


Steps to Reproduce:
1. Somehow add user to remote group (either by enrolling with IPA server or with Active Directory)... this is hard, don't ask me how :)
2. Try to change user's account type from standard to administrator or vice versa in gnome-control-center. Or do it manually via D-Bus.

Actual results:

$ gdbus call --system --dest org.freedesktop.Accounts --object-path /org/freedesktop/Accounts/User1636600000 --method org.freedesktop.Accounts.User.SetAccountType 1
Error: GDBus.Error:org.freedesktop.Accounts.Error.Failed: running '/usr/sbin/usermod' failed: Child process exited with code 6


Expected results: There should be no error!


Additional info: See https://github.com/shadow-maint/shadow/issues/338 for upstream discussion. The problem is the patch added in bug #1727236 doesn't just prevent adding users to remote groups, it also prevents *not removing* users from remote groups, i.e. it prevents us from keeping remote group membership unchanged. In order to add the user to a new local group, we now have to remove all the user's remote group memberships, since that's the only way to prevent usermod from claiming the groups don't exist.
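The following check, added here as an example and not taken from the bug report or from shadow-utils, shows why the `-G` list fails: it classifies a user's current groups as local or remote against a group database and reports the exit code usermod 4.6 would give. The group database, the user `alice`, her group list and the group `wheel` being added are all constructed sample values.

```sh
# Constructed stand-in for /etc/group: only these four groups are "local".
GROUP_DB='root:x:0:
wheel:x:10:
users:x:100:
alice:x:1000:'

# Constructed stand-in for `id -Gn alice`: two local groups and two remote
# (IPA/AD) groups that appear in no local file.
ALICE_GROUPS="alice users ipausers domain-admins"

# is_local_group NAME: succeed if NAME has an entry in GROUP_DB.
is_local_group() {
    printf '%s\n' "$GROUP_DB" | grep -q -- "^$1:"
}

# split_groups "g1 g2 ...": print "local:<list>" and "remote:<list>".
split_groups() {
    local_list=""; remote_list=""
    for g in $1; do
        if is_local_group "$g"; then
            local_list="${local_list:+$local_list,}$g"
        else
            remote_list="${remote_list:+$remote_list,}$g"
        fi
    done
    printf 'local:%s\nremote:%s\n' "$local_list" "$remote_list"
}

# usermod_G_check "g1 g2 ..." NEWGROUP: print the -G argument that keeps the
# current membership and adds NEWGROUP; return 6 (usermod's "specified group
# doesn't exist" exit code) when any name in it is not a local group.
usermod_G_check() {
    arg=""; status=0
    for g in $1 "$2"; do
        arg="${arg:+$arg,}$g"
        is_local_group "$g" || status=6
    done
    printf '%s\n' "$arg"
    return "$status"
}

# workaround_G_list "g1 g2 ..." NEWGROUP: the list the reporter is forced to
# pass instead: local groups plus NEWGROUP, every remote membership dropped.
workaround_G_list() {
    arg=""
    for g in $1 "$2"; do
        if is_local_group "$g"; then arg="${arg:+$arg,}$g"; fi
    done
    printf '%s\n' "$arg"
}
```

Running `usermod_G_check "$ALICE_GROUPS" wheel` prints the full list and exits 6, which is the failure gdbus reports above; `workaround_G_list` shows what the caller has to send instead, and what membership is lost by doing so.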