Bug 2017869

Summary: Over time a user loses group membership to 'Domain Users' group
Product: Red Hat Enterprise Linux 8
Reporter: Chetan Patil <cpatil>
Component: sssd
Assignee: Sumit Bose <sbose>
Status: NEW
QA Contact: sssd-qe
Severity: medium
Priority: unspecified
Version: 8.4
CC: aboscatt, atikhono, Colin.Simpson, dannys, grajaiya, lslebodn, mzidek, pbrezina, pkulkarn, tscherf
Target Milestone: rc
Keywords: Triaged
Flags: atikhono: needinfo? (pkulkarn)
Hardware: All
OS: Linux
Type: Bug

Description Chetan Patil 2021-10-27 15:23:24 UTC
Description of problem:

Over time a user might lose its group membership to the 'Domain Users' group. You're using UIDs and GIDs stored in AD, which typically means that the gIDNumber LDAP attribute of the user in AD is not pointing to the 'Domain Users' group but to a different one.

So the user has a primary group in the POSIX sense (gIDNumber) and a primary group in the AD sense (typically 'Domain Users'). Typically SSSD tries to make the primary AD group ('Domain Users') a secondary group so as not to lose this group membership. It looks like this initially works, but when later on the 'Domain Users' group is looked up, the user gets removed because (as explained above) the users are not listed as members of the 'Domain Users' group.

In other cases SSSD stores the primary AD group in a special attribute of the user so that it cannot get lost, but it looks like in this case (UID and GID stored in AD) this does not work as expected.

Version-Release number of selected component (if applicable):

sssd-2.4.0-9.el8_4.2.x86_64
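The following is an added example, not part of this bug report or of SSSD itself: a small POSIX sh check an administrator can run to spot the symptom described above on a host. It reads the single line that `id USER` prints (the samples below are constructed so the script runs offline; on a real host you would pass `"$(id "$user")"` instead) and reports whether the POSIX primary group differs from 'Domain Users' (the precondition of this report) and whether 'Domain Users' is still present among the supplementary groups. The group names, GIDs and the `example.com` suffix are assumptions for the sample only.

```shell
#!/bin/sh
# Added example (not from the bug report): detect a domain user whose
# 'Domain Users' membership has dropped out of the SSSD-provided group list.

# extract_gid_name ID_LINE -> prints the name inside gid=NNN(name)
extract_gid_name() {
    printf '%s\n' "$1" | sed -n 's/.*gid=[0-9]*(\([^)]*\)).*/\1/p'
}

# extract_groups ID_LINE -> prints supplementary group names, one per line
# (group names may contain spaces, so they are split on newlines, not IFS)
extract_groups() {
    printf '%s\n' "$1" | sed -n 's/.*groups=\(.*\)$/\1/p' \
        | tr ',' '\n' | sed 's/^[0-9]*(\(.*\))$/\1/'
}

# lc STRING -> lowercase copy (AD group names are case-insensitive)
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# check_domain_users ID_LINE -> prints one of:
#   primary - gidNumber already points at 'Domain Users'; not this bug's scenario
#   ok      - POSIX primary group differs and 'Domain Users' is still secondary
#   lost    - POSIX primary group differs and 'Domain Users' is missing
#             from the supplementary list (the symptom reported above)
check_domain_users() {
    gid_name=$(extract_gid_name "$1")
    # SSSD may append @DOMAIN to names; compare on the bare name
    case $(lc "${gid_name%%@*}") in
        "domain users") echo primary; return 0 ;;
    esac
    found=0
    groups=$(extract_groups "$1")
    old_ifs=$IFS
    IFS='
'
    for g in $groups; do
        case $(lc "${g%%@*}") in
            "domain users") found=1 ;;
        esac
    done
    IFS=$old_ifs
    if [ "$found" -eq 1 ]; then echo ok; else echo lost; fi
}

# Constructed sample lines in the shape `id USER` prints under SSSD.
SAMPLE_OK='uid=1000(alice@example.com) gid=2000(unixgrp@example.com) groups=2000(unixgrp@example.com),3000(Domain Users@example.com),2010(linux admins@example.com)'
SAMPLE_LOST='uid=1000(alice@example.com) gid=2000(unixgrp@example.com) groups=2000(unixgrp@example.com),2010(linux admins@example.com)'
SAMPLE_PRIMARY='uid=1001(bob@example.com) gid=3000(Domain Users@example.com) groups=3000(Domain Users@example.com)'

# Demonstration on the constructed samples; replace with "$(id "$user")" on a host.
printf 'alice (before): %s\n' "$(check_domain_users "$SAMPLE_OK")"
printf 'alice (after):  %s\n' "$(check_domain_users "$SAMPLE_LOST")"
printf 'bob:            %s\n' "$(check_domain_users "$SAMPLE_PRIMARY")"
```

Running the check for the affected users before and after a `getent group 'Domain Users'` lookup makes the transition from `ok` to `lost` visible; the `primary` branch exists so hosts where gidNumber already maps to 'Domain Users' are not flagged, since those are outside the scenario this report describes.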