Bug 2133854

Summary: [RHEL9] In some cases when `sdap_add_incomplete_groups()` is called with `ignore_group_members = true`, groups should be treated as complete
Product: Red Hat Enterprise Linux 9
Component: sssd
Version: 9.1
Status: VERIFIED
Severity: low
Priority: high
Reporter: Alexey Tikhonov <atikhono>
Assignee: Alexey Tikhonov <atikhono>
QA Contact: shridhar <sgadekar>
CC: aboscatt, abroy, alex.wang, awang, bcygan, ccheney, dbelyavs, dongbo.ma, jingyi, jjelen, jscheibe, pasik, pbrezina, sgadekar, tmihinto, tpass, tscherf
Target Milestone: rc
Keywords: Improvement, Performance, Triaged
Hardware: Unspecified
OS: Unspecified
Whiteboard: sync-to-jira
Fixed In Version: sssd-2.9.1-1.el9
Doc Type: If docs needed, set a value
Type: Bug

Description Alexey Tikhonov 2022-10-11 15:23:51 UTC
Example workflow:
 - SSSD client is enrolled into an AD domain (Token-Groups are enabled)
 - `id $user` is executed
 - initgroups() is called for this user
 - during processing of initgroups(), sssd_be obtains a list of group SIDs the user is a member of, then partially resolves those groups and adds them to the local cache as "incomplete"
 - as a next step, `id` calls getgrnam() for every group in the initgroups() list
 - since the groups are saved into the cache as "incomplete" (technically, "expired"), this again results in an LDAP search for each group. But if `ignore_group_members = true`, this search doesn't provide any new information. "Incomplete" groups could be used instead.

This is just an example workflow. There are probably other use cases.

Comment 42 Alexey Tikhonov 2023-06-14 19:09:10 UTC
Upstream PR: https://github.com/SSSD/sssd/pull/6775

Comment 43 Alexey Tikhonov 2023-06-21 13:25:57 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/6775

* `master`
    * 2fd5374fdf78bc7330bd9e6f3b86bec86bdf592b - SYSDB: in case (ignore_group_members == true) group is actually complete
* `sssd-2-9`
    * d3c3408e0ef1df13c8c4d7fb6dc394fdb9a0886c - SYSDB: in case (ignore_group_members == true) group is actually complete