Bug 2222810

Summary: Cannot override gid of private user group
Product: Red Hat Enterprise Linux 9
Reporter: Tomasz Kepczynski <tomek>
Component: sssd
Assignee: Tomas Halman <thalman>
Status: NEW
QA Contact: sssd-qe
Severity: unspecified
Priority: unspecified
Version: 9.2
CC: aboscatt, allopez, pbrezina, rcritten, tscherf
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: sync-to-jira
Type: Bug

Description Tomasz Kepczynski 2023-07-13 19:18:42 UTC
Description of problem:
Cannot map overridden primary group id of the user with private user group back to group name.

Version-Release number of selected component (if applicable):
ipa-client-common-4.10.1-7.el9_2.noarch
ipa-selinux-4.10.1-7.el9_2.noarch
ipa-common-4.10.1-7.el9_2.noarch
ipa-client-4.10.1-7.el9_2.x86_64

How reproducible:
Always

Steps to Reproduce:

Create user override for a system which needs it:

vesemir:~> ipa idview-add TEST
--------------------
Added ID View "TEST"
--------------------
  ID View Name: TEST
vesemir:~> ipa idoverrideuser-add TEST tomek --uid=18519 --gidnumber=18519
------------------------------
Added User ID override "tomek"
------------------------------
  Anchor to override: tomek
  UID: 18519
  GID: 18519
vesemir:~> ipa idview-apply TEST --hosts=paulie
----------------------
Applied ID View "TEST"
----------------------
  hosts: paulie
---------------------------------------------
Number of hosts the ID View was applied to: 1
---------------------------------------------

Give some time to propagate the change to all replicas.
Clean sssd cache on paulie and restart it.

Now ssh to paulie:

vesemir:~> ssh paulie.XXXXX.org 
Last login: Thu Jul 13 21:01:26 2023 from 2a0X:XXXX:XXXX:3000:94cb:2ef5:6321:e82f
[tomek@paulie ~]$ id
uid=18519(tomek) gid=18519 grupy=18519,20000000 kontekst=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[tomek@paulie ~]$ getent passwd tomek
tomek:*:18519:18519:Tomasz KXXXXXXXXi:/home/tomek:/bin/bash
[tomek@paulie ~]$ getent group tomek
tomek:*:20000003:
[tomek@paulie ~]$ getent passwd 18519
tomek:*:18519:18519:Tomasz KXXXXXXXXi:/home/tomek:/bin/bash
[tomek@paulie ~]$ getent group 18519
[tomek@paulie ~]$ 

As seen above:
- user tomek has primary group id of 18519 - overridden
- but it is NOT resolvable back to group name
- additional note - 20000000 is gid for group admins and it is NOT resolved (this might be a separate bug as it was NOT overridden)

Try to override tomek group:

vesemir:~> ipa idoverridegroup-add TEST tomek --gid=18519
ipa: ERROR: invalid 'IPA object': system IPA objects (e.g. system groups, user private groups) cannot be overridden

Actual results:
Cannot override user's private user group.

Expected results:
User can keep private user group override AND that group CAN be overridden as necessary.

Additional info:
3 replicas in the domain, 2 - on AlmaLinux 9.2, 1 - on AlmaLinux 8.8.
All involved clients - on AlmaLinux 9.2.
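
An added check for the symptom reported above, not part of the original report and not SSSD or IPA code: it flags accounts whose primary GID does not resolve to a group, and accounts whose same-named private group carries a different GID. The function names (check_primary_groups, nss_lookup, sample_lookup) and the sample data are assumptions, constructed from the getent output in the session above.

```shell
#!/bin/sh
# Added example: audit primary-GID resolution after an ID view override.

# Default lookup: prints one group(5) line for a group name or numeric GID,
# or nothing when NSS (and therefore SSSD) cannot resolve the key.
nss_lookup() { getent group "$1"; }

# Constructed sample mirroring the session above (GECOS shortened).
SAMPLE_PASSWD='tomek:*:18519:18519:Tomasz K:/home/tomek:/bin/bash'
SAMPLE_GROUP='tomek:*:20000003:'

# Same contract as nss_lookup, but served from SAMPLE_GROUP (offline use).
sample_lookup() {
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v k="$1" '$1 == k || $3 == k'
}

# Reads passwd(5) lines on stdin; optional $1 names the lookup function.
# Prints one finding per line:
#   UNRESOLVED_GID <user> <primary_gid>
#   UPG_MISMATCH   <user> <primary_gid> <gid_of_same_named_group>
check_primary_groups() {
    lookup=${1:-nss_lookup}
    while IFS=: read -r user pw uid gid rest; do
        [ -n "$user" ] || continue
        # Skip malformed entries whose GID field is not numeric.
        case $gid in ''|*[!0-9]*) continue ;; esac
        # Primary GID must map back to a group entry.
        if [ -z "$("$lookup" "$gid")" ]; then
            echo "UNRESOLVED_GID $user $gid"
        fi
        # A group named after the user should carry the user's primary GID.
        by_name=$("$lookup" "$user" | cut -d: -f3)
        if [ -n "$by_name" ] && [ "$by_name" != "$gid" ]; then
            echo "UPG_MISMATCH $user $gid $by_name"
        fi
    done
}

# Demonstration on the constructed sample; on a real client use:
#   getent passwd tomek | check_primary_groups
printf '%s\n' "$SAMPLE_PASSWD" | check_primary_groups sample_lookup
```
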

Comment 2 Rob Crittenden 2023-07-14 13:11:31 UTC
Re-assigning the product for analysis. SSSD handles the implementation of the overrides.