Bug 866021

Summary: SSSD loses groups from the cache when local user is accessed
Product: Red Hat Enterprise Linux 6
Reporter: Everard Brown <bugzilla.redhat>
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED DUPLICATE
QA Contact: Kaushik Banerjee <kbanerje>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 6.3
CC: bugzilla.redhat, grajaiya, jgalipea
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-10-16 17:01:52 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Everard Brown 2012-10-13 10:27:07 UTC
Description of problem:
The group associations are lost when group information for a local user occurs.


Version-Release number of selected component (if applicable):
sssd-1.8.0-32.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Add a local user (e.g. install apache)
2. Add apache to the memberUid of an LDAP group
3. Query the LDAP group info (getent ldap_group)
4. Query user/group info for an LDAP user (id -a ldap_user)
5. Query the LDAP group info (getent ldap_group)
6. Query user/group info for apache (id -a apache)
7. Query the LDAP group info (getent ldap_group)

Actual results:
# sss_cache -G -U ; getent group ldap_group && id -a ldap_user && getent group ldap_group && id -a apache && getent group ldap_group

ldap_group:*:501:apache
uid=501(ldap_user) gid=501(ldap_group) groups=501(ldap_group)
ldap_group:*:501:apache
uid=48(apache) gid=48(apache) groups=48(apache)
ldap_group:*:501:


Expected results:
# sss_cache -G -U ; getent group ldap_group && id -a ldap_user && getent group ldap_group && id -a apache && getent group ldap_group

ldap_group:*:501:apache
uid=501(ldap_user) gid=501(ldap_group) groups=501(ldap_group)
ldap_group:*:501:apache
uid=48(apache) gid=48(apache) groups=48(apache),501(ldap_group)
ldap_group:*:501:apache


Additional info:
Similar to https://bugzilla.redhat.com/show_bug.cgi?id=649312 but that regression test will not catch the actual problem

Comment 2 Jakub Hrozek 2012-10-16 16:54:00 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1020

Comment 3 Jakub Hrozek 2012-10-16 17:00:00 UTC
The SSSD is designed so that it only looks for group members in the same domain as the original group, also because the SSSD supports multiple domains and in a multi-domain environment, just saying "member: foo" would be ambiguous. 

If the member is not present in the same domain, then, as far as the SSSD is concerned, it is the same as if the member did not exist at all.

Improving this kind of setup is planned for the 1.11 release at the moment. In the meantime, I would recommend adding the apache user to LDAP as well.
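
An added check that follows from the behaviour described in this comment (example code written for this page, not part of the bug report or of SSSD): it audits posixGroup entries for memberUid values with no matching user in the group's own LDAP domain, which SSSD will treat as nonexistent and drop from the cached group. The LDIF, the passwd excerpt and the LDAP user set are constructed samples.

```python
import re

# Constructed sample LDIF, not taken from any real directory.
LDIF = """dn: cn=ldap_group,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: ldap_group
gidNumber: 501
memberUid: apache
memberUid: ldap_user
memberUid: stale_uid
"""
# Constructed /etc/passwd excerpt: apache exists only as a local account.
LOCAL_PASSWD = """root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
"""
# uid values of posixAccount entries in the same LDAP domain as the group.
LDAP_USERS = {"ldap_user"}


def parse_groups(ldif):
    """Return {cn: [memberUid, ...]} from a minimal posixGroup LDIF."""
    groups = {}
    for entry in re.split(r"\n\s*\n", ldif.strip()):
        cn, members = None, []
        for line in entry.splitlines():
            key, _, value = line.partition(":")
            if key.strip() == "cn":
                cn = value.strip()
            elif key.strip() == "memberUid":
                members.append(value.strip())
        if cn:
            groups[cn] = members
    return groups


def audit(ldif, passwd, ldap_users):
    """Map cn -> [(memberUid, reason)] for members SSSD cannot resolve."""
    local = {ln.split(":")[0] for ln in passwd.splitlines() if ln.strip()}
    report = {}
    for cn, members in parse_groups(ldif).items():
        # A member that is local-only or unknown is invisible to SSSD here.
        bad = [(m, "local-only account" if m in local else "unknown account")
               for m in members if m not in ldap_users]
        if bad:
            report[cn] = bad
    return report

if __name__ == "__main__":
    for cn, bad in audit(LDIF, LOCAL_PASSWD, LDAP_USERS).items():
        for member, reason in bad:
            print(f"{cn}: memberUid {member} will not resolve ({reason})")
```

Members reported as "local-only account" are the ones this bug affects; per the comment above, the workaround is to create them in LDAP as well.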

Comment 4 Jakub Hrozek 2012-10-16 17:01:52 UTC

*** This bug has been marked as a duplicate of bug 732474 ***