Bug 869616

Summary: Issues when adding AD user as member of external group
Product: Red Hat Enterprise Linux 6
Reporter: Xiyang Dong <xdong>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Priority: medium
Version: 6.4
CC: abokovoy, dpal, mkosek, sbose, spoore, xdong
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-3.0.0-8.el6
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-02-21 09:28:52 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Xiyang Dong 2012-10-24 12:29:11 UTC
Description of problem:
1> Cannot use the name of an AD user; have to use wmic to get the SID for this user in order to add it as a member to an external group
    wmic useraccount get name,sid
 
2> When adding a duplicate AD user, the behaviour is different from a regular duplicate user
 
# ipa group-add-member --user=ttt aa
  Group name: aa
  Description: aaa
  External member: s-1-5-21-2048782538-2375889789-2933420090-1175, s-1-5-21-2048782538-2375889789-2933420090-1176,
                   s-1-5-21-2048782538-2375889789-2933420090-1179, s-1-5-21-2048782538-2375889789-2933420090-1155,
                   s-1-5-21-2048782538-2375889789-2933420090-1100
  Member users: ttt
  Member groups: ttt
  Failed members:
    member user: ttt: This entry is already a member
    member group:
-------------------------
Number of members added 0
-------------------------

# ipa group-add-member --external=s-1-5-21-2048782538-2375889789-2933420090-1175 aa
[member user]:
[member group]:
  Group name: aa
  Description: aaa
  External member: s-1-5-21-2048782538-2375889789-2933420090-1175, s-1-5-21-2048782538-2375889789-2933420090-1176,
                   s-1-5-21-2048782538-2375889789-2933420090-1179, s-1-5-21-2048782538-2375889789-2933420090-1155,
                   s-1-5-21-2048782538-2375889789-2933420090-1100
  Member users: ttt
  Member groups: ttt
-------------------------
Number of members added 0
-------------------------

2> Can use invalid SIDs, and the message says the member was added (-1100 is invalid)

[root@xdong ~]# ipa group-add-member --external=s-1-5-21-2048782538-2375889789-2933420090-1100 
Group name: bb
[member user]: 
[member group]: 
  Group name: bb
  Description: bb
  External member: s-1-5-21-2048782538-2375889789-2933420090-1175, s-1-5-21-2048782538-2375889789-2933420090-1100
-------------------------
Number of members added 1
-------------------------


How reproducible:

always

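The report above shows that `--external` members are raw SIDs (in one case lower-case `s-1-5-...`, in another upper-case `S-1-5-...`) and that a SID with a non-existent RID (`-1100`) is accepted without complaint. The following is an added example, not FreeIPA code: a small SID parser that normalises the string, emits the binary `objectSid` layout, and pre-checks that a candidate external member is a domain account SID of the expected trusted domain. The trusted-domain SID passed in and the "refuse RIDs below 1000" rule are assumptions for illustration; this is a structural check only and cannot tell that a well-formed SID such as the `-1100` one has no account behind it, which needs a lookup against the domain.

```python
import re
import struct
from dataclasses import dataclass

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$", re.IGNORECASE)


@dataclass(frozen=True)
class Sid:
    """A Windows security identifier: S-<revision>-<authority>-<subauthority>...-<RID>."""
    revision: int
    authority: int
    subauthorities: tuple

    @classmethod
    def parse(cls, text):
        m = SID_RE.match(text.strip())  # case-insensitive: 's-1-5-...' is accepted
        if not m:
            raise ValueError(f"not a SID string: {text!r}")
        subs = tuple(int(s) for s in m.group(3).split("-")[1:])
        if int(m.group(1)) != 1 or len(subs) > 15:
            raise ValueError(f"malformed SID: {text!r}")
        return cls(1, int(m.group(2)), subs)

    def __str__(self):
        return "S-%d-%d-%s" % (self.revision, self.authority,
                               "-".join(str(s) for s in self.subauthorities))

    def to_bytes(self):
        # objectSid wire layout: revision (1 byte), sub-authority count (1 byte),
        # authority (6 bytes big-endian), then each sub-authority as little-endian uint32
        return (struct.pack("<BB", self.revision, len(self.subauthorities))
                + self.authority.to_bytes(6, "big")
                + b"".join(struct.pack("<I", s) for s in self.subauthorities))


def check_external_member(sid_text, trusted_domain_sid):
    """Normalise sid_text and confirm it is an account SID of the trusted domain.

    Returns the canonical upper-case string; raises ValueError otherwise. This is
    a structural check only: a well-formed SID that no AD account holds still passes.
    """
    sid = Sid.parse(sid_text)
    domain = Sid.parse(trusted_domain_sid)  # assumed to be known from the trust setup
    if sid.authority != 5 or sid.subauthorities[:1] != (21,):
        raise ValueError(f"{sid} is not a domain account SID (expected S-1-5-21-...)")
    if sid.subauthorities[:-1] != domain.subauthorities:
        raise ValueError(f"{sid} does not belong to trusted domain {domain}")
    if sid.subauthorities[-1] < 1000:  # policy choice (assumed): refuse builtin/well-known RIDs
        raise ValueError(f"{sid} uses a reserved RID below 1000")
    return str(sid)
```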

Comment 1 Xiyang Dong 2012-10-24 12:32:47 UTC
Version-Release number of selected component (if applicable):
ipa-server-3.0.0-105.20121018T0250zgit1cc4f7e.el6.x86_64

Comment 2 Dmitri Pal 2012-10-24 13:56:44 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3211

Comment 3 Rob Crittenden 2012-11-01 20:04:19 UTC
Fixed upstream.

master: fc3834ca46fa986694be6a94f0a51d74e9e532a8

ipa-3-0: 4cf3c2d5053bad8e62a80ffa586f8d5c1f7e41cd

Comment 4 Dmitri Pal 2012-11-06 13:39:47 UTC
https://fedorahosted.org/freeipa/ticket/3126

Comment 5 Scott Poore 2012-11-08 15:52:59 UTC
Created bug #874671 to cover missing error message as separate case/issue here.

Comment 6 Scott Poore 2012-11-08 15:59:10 UTC
Created bug #874674 to cover invalid/non-existent SID adds as a separate case/issue here.

Comment 8 Scott Poore 2012-11-13 19:36:16 UTC
Verified.

It should be noted that the 1> case is the only one fixed here.  The other two (2>) cases are being handled in the separate bugs listed in comment #5 and comment #6.

Version ::

ipa-server-3.0.0-8.el6.x86_64

Manual Test Results ::

[root@rhel6-1 ~]# ipa group-add --desc='adtestdom.com adtestgroup1' adtestdom_adtestgroup1
------------------------------------
Added group "adtestdom_adtestgroup1"
------------------------------------
  Group name: adtestdom_adtestgroup1
  Description: adtestdom.com adtestgroup1
  GID: 1735800006

[root@rhel6-1 ~]# ipa group-add --desc='adtestdom.com adtestgroup1 external' adtestdom_adtestgroup1_external --external
---------------------------------------------
Added group "adtestdom_adtestgroup1_external"
---------------------------------------------
  Group name: adtestdom_adtestgroup1_external
  Description: adtestdom.com adtestgroup1 external

[root@rhel6-1 ~]# ipa group-add-member adtestdom_adtestgroup1 --groups=adtestdom_adtestgroup1_external
  Group name: adtestdom_adtestgroup1
  Description: adtestdom.com adtestgroup1
  GID: 1735800006
  Member groups: adtestdom_adtestgroup1_external
-------------------------
Number of members added 1
-------------------------

[root@rhel6-1 ~]# ipa group-add-member adtestdom_adtestgroup1_external --external "ADTESTDOM\adtestgroup1"
[member user]: 
[member group]: 
  Group name: adtestdom_adtestgroup1_external
  Description: adtestdom.com adtestgroup1 external
  External member: S-1-5-21-1246088475-3077293710-2580964704-1135
  Member of groups: adtestdom_adtestgroup1
-------------------------
Number of members added 1
-------------------------

Comment 11 errata-xmlrpc 2013-02-21 09:28:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html

Comment 12 Xiyang Dong 2013-03-12 14:43:29 UTC
Now it's able to add by name but unable to delete by name.

[root@rt aduser1]# rpm -q ipa-server
ipa-server-3.0.0-25.el6.x86_64

[root@rt aduser1]# ipa group-add-member adgroup1 --external "ADLAB\aduser1"
[member user]: 
[member group]: 
  Group name: adgroup1
  Description: adgroup1
  External member: S-1-5-21-3452862912-1583780823-338435951-1139
-------------------------
Number of members added 1
-------------------------
[root@rt aduser1]# ipa group-remove-member adgroup1 --external "ADLAB\aduser1"
[member user]: 
[member group]: 
  Group name: adgroup1
  Description: adgroup1
  External member: S-1-5-21-3452862912-1583780823-338435951-1139
---------------------------
Number of members removed 0
---------------------------
[root@rt aduser1]# ipa group-remove-member adgroup1 --external=S-1-5-21-3452862912-1583780823-338435951-1139
[member user]: 
[member group]: 
  Group name: adgroup1
  Description: adgroup1
  External member: 
---------------------------
Number of members removed 1
---------------------------

Comment 13 Rob Crittenden 2013-03-12 14:50:18 UTC
The suggestion is that it used to work. Is that the case? I don't think it did.

We'd need a new bug to add this functionality.