Bug 887961

Summary: AD provider: getgrgid removes nested group memberships
Product: Red Hat Enterprise Linux 6
Reporter: Jakub Hrozek <jhrozek>
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified
Docs Contact:
Priority: medium
Version: 6.5
CC: dpal, grajaiya, jgalipea, myllynen, okos, pbrezina, tlavigne
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: sssd-1.9.2-68.el6
Doc Type: Bug Fix
Doc Text: No documentation needed.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-21 09:42:40 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 895654

Description Jakub Hrozek 2012-12-17 17:19:05 UTC
Description of problem:
After a successful initgroups operation, the subsequent getgrgid removes the nested memberships. As far as we can tell, this only happens with the AD provider. So far, we've been unable to reproduce the issue in-house, but Marko Myllynen (CC) has

Version-Release number of selected component (if applicable):
1.9.3 upstream, 1.9.2 candidate from 6.4

How reproducible:
depends on the environment

Steps to Reproduce:
1. id -G user
2. id user
  
Actual results:
The id -G call returns all the groups correctly and in the cache the memberofs are linked by SIDs which is expected as we don't know the group names yet. But after the user runs full id, which also calls getgrgid on the resolved SIDs, we lose the memberships for some reason

Expected results:
The groups should stay the same

Additional info:
Marko thinks this was working at one point during the 1.9 development. We need to follow up and verify.

Comment 2 Jakub Hrozek 2012-12-18 17:58:22 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1727

Comment 3 Kaushik Banerjee 2012-12-20 14:57:54 UTC
We have been unable to reproduce the issue in our environment. It was decided to provide a fix to Marko to verify the issue in his setup.

Comment 4 Jakub Hrozek 2013-01-07 19:30:36 UTC
(In reply to comment #3)
> We have been unable to reproduce the issue in our environment. It was
> decided to provide a fix to Marko to verify the issue in his setup.

It actually turned out to be quite easily reproducible, I was just looking in the wrong direction.

It turns out that because we use the tokenGroups attribute for initgroups in AD, we can get a different set of results via tokenGroups and via LDAP calls when updating the groups later.

One of the differences is that parent groups of the primary group are represented in tokenGroups, but not represented via LDAP calls because there is no direct member/memberof link between the user and his primary group.

In short, to reproduce:
1. Add a parent group to user's primary group (Domain Users by default)
2. id -G username
   - this call would return both Domain Users and its parent groups
3. id username
   - because there is no link between the "Domain Users" group and the user entry, there wouldn't be any link between the user and the parent group either
4. id -G username
   - only Domain Users is returned
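
The discrepancy comment 4 describes, modelled as an added example (not sssd code and not from this bug): a user whose primary group is nested in a parent group is resolved once the way a tokenGroups answer expands nesting and once by walking memberOf links only. The group DNs, user entry and function names are constructed for the illustration.

```python
from typing import Dict, Set

# Constructed directory (not real data): group DN -> the DNs it is
# memberOf, i.e. its parent groups. Domain Users is nested in parent_group.
GROUPS: Dict[str, Set[str]] = {
    "CN=Domain Users,CN=Users,DC=example,DC=test": {
        "CN=parent_group,CN=Users,DC=example,DC=test"},
    "CN=parent_group,CN=Users,DC=example,DC=test": set(),
    "CN=direct_group,CN=Users,DC=example,DC=test": set(),
}

# Constructed user entry. AD links the primary group only through
# primaryGroupID; it never appears in the user's own memberOf attribute.
USER: dict = {
    "primaryGroup": "CN=Domain Users,CN=Users,DC=example,DC=test",
    "memberOf": {"CN=direct_group,CN=Users,DC=example,DC=test"},
}

def expand_nesting(seeds: Set[str]) -> Set[str]:
    """Transitive closure over group memberOf links, starting from seeds."""
    seen: Set[str] = set()
    stack = list(seeds)
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(GROUPS.get(group, set()))
    return seen

def token_groups(user: dict) -> Set[str]:
    """What a tokenGroups-based initgroups yields: the closure is expanded
    from the primary group as well as from the direct memberships."""
    return expand_nesting(set(user["memberOf"]) | {user["primaryGroup"]})

def memberof_walk(user: dict, expand_primary: bool) -> Set[str]:
    """A refresh that rebuilds memberships from memberOf links. The primary
    group itself is always known (from the user's gidNumber), but unless
    expand_primary is set its parents are never visited: that is the
    nesting the bug lost. Seeding the walk with the primary group fixes it."""
    seeds = set(user["memberOf"])
    if expand_primary:
        seeds.add(user["primaryGroup"])
    return expand_nesting(seeds) | {user["primaryGroup"]}

def lost_memberships(user: dict, expand_primary: bool) -> Set[str]:
    """Groups present after initgroups but gone after the refresh: the
    check to run to see whether the cached membership set will shrink."""
    return token_groups(user) - memberof_walk(user, expand_primary)
```

With expand_primary=False the refresh keeps Domain Users but drops parent_group, which is exactly the `id -G` before/after difference in the reproduction steps.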

Comment 10 Kaushik Banerjee 2013-01-20 15:17:26 UTC
Verified in version 1.9.2-74

Output from beaker automation run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: adprovider_015 bz887961 getgrgid removes nested group memberships
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

adding new entry "CN=primary user,CN=Users,DC=sssdad,DC=com"

adding new entry "CN=parent_group,CN=Users,DC=sssdad,DC=com"

modifying entry "CN=primary user,CN=Users,DC=sssdad,DC=com"

modifying entry "CN=primary user,CN=Users,DC=sssdad,DC=com"

modifying entry "CN=parent_group,CN=Users,DC=sssdad,DC=com"

Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]
[  OK  ]
:: [13:18:21] ::  Sleeping for 5 seconds
Domain Users gid number is 770800513
parent_group gid number is 770820521
Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]
[  OK  ]
:: [13:18:34] ::  Sleeping for 5 seconds
770800513 770820521
:: [   PASS   ] :: Running 'id -G puser | grep 770800513 | grep 770820521'
uid=770820520(puser) gid=770800513(domain users) groups=770800513(domain users),770820521(parent_group)
:: [   PASS   ] :: Running 'id puser | grep parent_group | grep domain'
770800513 770820521
:: [   PASS   ] :: Running 'id -G puser | grep 770800513 | grep 770820521'
'2cba848b-5ca3-479b-a3ba-c0afa9463650'
adprovider-015-bz887961-getgrgid-removes-nested-group-memberships result: PASS

Comment 11 errata-xmlrpc 2013-02-21 09:42:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html