Bug 887961
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | AD provider: getgrgid removes nested group memberships | | |
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Jakub Hrozek <jhrozek> |
| Component: | sssd | Assignee: | Jakub Hrozek <jhrozek> |
| Status: | CLOSED ERRATA | QA Contact: | Kaushik Banerjee <kbanerje> |
| Severity: | unspecified | Priority: | medium |
| Version: | 6.5 | CC: | dpal, grajaiya, jgalipea, myllynen, okos, pbrezina, tlavigne |
| Target Milestone: | rc | Hardware: | Unspecified |
| OS: | Unspecified | Bug Blocks: | 895654 |
| Fixed In Version: | sssd-1.9.2-68.el6 | Doc Type: | Bug Fix |
| Doc Text: | No documentation needed. | | |
| Last Closed: | 2013-02-21 09:42:40 UTC | Type: | Bug |
Description
Jakub Hrozek
2012-12-17 17:19:05 UTC
Upstream ticket: https://fedorahosted.org/sssd/ticket/1727

We have been unable to reproduce the issue in our environment. It was decided to provide a fix to Marko to verify the issue in his setup.

(In reply to comment #3)
> We have been unable to reproduce the issue in our environment. It was
> decided to provide a fix to Marko to verify the issue in his setup.

It actually turned out to be quite easily reproducible, I was just looking in the wrong direction. It turns out that because we use the tokenGroups attribute for initgroups in AD, we can get a different set of results via tokenGroups and via LDAP calls when updating the groups later. One of the differences is that parent groups of the primary group are represented in tokenGroups, but not represented via LDAP calls because there is no direct member/memberof link between the user and his primary group.

In short, to reproduce:
1. Add a parent group to user's primary group (Domain Users by default)
2. id -G username - this call would return both Domain Users and its parent groups
3. id username - because there is no link between the "Domain Users" group and the user entry, there wouldn't be any link between the user and the parent group either
4. id -G username - only Domain Users is returned

Verified in version 1.9.2-74

Output from beaker automation run:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: adprovider_015 bz887961 getgrgid removes nested group memberships
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
adding new entry "CN=primary user,CN=Users,DC=sssdad,DC=com"
adding new entry "CN=parent_group,CN=Users,DC=sssdad,DC=com"
modifying entry "CN=primary user,CN=Users,DC=sssdad,DC=com"
modifying entry "CN=primary user,CN=Users,DC=sssdad,DC=com"
modifying entry "CN=parent_group,CN=Users,DC=sssdad,DC=com"
Stopping sssd: [ OK ]
Starting sssd: [ OK ] [ OK ]
:: [13:18:21] :: Sleeping for 5 seconds
Domain Users gid number is 770800513
parent_group gid number is 770820521
Stopping sssd: [ OK ]
Starting sssd: [ OK ] [ OK ]
:: [13:18:34] :: Sleeping for 5 seconds
770800513 770820521
:: [ PASS ] :: Running 'id -G puser | grep 770800513 | grep 770820521'
uid=770820520(puser) gid=770800513(domain users) groups=770800513(domain users),770820521(parent_group)
:: [ PASS ] :: Running 'id puser | grep parent_group | grep domain'
770800513 770820521
:: [ PASS ] :: Running 'id -G puser | grep 770800513 | grep 770820521'
'2cba848b-5ca3-479b-a3ba-c0afa9463650'
adprovider-015-bz887961-getgrgid-removes-nested-group-memberships result: PASS

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html
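
The difference between the two lookup paths described in the report (tokenGroups expansion versus following member/memberOf links) can be modelled in a few lines. This is an added example, not SSSD code and not part of the original report: the names and gids for puser, domain users and parent_group come from the test log, while wiki_editors, its gid and all function names are constructed for illustration.

```python
# Constructed sample directory. "member" holds direct member links only.
GROUPS = {
    # Primary group: the user is NOT listed in its member attribute.
    "domain users": {"gid": 770800513, "member": []},
    "parent_group": {"gid": 770820521, "member": ["domain users"]},
    # Hypothetical group with an ordinary direct membership.
    "wiki_editors": {"gid": 770820600, "member": ["puser"]},
}
USERS = {"puser": {"uid": 770820520, "primary": "domain users"}}

def parents_of(name):
    """Groups that list `name` in their member attribute (direct links)."""
    return [g for g, attrs in GROUPS.items() if name in attrs["member"]]

def closure(start):
    """Transitive expansion of group nesting; `seen` also guards cycles."""
    seen, todo = set(), list(start)
    while todo:
        group = todo.pop()
        if group not in seen:
            seen.add(group)
            todo.extend(parents_of(group))
    return seen

def via_token_groups(user):
    """Model of tokenGroups: expansion starts from the primary group too."""
    return closure(parents_of(user) + [USERS[user]["primary"]])

def via_member_links(user):
    """Simplified model of a member/memberOf walk: the primary group is
    known only from the user's gid, so nesting above it is never followed."""
    return closure(parents_of(user)) | {USERS[user]["primary"]}

def dropped_groups(user):
    """Memberships lost if the member-link view overwrites the first one."""
    return sorted(via_token_groups(user) - via_member_links(user))

def gids(names):
    return sorted(GROUPS[n]["gid"] for n in names)

if __name__ == "__main__":
    print("tokenGroups view:", gids(via_token_groups("puser")))
    print("member-link view:", gids(via_member_links("puser")))
    print("dropped         :", dropped_groups("puser"))
```

On a live host the same comparison is the one the beaker test performs: the output of `id -G` for a user should be identical before and after a group lookup refreshes the cache.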