Bug 1045188 - sssd does not respect override_gid when there is no gid
Summary: sssd does not respect override_gid when there is no gid
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: sssd
Version: 22
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Jakub Hrozek
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-12-19 20:11 UTC by Claudio Sampaio
Modified: 2020-05-02 17:34 UTC (History)

Fixed In Version: sssd-1.12.1-1.fc22
Doc Type: Bug Fix
Last Closed: 2015-09-15 12:24:20 UTC
Type: Bug


Attachments
try all attributes when saving an entry (1.75 KB, patch)
2013-12-19 20:11 UTC, Claudio Sampaio


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 3225 0 None None None 2020-05-02 17:34:52 UTC
Github SSSD sssd issues 3226 0 None None None 2020-05-02 17:34:58 UTC

Description Claudio Sampaio 2013-12-19 20:11:31 UTC
Created attachment 839236
try all attributes when saving an entry

Description of problem:
When specifying override_gid in sssd.conf, it will not work if the LDAP server does not return a gid attribute when querying the LDAP user information.

Version-Release number of selected component (if applicable):
1.9.2-82.10

How reproducible:
Always

Steps to Reproduce:
1. Use an LDAP server which does not return a gid (e.g. Tivoli Directory Server)
2. Configure sssd.conf with override_gid, say, 1000 with group 1000 being 'mygroup' in /etc/group
3. Query user information
4. As sssd does not get the gid, it will cease to process user info at this time, not saving it, and getent passwd <user> or any other such command will not work

And sorry, but I do not have sssd logs containing the problem because it was solved with a patch that jhrozek sent me which, according to him, was a hack/workaround for the time being. The patch is attached to this bug report.

Actual results:
no getent / id command working

Expected results:
getent / id would return the user with the given group

Additional info:
patch which worked around the problem is attached

Comment 1 Claudio Sampaio 2013-12-19 20:11:54 UTC
Also, the bug remains on newer versions of sssd

Comment 2 Stephen Gallagher 2013-12-19 20:20:28 UTC
There are actually several issues to keep in mind here, only one of which is actually resolved by the attached patch.

1) It is asserted that if override_gid is being used, we should not fail to save users that have no gid attribute in their LDAP user entry. This would require us to change the search filters we use for finding user entries if override_gid is in use on the domain (currently we intentionally filter out users missing a GID).

2) The workaround that was offered here was to set 'ldap_group_gid = uidNumber' (the same as the UID, so it could then be safely overridden). However, we have a bug in the attribute processing where it ended up not populating both UID and GID (it stopped at the first match). As a result, the user failed to save to sysdb. This is the issue addressed by the attached patch.

The second issue is fairly serious, as there may be other times that we need to save the same attribute in two places (such as GECOS and Full Name, for one example). The first issue will have a viable workaround once the second is addressed, so it is lower priority.
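
A simplified model of the attribute-processing problem described in comment 2, added here as an illustration. It is not SSSD code or the attached patch; the struct names, function names and sample entry are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not SSSD code: cache attribute <- LDAP attribute. */
struct map_entry { const char *cache_name; const char *ldap_name; };
struct ldap_attr { const char *name; const char *value; };
struct cached_user { const char *uid; const char *gid; };

/* UID and GID are both read from uidNumber, as in the workaround. */
static const struct map_entry user_map[] = {
    { "uid", "uidNumber" }, { "gid", "uidNumber" } };
#define MAP_LEN (sizeof(user_map) / sizeof(user_map[0]))

/* Fill the cached user from the LDAP attributes. With stop_at_first set,
 * each LDAP attribute populates only the first map entry that names it. */
static struct cached_user map_user(const struct ldap_attr *attrs, size_t n,
                                   int stop_at_first)
{
    struct cached_user u = { NULL, NULL };
    for (size_t a = 0; a < n; a++) {
        for (size_t m = 0; m < MAP_LEN; m++) {
            if (strcmp(attrs[a].name, user_map[m].ldap_name) != 0) continue;
            if (strcmp(user_map[m].cache_name, "uid") == 0) u.uid = attrs[a].value;
            else u.gid = attrs[a].value;
            if (stop_at_first) break;
        }
    }
    return u;
}

/* Reject entries missing either ID; otherwise apply the GID override. */
static int save_user(struct cached_user *u, const char *override_gid)
{
    if (u->uid == NULL || u->gid == NULL) return 0;
    if (override_gid != NULL) u->gid = override_gid;
    return 1;
}

int main(void)
{
    /* Constructed entry: the server returns no gidNumber attribute. */
    const struct ldap_attr entry[] = { { "cn", "jdoe" }, { "uidNumber", "5001" } };
    struct cached_user bad = map_user(entry, 2, 1), good = map_user(entry, 2, 0);
    printf("first match only: saved=%d\n", save_user(&bad, "1000"));
    int ok = save_user(&good, "1000");
    printf("all matches: saved=%d gid=%s\n", ok, good.gid);
    return 0;
}
```

With first-match processing the GID slot stays empty and the entry is rejected before the override can apply; filling every matching slot lets the user be saved and the override take effect.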

Comment 3 Jakub Hrozek 2013-12-20 08:51:14 UTC
The patch still needs some work (and ideally a unit test). I remember I was able to break LDAP searches under some conditions with the patch. I don't recall the details, but that's the reason the patch wasn't accepted upstream yet.

Until now, there had been no bug report, so the patch has had a lower priority :-)

Comment 4 Jakub Hrozek 2013-12-20 08:52:49 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2183

Comment 5 Jakub Hrozek 2013-12-20 08:58:29 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2184

Comment 6 Jakub Hrozek 2014-07-08 18:44:08 UTC
Fixed upstream:
    master: eed2073f6f7bed7df0327b9fc0f2d410975d5332

Comment 7 Lukas Slebodnik 2014-12-18 10:41:51 UTC
Patch is included in upstream sssd >= 1.12
sh$ git tag --contains eed2073f6f7bed7df0327b9fc0f2d410975d5332
sssd-1_12_0
sssd-1_12_1
sssd-1_12_2

Comment 8 Jaroslav Reznik 2015-03-03 17:08:17 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22

Comment 9 Jakub Hrozek 2015-09-15 12:24:20 UTC
The problem the original reporter had has been fixed for some time. I'm closing as CURRENTRELEASE; please reopen if the issue is still there.

