Bug 1049533
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Group membership lookup issue | | |
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Steeve Goveas <sgoveas> |
| Component: | sssd | Assignee: | Jakub Hrozek <jhrozek> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Kaushik Banerjee <kbanerje> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.0 | CC: | grajaiya, jgalipea, lslebodn, mkosek, nsoman, pbrezina, sbose, spoore |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | sssd-1.11.2-21.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1446178 | Environment: | |
| Last Closed: | 2014-06-13 13:07:09 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 848531, 1446176, 1446178 | | |
Upstream ticket: https://fedorahosted.org/sssd/ticket/2190

Fixed upstream:
master: 01c9724f3bd540eda8b6d2879ca8a1cdd4af4330
sssd-1-11: 0970f33c971998693891210ae61d9209385ecb01
Verified.

Version :: sssd-1.11.2-21.el7.x86_64.rpm

Test Results ::

```text
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa_trunc_func_bug_1049533: Group membership lookup issue
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ PASS ] :: Running 'kdestroy -A' (Expected 0, got 0)
:: [ 10:16:50 ] :: Create group for testing bug
--------------------------------
Added group "bz1049533_external"
--------------------------------
  Group name: bz1049533_external
  Description: 0
:: [ PASS ] :: Running 'ipa group-add --desc=0 bz1049533_external --external' (Expected 0, got 0)
-----------------------
Added group "bz1049533"
-----------------------
  Group name: bz1049533
  Description: 0
  GID: 114000010
:: [ PASS ] :: Running 'ipa group-add --desc=0 bz1049533' (Expected 0, got 0)
  Group name: bz1049533
  Description: 0
  GID: 114000010
  Member groups: bz1049533_external
-------------------------
Number of members added 1
-------------------------
:: [ PASS ] :: Running 'ipa group-add-member bz1049533 --groups=bz1049533_external' (Expected 0, got 0)
  Group name: bz1049533_external
  Description: 0
  External member: S-1-5-21-1515602834-2930230041-3336973146-1131
  Member of groups: bz1049533
-------------------------
Number of members added 1
-------------------------
:: [ PASS ] :: Running 'ipa group-add-member bz1049533_external --external='AD2.EXAMPLE.TEST\adgroup1' --users='' --groups=''' (Expected 0, got 0)
:: [ 10:16:54 ] :: Now reset sssd to be sure cache is clear
Redirecting to /bin/systemctl stop sssd.service
:: [ PASS ] :: Running 'service sssd stop' (Expected 0, got 0)
:: [ PASS ] :: Running 'rm -rf /var/lib/sss/{db,mc}/*' (Expected 0, got 0)
Redirecting to /bin/systemctl start sssd.service
:: [ PASS ] :: Running 'service sssd start' (Expected 0, got 0)
:: [ 10:16:56 ] :: Now check id of known user in adgroup1
uid=551801125(aduser1.test) gid=551801125(aduser1.test) groups=551801125(aduser1.test),551801131(adgroup1.test),114000010(bz1049533),114000006(ad2_adgroup1),551800513(domain users.test)
:: [ PASS ] :: Running 'id 'AD2.EXAMPLE.TEST\Aduser1' 2>&1| tee /tmp/tmpout.ipa_trunc_func_bug_1049533' (Expected 0, got 0)
:: [ PASS ] :: File '/tmp/tmpout.ipa_trunc_func_bug_1049533' should contain 'bz1049533'
:: [ PASS ] :: BZ1049533 not found
:: [ 10:17:00 ] :: Now clean up before we move on
----------------------------------
Deleted group "bz1049533_external"
----------------------------------
:: [ PASS ] :: Running 'ipa group-del bz1049533_external' (Expected 0, got 0)
-------------------------
Deleted group "bz1049533"
-------------------------
:: [ PASS ] :: Running 'ipa group-del bz1049533' (Expected 0, got 0)
:: [ 10:17:01 ] :: Running rhts-sync-set -s '3.' -m rhel7-1.example.com
result_server not set, assuming developer mode.
Setting rhel7-1.example.com to state 3.
:: [ PASS ] :: Running 'rhts-sync-set -s '3.' -m rhel7-1.example.com' (Expected 0, got 0)
```

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
Description of problem:
Issue with SSSD group membership lookup

Version-Release number of selected component (if applicable):

```text
[root@dhcp207-43 ~]# rpm -q sssd
sssd-1.11.2-19.el7.x86_64
[root@dhcp207-43 ~]# rpm -q ipa-server
ipa-server-3.3.3-8.el7.x86_64
```

How reproducible:
Always

Steps to Reproduce:
1. Setup AD trust
2. Add users in AD
3. Add posix group ad_users
4. Add external group ad_users_ext
5. Add ad_users_ext to ad_users group
6. Add aduser1 user to ad_users_ext group
7. Check id aduser1 for ad user group memberships on IPA

Actual results:

```text
[root@dhcp207-43 ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

[root@dhcp207-43 ~]# getent passwd aduser1
aduser1:*:1148401313:1148401313:ads user:/:

[root@dhcp207-43 ~]# ipa group-show ad_users
  Group name: ad_users
  Description: ad_users local group
  GID: 1741800004
  Member groups: ad_users_ext
  Member of HBAC rule: testrule

[root@dhcp207-43 ~]# ipa group-show ad_users_ext
  Group name: ad_users_ext
  Description: ad_users external map
  Member of groups: ad_users
  Indirect Member of HBAC rule: testrule
  External member: S-1-5-21-1910160501-511572375-3625658879-1313

[root@dhcp207-43 ~]# wbinfo -n 'ADTEST\aduser1'
S-1-5-21-1910160501-511572375-3625658879-1313 SID_USER (1)

[root@dhcp207-43 ~]# id 'ADTEST\aduser1'
uid=1148401313(aduser1) gid=1148401313(aduser1) groups=1148401313(aduser1),1148400513(domain users)

[root@dhcp207-43 ~]# ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
  Rule name: allow_all
  User category: all
  Host category: all
  <sourcehostcategory>: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: TRUE

  Rule name: testrule
  Description: test
  Enabled: TRUE
  User Groups: ad_users
  Hosts: dhcp207-43.testrelm.com
  Services: sshd
----------------------------
Number of entries returned 2
----------------------------

[root@dhcp207-43 ~]# ipa hbactest --user 'aduser1' --host `hostname` --service sshd
--------------------
Access granted: True
--------------------
  Matched rules: allow_all
  Not matched rules: testrule
```
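The regression in this bug is visible only in the `groups=` field of `id`: the IPA posix group reached through the external group is missing from the AD user's group list, so an HBAC rule keyed on that group silently stops matching. The verification above checks the fix by grepping the saved `id` output for the group name, which is a substring match. As an added example, not code from the bug report or from SSSD, the POSIX shell helper below parses the `groups=` field and checks for an exact group-name match, run against the two `id` outputs quoted in this bug. The function names `id_has_group` and `check_user_in_group` are chosen here and are not part of any tool on this page.

```shell
#!/bin/sh
# Added example (not from the bug report or from SSSD): exact-match check of
# group membership in `id` output, the check the verification log above
# performs with a substring grep. Function names are chosen for this example.

# id_has_group IDLINE GROUP
# Succeeds (exit 0) when GROUP appears as a whole name in the groups= field
# of IDLINE; fails (exit 1) otherwise, including when no groups= field exists.
# Group names may contain spaces ("domain users"), so the list is split on
# commas, not on whitespace.
id_has_group() {
    _idline=$1
    _want=$2
    printf '%s\n' "$_idline" \
        | sed -n 's/.*groups=//p' \
        | tr ',' '\n' \
        | sed 's/^[0-9]*(//; s/)$//' \
        | grep -qxF -- "$_want"
}

# check_user_in_group USER GROUP
# Runs `id` for USER on this host and applies the same exact-match check;
# this is the form a verification script on the IPA client would call.
check_user_in_group() {
    _out=$(id "$1" 2>/dev/null) || return 1
    id_has_group "$_out" "$2"
}

# Sample inputs copied from the outputs quoted in this bug report:
# the id output after the fix (sssd-1.11.2-21.el7), where the IPA group
# bz1049533 reached via the external group is listed ...
SAMPLE_ID_FIXED='uid=551801125(aduser1.test) gid=551801125(aduser1.test) groups=551801125(aduser1.test),551801131(adgroup1.test),114000010(bz1049533),114000006(ad2_adgroup1),551800513(domain users.test)'
# ... and the id output showing the regression (sssd-1.11.2-19.el7), where
# the IPA group ad_users is missing although ad_users_ext maps the user's SID.
SAMPLE_ID_BROKEN='uid=1148401313(aduser1) gid=1148401313(aduser1) groups=1148401313(aduser1),1148400513(domain users)'

for g in bz1049533 ad2_adgroup1 'domain users.test'; do
    if id_has_group "$SAMPLE_ID_FIXED" "$g"; then
        echo "fixed build:  member of '$g'"
    fi
done
if id_has_group "$SAMPLE_ID_BROKEN" ad_users; then
    echo "broken build: member of 'ad_users'"
else
    echo "broken build: 'ad_users' missing from groups= (the regression)"
fi
```

`id_has_group` strips the numeric GID and parentheses from each entry, so neither the GID `114000010` nor a prefix such as `bz10495` counts as a match; only the whole group name does. That matters when a test group's name is a prefix of another group's (the external group here is `bz1049533_external`), where a plain `grep bz1049533` would pass for the wrong reason.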