Bug 1092766 - Simple access fails to look up primary group when using sssd-ad until running the id command.
Summary: Simple access fails to look up primary group when using sssd-ad until running...
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.5
Hardware: x86_64
OS: Linux
Target Milestone: rc
: 6.6
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
Depends On:
TreeView+ depends on / blocked
Reported: 2014-04-30 00:19 UTC by hgraham
Modified: 2018-12-09 17:47 UTC (History)
9 users (show)

Fixed In Version: sssd-1.11.6-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: Processing of group membership for user might have been ended prematurely for users with posix attributes and with disabled ID mapping. Consequence: Primary group of user need not been resolved properly and thus simple access provider might have failed. Fix: Cause of premature end of group resolving was fixed. Result: Simple access provider is now always provided with primary group of users.
Clone Of:
Last Closed: 2014-10-14 04:48:25 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1375 normal SHIPPED_LIVE sssd bug fix and enhancement update 2014-10-14 01:06:25 UTC

Description hgraham 2014-04-30 00:19:28 UTC
Description of problem:
When attempting to login in the morning (most likely empty cache) access is denied by the simple access provider until logging in as root and running "id username" on the user. After this access is allowed. This is occurring on all 4 servers. SSSD is configured using sssd-ad and access is restricted using simple access with the user's primary group listed for simple access.  

This looks like a degradation of bug 670763 or something similar that wasn't fixed for sssd-ad

Version-Release number of selected component (if applicable):

How reproducible:
I had the customer use the following:

Steps to Reproduce:

Actual results:
required to run "id username" before simple access succeeds

Expected results:
access is allowed everytime

Additional info:
The sssd.conf configuration

id_provider = ad
ldap_id_mapping = False
ldap_schema = ad
access_provider = simple
simple_allow_groups = primarygroup
ad_server = adserver.domain
ad_domain = DOMAIN
debug_level = 9

services = nss, pam
config_file_version = 2
debug_level = 9
domains = default

debug_level = 9
debug_level = 9

debug_level = 9

Comment 4 Pavel Reichl 2014-05-15 11:53:43 UTC
Hello Henry,

I have a local replication of the problem, so I'll try to investigate.


Pavel Reichl

Comment 5 Jakub Hrozek 2014-05-15 11:58:19 UTC
Upstream ticket:

Comment 6 Pavel Reichl 2014-05-15 14:27:09 UTC
Just to clarify replication - I believe this bug is happening only for users with POSIX attributes (please be sure to set "ldap_id_mapping = False" as Henry stated in 1st comment).

Comment 7 Jakub Hrozek 2014-06-02 10:25:23 UTC
Fixed upstream:

* master: fc731b54cd74e6732f1e33c7cc4ed49cab0f7c90
* sssd-1-11: 356b2dc5b81b073cfe1734df656fd34bef61c39d

Comment 9 Dan Lavu 2014-08-04 20:12:16 UTC
Verified, simple groups are working in sssd-client-1.11.6-14.el6.x86_64 on current RHEL 6.6 nightly. Regardless of which group the member is in, primary group, secondary or tertiary. Testing was done against AD 2k12 with UNIX attributes enabled.

Note, might want to modify the man page to give examples of adding groups with white spaces in the string. Spent sometime trying to escape the space or put the string "domain users" in quotes and single quotes, none of these worked but leaving it alone was successful. e.g. simple_allow_groups = domain users

Comment 12 errata-xmlrpc 2014-10-14 04:48:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.