RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1092766 - Simple access fails to look up primary group when using sssd-ad until running the id command.
Summary: Simple access fails to look up primary group when using sssd-ad until running...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.5
Hardware: x86_64
OS: Linux
high
high
Target Milestone: rc
: 6.6
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-04-30 00:19 UTC by hgraham
Modified: 2020-05-02 17:42 UTC (History)
9 users (show)

Fixed In Version: sssd-1.11.6-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: Processing of group membership for user might have been ended prematurely for users with posix attributes and with disabled ID mapping. Consequence: Primary group of user need not been resolved properly and thus simple access provider might have failed. Fix: Cause of premature end of group resolving was fixed. Result: Simple access provider is now always provided with primary group of users.
Clone Of:
Environment:
Last Closed: 2014-10-14 04:48:25 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 3376 0 None closed Simple access fails to look up primary group when using sssd-ad until running the id command. 2020-12-07 14:15:05 UTC
Red Hat Product Errata RHBA-2014:1375 0 normal SHIPPED_LIVE sssd bug fix and enhancement update 2014-10-14 01:06:25 UTC

Description hgraham 2014-04-30 00:19:28 UTC 
Description of problem:
When attempting to login in the morning (most likely empty cache) access is denied by the simple access provider until logging in as root and running "id username" on the user. After this access is allowed. This is occurring on all 4 servers. SSSD is configured using sssd-ad and access is restricted using simple access with the user's primary group listed for simple access.  

This looks like a degradation of bug 670763 or something similar that wasn't fixed for sssd-ad

Version-Release number of selected component (if applicable):
sssd-1.9.2-129.el6_5.4.x86_64

How reproducible:
I had the customer use the following:
https://access.redhat.com/site/articles/704743

Steps to Reproduce:
1.
2.
3.

Actual results:
required to run "id username" before simple access succeeds

Expected results:
access is allowed everytime

Additional info:
The sssd.conf configuration

[domain/default]
id_provider = ad
ldap_id_mapping = False
ldap_schema = ad
access_provider = simple
simple_allow_groups = primarygroup
ad_server = adserver.domain
ad_domain = DOMAIN
debug_level = 9


[sssd]
services = nss, pam
config_file_version = 2
debug_level = 9
domains = default

[nss]
debug_level = 9
[pam]
debug_level = 9

[sudo]
debug_level = 9
Comment 4 Pavel Reichl 2014-05-15 11:53:43 UTC 
Hello Henry,

I have a local replication of the problem, so I'll try to investigate.

Regards,

Pavel Reichl
Comment 5 Jakub Hrozek 2014-05-15 11:58:19 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2334
Comment 6 Pavel Reichl 2014-05-15 14:27:09 UTC 
Just to clarify replication - I believe this bug is happening only for users with POSIX attributes (please be sure to set "ldap_id_mapping = False" as Henry stated in 1st comment).
Comment 7 Jakub Hrozek 2014-06-02 10:25:23 UTC 
Fixed upstream:

* master: fc731b54cd74e6732f1e33c7cc4ed49cab0f7c90
* sssd-1-11: 356b2dc5b81b073cfe1734df656fd34bef61c39d
Comment 9 Dan Lavu 2014-08-04 20:12:16 UTC 
Verified, simple groups are working in sssd-client-1.11.6-14.el6.x86_64 on current RHEL 6.6 nightly. Regardless of which group the member is in, primary group, secondary or tertiary. Testing was done against AD 2k12 with UNIX attributes enabled.

Note, might want to modify the man page to give examples of adding groups with white spaces in the string. Spent sometime trying to escape the space or put the string "domain users" in quotes and single quotes, none of these worked but leaving it alone was successful. e.g. simple_allow_groups = domain users
Comment 12 errata-xmlrpc 2014-10-14 04:48:25 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1375.html
Note You need to log in before you can comment on or make changes to this bug.