Bug 1092766 - Simple access fails to look up primary group when using sssd-ad until running the id command.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.5
Hardware: x86_64 Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: 6.6
Assigned To: Jakub Hrozek
QA Contact: Kaushik Banerjee
Reported: 2014-04-29 20:19 EDT by hgraham
Modified: 2014-10-14 00:48 EDT
Fixed In Version: sssd-1.11.6-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: Processing of group membership for a user might have ended prematurely for users with POSIX attributes and with ID mapping disabled. Consequence: The user's primary group might not have been resolved properly, and thus the simple access provider might have failed. Fix: The cause of the premature end of group resolution was fixed. Result: The simple access provider is now always provided with the user's primary group.
Last Closed: 2014-10-14 00:48:25 EDT
Type: Bug
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1375 normal SHIPPED_LIVE sssd bug fix and enhancement update 2014-10-13 21:06:25 EDT

Description hgraham 2014-04-29 20:19:28 EDT
Description of problem:
When attempting to log in in the morning (most likely empty cache) access is denied by the simple access provider until logging in as root and running "id username" on the user. After this access is allowed. This is occurring on all 4 servers. SSSD is configured using sssd-ad and access is restricted using simple access with the user's primary group listed for simple access.

This looks like a degradation of bug 670763 or something similar that wasn't fixed for sssd-ad

Version-Release number of selected component (if applicable):
sssd-1.9.2-129.el6_5.4.x86_64

How reproducible:
I had the customer use the following:
https://access.redhat.com/site/articles/704743

Steps to Reproduce:
1.
2.
3.

Actual results:
required to run "id username" before simple access succeeds

Expected results:
access is allowed every time

Additional info:
The sssd.conf configuration

[domain/default]
id_provider = ad
ldap_id_mapping = False
ldap_schema = ad
access_provider = simple
simple_allow_groups = primarygroup
ad_server = adserver.domain
ad_domain = DOMAIN
debug_level = 9


[sssd]
services = nss, pam
config_file_version = 2
debug_level = 9
domains = default

[nss]
debug_level = 9
[pam]
debug_level = 9

[sudo]
debug_level = 9
Comment 4 Pavel Reichl 2014-05-15 07:53:43 EDT
Hello Henry,

I have a local replication of the problem, so I'll try to investigate.

Regards,

Pavel Reichl
Comment 5 Jakub Hrozek 2014-05-15 07:58:19 EDT
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2334
Comment 6 Pavel Reichl 2014-05-15 10:27:09 EDT
Just to clarify replication - I believe this bug is happening only for users with POSIX attributes (please be sure to set "ldap_id_mapping = False" as Henry stated in 1st comment).
Comment 7 Jakub Hrozek 2014-06-02 06:25:23 EDT
Fixed upstream:

* master: fc731b54cd74e6732f1e33c7cc4ed49cab0f7c90
* sssd-1-11: 356b2dc5b81b073cfe1734df656fd34bef61c39d
Comment 9 Dan Lavu 2014-08-04 16:12:16 EDT
Verified, simple groups are working in sssd-client-1.11.6-14.el6.x86_64 on current RHEL 6.6 nightly. Regardless of which group the member is in, primary group, secondary or tertiary. Testing was done against AD 2k12 with UNIX attributes enabled.

Note, might want to modify the man page to give examples of adding groups with white spaces in the string. Spent some time trying to escape the space or put the string "domain users" in quotes and single quotes, none of these worked but leaving it alone was successful. e.g. simple_allow_groups = domain users
Comment 12 errata-xmlrpc 2014-10-14 00:48:25 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1375.html
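
A configuration audit for the conditions described in this report, as an added example that is not part of the bug report or of SSSD itself: it flags domains that combine id_provider = ad, ldap_id_mapping = False and simple_allow_groups on a package older than the Fixed In Version, and group names wrapped in quotes (the case noted in Comment 9). The function names, the sample configuration, the [domain/lab] section and the comparison by upstream version only are assumptions.

```python
import configparser
import re

FIXED = (1, 11, 6)  # upstream part of "Fixed In Version: sssd-1.11.6-1.el6"

def upstream_version(nvr):
    """Version tuple from an rpm name such as sssd-1.9.2-129.el6_5.4.x86_64."""
    m = re.match(r"sssd(?:-client)?-(\d+(?:\.\d+)*)-", nvr)
    if not m:
        raise ValueError(f"unrecognised sssd package name: {nvr!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def allowed_groups(value):
    """Split simple_allow_groups on commas; spaces inside a name belong to it."""
    return [g.strip() for g in value.split(",") if g.strip()]

def audit(conf_text, nvr):
    """Map each [domain/...] section to findings for the conditions in this report."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    old = upstream_version(nvr) < FIXED  # assumption: ignores backported fixes
    report = {}
    for section in [s for s in cp.sections() if s.startswith("domain/")]:
        dom = cp[section]
        groups = allowed_groups(dom.get("simple_allow_groups", ""))
        # Assumption: an unset ldap_id_mapping means ID mapping is enabled.
        posix_attrs = dom.get("ldap_id_mapping", "true").lower() == "false"
        findings = []
        if (old and posix_attrs and groups and dom.get("id_provider") == "ad"
                and dom.get("access_provider") == "simple"):
            findings.append("matches bug 1092766: primary group may be unresolved")
        findings += [f"quoted group name {g!r}: write it unquoted"
                     for g in groups if g[0] in "'\"" or g[-1] in "'\""]
        if findings:
            report[section] = findings
    return report

# Constructed sample: the report's domain plus a hypothetical second one.
SAMPLE = """
[domain/default]
id_provider = ad
ldap_id_mapping = False
access_provider = simple
simple_allow_groups = primarygroup, domain users

[domain/lab]
access_provider = simple
simple_allow_groups = "domain users"
"""
```

Call audit() with the contents of /etc/sssd/sssd.conf and the output of rpm -q sssd; an empty result means no domain matched either check.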