Bug 1122158 - ad: group membership is empty when id mapping is off and tokengroups are enabled
Summary: ad: group membership is empty when id mapping is off and tokengroups are enabled
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
Depends On:
Reported: 2014-07-22 16:32 UTC by Jakub Hrozek
Modified: 2020-05-02 17:45 UTC (History)

Fixed In Version: sssd-1.11.6-12.el6
Doc Type: Bug Fix
Doc Text:
Cause: ID provider is set to AD, ID mapping is disabled but tokengroups are enabled. When initgroups is performed, SSSD resolves SIDs to groups but does not store the membership. Consequence: Group membership was not resolved correctly - only the primary group was acquired. Fix: SSSD updates the user's membership after SIDs are resolved. Result: Group membership is resolved correctly.
Clone Of:
Last Closed: 2014-10-14 04:49:09 UTC
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 3427 0 None None None 2020-05-02 17:45:38 UTC
Red Hat Product Errata RHBA-2014:1375 0 normal SHIPPED_LIVE sssd bug fix and enhancement update 2014-10-14 01:06:25 UTC

Description Jakub Hrozek 2014-07-22 16:32:10 UTC
This bug is created as a clone of upstream ticket:

When id_provider=ad, id mapping is off but tokengroups are used, the first initgroups attempt yields empty membership (only the primary group is shown). The successive initgroups works correctly.

* SIDs are acquired correctly from tokengroups
* if SID is already in the cache the membership is updated
* missing SIDs are downloaded but membership is not updated

Reported by jhodrien on IRC.

Comment 1 Jakub Hrozek 2014-07-22 16:36:37 UTC

Comment 4 Jakub Hrozek 2014-07-28 13:44:26 UTC
Pavel, can you add the steps to verify for QE? Thanks!

Comment 6 Pavel Březina 2014-07-30 08:50:02 UTC
The steps are quite simple.

1. create an AD user which is a member of at least one non-primary POSIX group
2. disable id mapping and enable tokengroups in sssd.conf
3. run id $user
- without this patch only primary group is shown
- with this patch all groups are printed

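A complete sssd.conf for step 2 above, added here as an example and not taken from the report or the sssd project; the domain name example.com and the services list are assumptions, the two option names are the stock sssd options that switch ID mapping off and tokengroups on.

```ini
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ad
access_provider = ad
# Step 2, part 1: take UIDs/GIDs from the POSIX attributes stored in AD
# (uidNumber/gidNumber) instead of generating them from the SID.
ldap_id_mapping = False
# Step 2, part 2: resolve the user's groups from the tokenGroups attribute,
# which is the code path that lost the membership before the fix.
ldap_use_tokengroups = True
```

The file must be owned by root with mode 0600 or sssd refuses to start. After editing it, invalidate the cache (sss_cache -E, or wipe the ldb files under /var/lib/sss/db and restart sssd) before step 3, otherwise a membership stored by an earlier lookup masks the bug.
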
Comment 7 Nirupama Karandikar 2014-08-07 06:03:16 UTC
Tested with sssd-1.11.6-14.el6.x86_64

:: [   PASS   ] :: Running 'getent passwd aduser1' (Expected 0, got 0)
uid=70001(aduser1) gid=70001(adgrp01) groups=70001(adgrp01),10000(domain users),70002(adgrp02),70003(adgrp03),70004(adgrp04)
:: [   PASS   ] :: Running 'id aduser1 | grep adgrp03' (Expected 0, got 0)
aduser1 : adgrp01 domain users adgrp02 adgrp03 adgrp04
:: [   PASS   ] :: Running 'groups aduser1' (Expected 0, got 0)

Comment 8 Nirupama Karandikar 2014-08-13 11:42:15 UTC
Not sure if this issue is related to this fix, but now group lookups are empty if initgroup lookups are run before normal group lookup.

1. Restart sssd with a clear cache
2. Initgroup lookup
# id aduser1
uid=70001(aduser1) gid=70001(adgrp01) groups=70001(adgrp01),10000(domain users),70002(adgrp02),70003(adgrp03),70004(adgrp04)

3. Group lookup
# getent group adgrp01
adgrp01:*:70001:        <= member aduser1 is missing

After step 2, domain log shows:
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sdap_get_primary_name] (0x0400): Processing object adgrp01
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sdap_save_grpmem] (0x0400): Processing group adgrp01
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sdap_save_grpmem] (0x0400): Adding member users to group [adgrp01]
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists]
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists)
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sysdb_store_group] (0x0400): Error: 17 (File exists)
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sdap_save_grpmem] (0x0080): sysdb_store_group failed: [17][File exists].
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sdap_save_grpmem] (0x0040): Failed to save members of group adgrp01
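
A small script that checks for the inconsistency comment 8 describes, i.e. a group that `id` reports for the user but whose `getent group` entry does not list the user. This is an added example, not part of the bug report or of sssd; the two sample lines are copied from comment 8 and used as constructed input, and the script name check_groups.sh is an assumption.

```shell
#!/bin/sh
# Added example (not part of the bug report): cross-check the group list that
# initgroups returns (`id`) against what a plain group lookup (`getent group`)
# has stored. Sample lines below are taken from comment 8 as constructed input.

# Print one group name per line from an `id` output line of the form
# "uid=N(user) gid=N(group) groups=N(g1),N(g2),...".
id_group_names() {
    printf '%s\n' "$1" \
        | sed -n 's/.*groups=//p' \
        | tr ',' '\n' \
        | sed -n 's/^[0-9]*(\(.*\))$/\1/p'
}

# Succeed when $1 (a user name) appears in the member field (field 4) of the
# `getent group` line given as $2, e.g. "adgrp01:*:70001:aduser1,bob".
# Matching on the comma-delimited field keeps group names with spaces intact.
group_has_member() {
    members=$(printf '%s\n' "$2" | cut -d: -f4)
    case ",$members," in
        *",$1,"*) return 0 ;;
    esac
    return 1
}

# Live check against the running sssd: print every group that `id` reports for
# the user but whose `getent group` entry does not list the user as a member.
# Run it right after "sss_cache -E" (or a cache wipe plus sssd restart) to get
# the ordering from comment 8: initgroups first, then the group lookup.
report_missing_members() {
    user=$1
    id_group_names "$(id "$user")" | while IFS= read -r g; do
        if ! group_has_member "$user" "$(getent group "$g")"; then
            printf 'group %s does not list %s as a member\n' "$g" "$user"
        fi
    done
}

# Offline demonstration on the lines captured in comment 8 (constructed input).
SAMPLE_ID='uid=70001(aduser1) gid=70001(adgrp01) groups=70001(adgrp01),10000(domain users),70002(adgrp02),70003(adgrp03),70004(adgrp04)'
SAMPLE_GROUP='adgrp01:*:70001:'
echo "groups reported by id for aduser1:"
id_group_names "$SAMPLE_ID"
if group_has_member aduser1 "$SAMPLE_GROUP"; then
    echo "adgrp01 lists aduser1"
else
    echo "adgrp01 does not list aduser1 (the symptom from comment 8)"
fi

# Pass a user name to run the live check, e.g. ./check_groups.sh aduser1
if [ -n "${1:-}" ]; then
    report_missing_members "$1"
fi
```

Without an argument the script only runs the offline demonstration; with a user name it performs the live comparison, so running it twice (once straight after a cache invalidation, once after a second lookup) shows whether the cached group entry is stale only on the first pass.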

Comment 14 Nirupama Karandikar 2014-08-14 08:02:46 UTC
Since the initial issue is fixed, marking as verified.

Comment 15 errata-xmlrpc 2014-10-14 04:49:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

