Red Hat Bugzilla – Bug 1130017
Saving group membership fails if provider is AD, POSIX attributes are used and primary group contains the user as a member
Last modified: 2014-10-14 00:49:31 EDT
Description of problem:
This bug hits setups where the id_provider is AD or the ldap_schema is set to AD, at the same time POSIX attributes are used, and at the same time the primary group also includes the user as a 'member' attribute.

Version-Release number of selected component (if applicable):
sssd-1.11.6-14.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. prepare an AD server with POSIX attributes, enroll sssd to it
2. make sure the primary group of a user also has the 'member' attribute pointing towards the user
3. run id user

Actual results:
saving group membership fails with:

(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists]
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists)
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sysdb_store_group] (0x0400): Error: 17 (File exists)
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sdap_save_grpmem] (0x0080): sysdb_store_group failed: [17][File exists].
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sdap_save_grpmem] (0x0040): Failed to save members of group adgrp01

Expected results:
saving group membership succeeds.

Additional info:
It is not typical that the primary group also contains the user as a member. At the same time, we have code that special-cases the AD provider so that also all members of the primary group are added as groups the user is a member of, because that's what Windows clients do. This special-case breaks when the AD primary group *also* contains the user as a member.

I think we should simply use the ldb permissive control to save the membership.
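The failure mode in the description can be modelled without an AD server. The following is an added example, not sssd code and not the ldb API: a toy group entry whose multi-valued 'member' attribute is written twice for the same user, once by the AD primary-group special case and once from the group's explicit 'member' attribute. A strict ADD refuses the duplicate value and is reported as errno 17 (EEXIST), as in the log lines above; a permissive ADD, the behaviour the ldb permissive-modify control provides, skips values that already exist and leaves the user listed once. The group and user names come from the report; "aduser2" and the class and function names are constructed for the example.

```python
import errno


class LdbModifyError(Exception):
    """Models the sysdb_set_entry_attr failure in the log: ldb_modify refuses an
    ADD of a value the attribute already holds, and sssd reports it as errno 17."""

    def __init__(self):
        super().__init__("ldb_modify failed: [Attribute or value exists]")
        self.errno = errno.EEXIST  # 17, "File exists", as in the bug's log lines


class SysdbGroup:
    """Toy stand-in for one group entry in the sssd cache (assumed, not sssd's API)."""

    def __init__(self, name):
        self.name = name
        self.member = []  # multi-valued 'member' attribute, kept in insertion order

    def add_members(self, new_members, permissive=False):
        """ADD values to 'member'. Strict mode mirrors a plain ldb_modify ADD;
        permissive mode mirrors the ldb permissive-modify control, which ignores
        values that are already present instead of failing."""
        for m in new_members:
            if m in self.member:
                if not permissive:
                    raise LdbModifyError()
                continue
            self.member.append(m)
        return list(self.member)


def save_primary_group_membership(group, user):
    """AD special case from the report: the user's primary group (gidNumber /
    primaryGroupID) is recorded as containing the user even though AD normally
    does not list the user in that group's 'member' attribute."""
    return group.add_members([user])


def save_grpmem(group, ldap_members, permissive):
    """Analogue of sdap_save_grpmem: write the 'member' values fetched from AD.
    Returns (errno, member list after the write); errno 0 means success."""
    try:
        group.add_members(ldap_members, permissive=permissive)
        return (0, list(group.member))
    except LdbModifyError as e:
        return (e.errno, list(group.member))


def reproduce(permissive):
    """Constructed scenario: adgrp01 is aduser1's primary group AND also lists
    aduser1 in its 'member' attribute. Returns (errno, final member list)."""
    adgrp01 = SysdbGroup("adgrp01")
    save_primary_group_membership(adgrp01, "aduser1")
    # Constructed sample of AD's 'member' attribute for adgrp01
    ldap_members = ["aduser1", "aduser2"]
    return save_grpmem(adgrp01, ldap_members, permissive)


if __name__ == "__main__":
    print("strict ADD:    ", reproduce(permissive=False))  # (17, ['aduser1'])
    print("permissive ADD:", reproduce(permissive=True))   # (0, ['aduser1', 'aduser2'])
```

The strict run stops at the first duplicate, so the second member is never written; that is why, before the fix, `getent group adgrp01` shows no members at all rather than a partial list.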
Upstream ticket: https://fedorahosted.org/sssd/ticket/2406
Here is a test build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7863299
It would be nice if Niru or Kaushik could confirm the fix helps.
Before Fix: sssd-1.11.6-14.el6.x86_64

uid=70001(aduser1) gid=70001(adgrp01) groups=70001(adgrp01),10000(domain users),70002(adgrp02),70003(adgrp03),70004(adgrp04)
:: [ PASS ] :: Running 'id aduser1' (Expected 0, got 0)
adgrp01:*:70001:
:: [ FAIL ] :: Running 'getent group adgrp01 | grep aduser1' (Expected 0, got 1)
adgrp02:*:70002:aduser1
:: [ PASS ] :: Running 'getent group adgrp02' (Expected 0, got 0)

After applying fix: sssd-1.11.6-23.1.el6.x86_64

uid=70001(aduser1) gid=70001(adgrp01) groups=70001(adgrp01),10000(domain users),70002(adgrp02),70003(adgrp03),70004(adgrp04)
:: [ PASS ] :: Running 'id aduser1' (Expected 0, got 0)
adgrp01:*:70001:aduser1
:: [ PASS ] :: Running 'getent group adgrp01 | grep aduser1' (Expected 0, got 0)
adgrp02:*:70002:aduser1
:: [ PASS ] :: Running 'getent group adgrp02' (Expected 0, got 0)
Thank you very much for testing, Niru! I will produce an official build once the patches are merged upstream.
Fixed upstream:

master:
5e195ddf368b705f674ece2faf64261f66e20c23
bb755dcacd126adad8c60e8cbea11566de67affe

sssd-1-11:
25ff0ec25c40c967e4df7a2b2b3e8ad930218cb5
2d1e4d2bb90c40dd16c68b71c69c9e46f428a3f6
Verified with sssd-1.11.6-28.el6

Output from beaker automation run:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: bug_automation_004: BZ 1130017 ad group membership is empty when id mapping is off
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Command 'id aduser1 | grep adgrp01 | grep adgrp02 | grep adgrp03' (Expected 0, got 0)
:: [ PASS ] :: Command 'getent group adgrp01 | grep aduser1' (Expected 0, got 0)
:: [ LOG ] :: Duration: 22s
:: [ LOG ] :: Assertions: 2 good, 0 bad
:: [ PASS ] :: RESULT: bug_automation_004: BZ 1122158 and 1130017 ad group membership is empty when id mapping is off
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1375.html