Bug 1130017 - Saving group membership fails if provider is AD, POSIX attributes are used and primary group contains the user as a member
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
Reported: 2014-08-14 07:55 UTC by Jakub Hrozek
Modified: 2014-10-14 04:49 UTC (History)

Fixed In Version: sssd-1.11.6-26.el6
Doc Type: Bug Fix
Last Closed: 2014-10-14 04:49:31 UTC


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1375 normal SHIPPED_LIVE sssd bug fix and enhancement update 2014-10-14 01:06:25 UTC

Description Jakub Hrozek 2014-08-14 07:55:33 UTC
Description of problem:
This bug hits setups where the id_provider is AD or the ldap_schema is set to AD, at the same time POSIX attributes are used and at the same time the primary group also includes the user as a 'member' attribute.

Version-Release number of selected component (if applicable):
sssd-1.11.6-14.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. prepare an AD server with POSIX attributes, enroll sssd to it
2. make sure the primary group of a user also has the 'member' attribute pointing towards the user
3. run id user

Actual results:
saving group membership fails with:
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists]
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists)
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sysdb_store_group] (0x0400): Error: 17 (File exists)
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sdap_save_grpmem] (0x0080): sysdb_store_group failed: [17][File exists].
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sdap_save_grpmem] (0x0040): Failed to save members of group adgrp01

Expected results:
saving group membership succeeds.

Additional info:
It is not typical that the primary group also contains the user as a member. At the same time, we have code that special-cases the AD provider so that also all members of primary group are added as groups the user is a member of, because that's what Windows clients do. This special-case breaks when the AD primary group *also* contains the user as a member.

I think we should simply use ldb permissive control to save the membership.
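
Added example, not part of the original report and not SSSD code: a log check that ties the ldb_modify duplicate-value error to the sdap_save_grpmem failure that follows it in the same back end, so affected groups can be listed from a domain log. It uses the lines quoted under "Actual results" plus one constructed line; the function name and the per-domain pairing rule are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Log lines copied from "Actual results" in this report, plus one constructed
# line (OTHER.EXAMPLE) that fails without the duplicate-value error before it.
SAMPLE_LOG = """\
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists]
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists)
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sysdb_store_group] (0x0400): Error: 17 (File exists)
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sdap_save_grpmem] (0x0080): sysdb_store_group failed: [17][File exists].
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sdap_save_grpmem] (0x0040): Failed to save members of group adgrp01
(Wed Aug 13 17:16:40 2014) [sssd[be[OTHER.EXAMPLE]]] [sdap_save_grpmem] (0x0040): Failed to save members of group constructedgrp
"""

# "(timestamp) [sssd[be[DOMAIN]]] [function] (0xLEVEL): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$"
)
GROUP_RE = re.compile(r"Failed to save members of group (?P<group>\S+)")
DUPLICATE_MARK = "ldb_modify failed: [Attribute or value exists]"


def find_duplicate_member_failures(log_text):
    """Map each domain to the (timestamp, group) saves that failed right after
    ldb_modify rejected an already-present attribute value."""
    pending = set()            # domains with an unattributed duplicate error
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue           # not an SSSD back-end debug line
        domain, func, msg = m["domain"], m["func"], m["msg"]
        if func == "sysdb_set_entry_attr" and DUPLICATE_MARK in msg:
            pending.add(domain)
        elif func == "sdap_save_grpmem":
            failed = GROUP_RE.search(msg)
            if failed and domain in pending:
                pending.discard(domain)
                hits[domain].append((m["ts"], failed["group"]))
    return dict(hits)


if __name__ == "__main__":
    for domain, saves in find_duplicate_member_failures(SAMPLE_LOG).items():
        for ts, group in saves:
            print(f"{domain}: membership of {group} not saved at {ts}")
```

A hit means the cached group has no member list for that lookup, so anything on the host that decides access from `getent group` output should be rechecked after updating.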

Comment 1 Jakub Hrozek 2014-08-14 07:57:19 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2406

Comment 4 Jakub Hrozek 2014-08-20 15:40:16 UTC
Here is a test build:
http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7863299

It would be nice if Niru or Kaushik could confirm the fix helps.

Comment 5 Nirupama Karandikar 2014-08-21 08:36:04 UTC
Before Fix : sssd-1.11.6-14.el6.x86_64

uid=70001(aduser1) gid=70001(adgrp01) groups=70001(adgrp01),10000(domain users),70002(adgrp02),70003(adgrp03),70004(adgrp04)
:: [   PASS   ] :: Running 'id aduser1' (Expected 0, got 0)
adgrp01:*:70001:
:: [   FAIL   ] :: Running 'getent group adgrp01 | grep aduser1' (Expected 0, got 1)
adgrp02:*:70002:aduser1
:: [   PASS   ] :: Running 'getent group adgrp02' (Expected 0, got 0)


After applying fix : sssd-1.11.6-23.1.el6.x86_64

uid=70001(aduser1) gid=70001(adgrp01) groups=70001(adgrp01),10000(domain users),70002(adgrp02),70003(adgrp03),70004(adgrp04)
:: [   PASS   ] :: Running 'id aduser1' (Expected 0, got 0)
adgrp01:*:70001:aduser1
:: [   PASS   ] :: Running 'getent group adgrp01 | grep aduser1' (Expected 0, got 0)
adgrp02:*:70002:aduser1
:: [   PASS   ] :: Running 'getent group adgrp02' (Expected 0, got 0)

Comment 6 Jakub Hrozek 2014-08-21 08:42:12 UTC
Thank you very much for testing, Niru!

I will produce an official build once the patches are merged upstream.

Comment 8 Jakub Hrozek 2014-08-26 14:26:24 UTC
Fixed upstream:
    master:
        5e195ddf368b705f674ece2faf64261f66e20c23
        bb755dcacd126adad8c60e8cbea11566de67affe 
    sssd-1-11:
        25ff0ec25c40c967e4df7a2b2b3e8ad930218cb5
        2d1e4d2bb90c40dd16c68b71c69c9e46f428a3f6

Comment 10 Kaushik Banerjee 2014-08-28 11:10:21 UTC
Verified with sssd-1.11.6-28.el6

Output from beaker automation run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bug_automation_004: BZ 1130017 ad group membership is empty when id mapping is off
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'id aduser1 | grep  adgrp01 | grep adgrp02 | grep adgrp03' (Expected 0, got 0)
:: [   PASS   ] :: Command 'getent group adgrp01 | grep aduser1' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 22s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: bug_automation_004: BZ 1122158 and 1130017 ad group membership is empty when id mapping is off

Comment 11 errata-xmlrpc 2014-10-14 04:49:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1375.html

