Bug 1130017 - Saving group membership fails if provider is AD, POSIX attributes are used and primary group contains the user as a member
Summary: Saving group membership fails if provider is AD, POSIX attributes are used an...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-08-14 07:55 UTC by Jakub Hrozek
Modified: 2020-05-02 17:47 UTC
CC List: 9 users

Fixed In Version: sssd-1.11.6-26.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-14 04:49:31 UTC
Target Upstream Version:
Embargoed:

Links:
  System: Github SSSD sssd issues
    ID: 3448
    Private: no
    Status: closed
    Summary: Saving group membership fails if provider is AD, POSIX attributes are used and primary group contains the user as a memb...
    Last Updated: 2020-09-18 20:38:02 UTC
  System: Red Hat Product Errata
    ID: RHBA-2014:1375
    Private: no
    Priority: normal
    Status: SHIPPED_LIVE
    Summary: sssd bug fix and enhancement update
    Last Updated: 2014-10-14 01:06:25 UTC

Description Jakub Hrozek 2014-08-14 07:55:33 UTC
Description of problem:
This bug hits setups where the id_provider is AD or the ldap_schema is set to AD, at the same time POSIX attributes are used and at the same time the primary group also includes the user as a 'member' attribute.

Version-Release number of selected component (if applicable):
sssd-1.11.6-14.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. prepare an AD server with POSIX attributes, enroll sssd to it
2. make sure the primary group of a user also has the 'member' attribute pointing towards the user
3. run id user

Actual results:
saving group membership fails with:
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists]
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists)
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sysdb_store_group] (0x0400): Error: 17 (File exists)
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sdap_save_grpmem] (0x0080): sysdb_store_group failed: [17][File exists].
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sdap_save_grpmem] (0x0040): Failed to save members of group adgrp01

Expected results:
saving group membership succeeds.

Additional info:
It is not typical that the primary group also contains the user as a member. At the same time, we have code that special-cases the AD provider so that also all members of primary group are added as groups the user is a member of, because that's what Windows clients do. This special-case breaks when the AD primary group *also* contains the user as a member.

I think we should simply use ldb permissive control to save the membership.
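
The failure mode described above, as an added example that is not SSSD code and is not from the bug report: a small Python model of the cache write. It assumes a simplified sysdb/ldb where membership is stored as a "memberuid" list and an ADD modification either rejects an already-present value (strict, the behaviour the log shows as "Attribute or value exists") or skips it (permissive, standing in for the ldb permissive control the comment proposes). The user/group data is constructed to mirror the report: aduser1's primary group adgrp01 also lists the user explicitly, while adgrp02 is an ordinary secondary group. The write is modelled as transactional, so a failed save leaves the cached group with no members, which is what the "adgrp01:*:70001:" line in the pre-fix test output looks like.

```python
"""Model of saving AD group membership into a sysdb-like cache.

Added example, not SSSD's own code. Names and numbers are constructed
to match the bug report; the ldb/sysdb semantics are simplified
assumptions, not the real libldb API.
"""

# Constructed sample data (not real directory content).
USERS = [
    {"name": "aduser1", "uidNumber": 70001, "gidNumber": 70001},
]
GROUPS = {
    # Primary group of aduser1 that ALSO lists the user as 'member':
    # this is the combination that triggers the bug.
    "adgrp01": {"gidNumber": 70001, "member": ["aduser1"]},
    # Ordinary secondary group with an explicit member only.
    "adgrp02": {"gidNumber": 70002, "member": ["aduser1"]},
}


class AttributeOrValueExists(Exception):
    """Stands in for the ldb error 'Attribute or value exists' (errno 17, EEXIST)."""


def ldb_mod_add(entry: dict, attr: str, values: list, permissive: bool) -> None:
    """Simulated ADD modification of a multi-valued attribute.

    strict     : a value that is already present is an error (what the bug hit)
    permissive : already-present values are skipped, modelling the ldb
                 permissive-modify control suggested in the report
    """
    existing = entry.setdefault(attr, [])
    for value in values:
        if value in existing:
            if permissive:
                continue
            raise AttributeOrValueExists(f"{attr}: {value}")
        existing.append(value)


def primary_group_members(gid: int, users: list) -> list:
    """Users whose primary GID is this group. The AD special case adds them as
    members because that is how Windows clients compute membership."""
    return [u["name"] for u in users if u["gidNumber"] == gid]


def save_group_membership(sysdb: dict, name: str, group: dict,
                          users: list, permissive: bool) -> list:
    """Store a group's member list into the simulated cache.

    Two ADD modifications are applied, like the two code paths in the report:
      1. the explicit 'member' values from LDAP
      2. the primary-group special case
    The write is transactional: on error nothing is committed, so the cached
    group keeps no members at all.
    """
    staged: dict = {}
    ldb_mod_add(staged, "memberuid", group["member"], permissive)
    ldb_mod_add(staged, "memberuid",
                primary_group_members(group["gidNumber"], users), permissive)
    sysdb[name] = list(staged["memberuid"])
    return list(sysdb[name])


def getent_group(sysdb: dict, name: str, group: dict) -> str:
    """Render a group the way 'getent group' prints it from the cache."""
    return f"{name}:*:{group['gidNumber']}:{','.join(sysdb.get(name, []))}"


def run(permissive: bool):
    """Save every constructed group; return (getent lines by name, error messages)."""
    sysdb: dict = {}
    lines: dict = {}
    errors: list = []
    for name, group in GROUPS.items():
        try:
            save_group_membership(sysdb, name, group, USERS, permissive)
        except AttributeOrValueExists as exc:
            errors.append(f"Failed to save members of group {name}: [17][File exists] ({exc})")
        lines[name] = getent_group(sysdb, name, group)
    return lines, errors


if __name__ == "__main__":
    for mode in (False, True):
        print("permissive" if mode else "strict")
        lines, errors = run(mode)
        for line in lines.values():
            print("  ", line)
        for err in errors:
            print("  ", err)
```

Run the block as a script: in strict mode adgrp01 fails and comes back with an empty member list while adgrp02 is fine; in permissive mode both groups list aduser1 exactly once, which is the outcome the "After applying fix" output in the comments shows.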

Comment 1 Jakub Hrozek 2014-08-14 07:57:19 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2406

Comment 4 Jakub Hrozek 2014-08-20 15:40:16 UTC
Here is a test build:
http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7863299

It would be nice if niru or Kaushik could confirm the fix helps.

Comment 5 Nirupama Karandikar 2014-08-21 08:36:04 UTC
Before Fix : sssd-1.11.6-14.el6.x86_64

uid=70001(aduser1) gid=70001(adgrp01) groups=70001(adgrp01),10000(domain users),70002(adgrp02),70003(adgrp03),70004(adgrp04)
:: [   PASS   ] :: Running 'id aduser1' (Expected 0, got 0)
adgrp01:*:70001:
:: [   FAIL   ] :: Running 'getent group adgrp01 | grep aduser1' (Expected 0, got 1)
adgrp02:*:70002:aduser1
:: [   PASS   ] :: Running 'getent group adgrp02' (Expected 0, got 0)


After applying fix : sssd-1.11.6-23.1.el6.x86_64

uid=70001(aduser1) gid=70001(adgrp01) groups=70001(adgrp01),10000(domain users),70002(adgrp02),70003(adgrp03),70004(adgrp04)
:: [   PASS   ] :: Running 'id aduser1' (Expected 0, got 0)
adgrp01:*:70001:aduser1
:: [   PASS   ] :: Running 'getent group adgrp01 | grep aduser1' (Expected 0, got 0)
adgrp02:*:70002:aduser1
:: [   PASS   ] :: Running 'getent group adgrp02' (Expected 0, got 0)

Comment 6 Jakub Hrozek 2014-08-21 08:42:12 UTC
Thank you very much for testing, Niru!

I will produce an official build once the patches are merged upstream.

Comment 8 Jakub Hrozek 2014-08-26 14:26:24 UTC
Fixed upstream:
    master:
        5e195ddf368b705f674ece2faf64261f66e20c23
        bb755dcacd126adad8c60e8cbea11566de67affe
    sssd-1-11:
        25ff0ec25c40c967e4df7a2b2b3e8ad930218cb5
        2d1e4d2bb90c40dd16c68b71c69c9e46f428a3f6

Comment 10 Kaushik Banerjee 2014-08-28 11:10:21 UTC
Verified with sssd-1.11.6-28.el6

Output from beaker automation run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bug_automation_004: BZ 1130017 ad group membership is empty when id mapping is off
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'id aduser1 | grep  adgrp01 | grep adgrp02 | grep adgrp03' (Expected 0, got 0)
:: [   PASS   ] :: Command 'getent group adgrp01 | grep aduser1' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 22s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: bug_automation_004: BZ 1122158 and 1130017 ad group membership is empty when id mapping is off

Comment 11 errata-xmlrpc 2014-10-14 04:49:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1375.html
