1139044 – RHEL6.6 ipa user private group not found

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1139044 - RHEL6.6 ipa user private group not found

Summary: RHEL6.6 ipa user private group not found

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	6.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Martin Kosek
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-09-07 19:26 UTC by Scott Poore
Modified:	2020-05-02 17:48 UTC (History)
CC List:	10 users (show)
Fixed In Version:	sssd-1.11.6-30.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-10-14 04:49:39 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 3478	0	None	None	None	2020-05-02 17:48:28 UTC
Red Hat Product Errata	RHBA-2014:1375	0	normal	SHIPPED_LIVE	sssd bug fix and enhancement update	2014-10-14 01:06:25 UTC

Description Scott Poore 2014-09-07 19:26:05 UTC

Description of problem:

In IPA on RHEL6, I see errors logging in as a user:

[root@ipa slapd-EXAMPLE-COM]# ssh -l ipauser1 $(hostname)
ipauser1.com's password: 
Could not chdir to home directory /home/ipauser1: No such file or directory
id: cannot find name for group ID 982000001
-sh-4.1$ exit

From sssd log (from IPA client here) I see:

(Sun Sep  7 13:50:26 2014) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=ipauser1)(objectclass=groupofnames)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=example,dc=com].

Checking the group info in IPA:

[root@ipa slapd-EXAMPLE-COM]# ipa group-show ipauser1 --all --raw
  dn: cn=ipauser1,cn=groups,cn=accounts,dc=example,dc=com
  cn: ipauser1
  description: User private group for ipauser1
  gidnumber: 982000001
  ipauniqueid: bbef789c-36be-11e4-a38e-0000c0a87a65
  mepmanagedby: uid=ipauser1,cn=users,cn=accounts,dc=example,dc=com
  objectclass: posixgroup
  objectclass: ipaobject
  objectclass: mepManagedEntry
  objectclass: top

I do not see objectclass groupofnames.

If I add that, I can start seeing user private group:

[root@ipa slapd-EXAMPLE-COM]# ldapmodify  -D "cn=Directory Manager" -w Secret123 <<EOF
dn: cn=ipauser1,cn=groups,cn=accounts,dc=example,dc=com
add: objectClass
objectClass: groupofnames
EOF

modifying entry "cn=ipauser1,cn=groups,cn=accounts,dc=example,dc=com"

[root@ipa slapd-EXAMPLE-COM]# getent group ipauser1
ipauser1:*:982000001:
[root@ipa slapd-EXAMPLE-COM]# ssh -l ipauser1 $(hostname)
ipauser1.com's password: 
Last login: Sun Sep  7 14:08:14 2014 from ipa.example.com
Could not chdir to home directory /home/ipauser1: No such file or directory
-sh-4.1$ 


Version-Release number of selected component (if applicable):
ipa-server-3.0.0-42.el6.x86_64
sssd-1.11.6-29.el6.x86_64


How reproducible:
always

Steps to Reproduce:
1. On RHEL6.6 server setup IPA server wtih DNS (ipa-server-install --setup-dns --forwarder=<IP> ...)
2. ipa user-add ipauser1 --first=f --last=l --password
3. kinit ipauser1 # set password
4. getent group ipauser1
5. ssh -l ipauser1 $(hostname)


Actual results:
cannot see user private group for ipauser1.

Expected results:
can see upg for ipauser1 without having to add groupaddnames manually


Additional info:

Comment 2 Rob Crittenden 2014-09-09 13:12:42 UTC

As a historical note, it was an architectual decision that user-private groups do not have the groupofnames objectclass. This is because this group can have no members.

Comment 3 Jakub Hrozek 2014-09-09 22:38:32 UTC

Upstream ticket:
https://fedorahosted.org/sssd/ticket/2436

Comment 4 Jakub Hrozek 2014-09-15 08:26:03 UTC

Pushed upstream:
    master:
        6f91c61426c8cfbfec52d5e77ae4650007694e69
        7ba70236daccb48432350147d0560b3302518cee 
    sssd-1-11:
        cfa74fcb5f6ba23f41a9ddaa76c3ebae6156da86
        9e99c000a4e2647328e71b4db272b4b73a7189c5

Comment 6 Scott Poore 2014-09-15 21:55:37 UTC

Verified.

First, confirmed bug:

[root@rhel6-1 yum.local.d]# ipa user-add bz1139044user1 --first=f --last=l
---------------------------
Added user "bz1139044user1"
---------------------------
  User login: bz1139044user1
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/bz1139044user1
  GECOS field: f l
  Login shell: /bin/sh
  Kerberos principal: bz1139044user1
  Email address: bz1139044user1
  UID: 1145200001
  GID: 1145200001
  Password: False
  Kerberos keys available: False

[root@rhel6-1 yum.local.d]# ipa passwd bz1139044user1
New Password: 
Enter New Password again to verify: 
---------------------------------------------------
Changed password for "bz1139044user1"
---------------------------------------------------

[root@rhel6-1 yum.local.d]# kinit bz1139044user1
Password for bz1139044user1: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

[root@rhel6-1 yum.local.d]# ssh -l bz1139044user1 $(hostname)
Could not chdir to home directory /home/bz1139044user1: No such file or directory
id: cannot find name for group ID 1145200001

-sh-4.1$ id
uid=1145200001(bz1139044user1) gid=1145200001 groups=1145200001 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-sh-4.1$ exit

Then update SSSD:

[root@rhel6-1 yum.repos.d]# yum update sssd
Loaded plugins: product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Update Process
beaker-client                                                                   | 1.5 kB     00:00     
beaker-client/primary                                                           |  12 kB     00:00     
beaker-client                                                                                    55/55
beaker-rhel-6.6-latest-optional                                                 | 3.8 kB     00:00     
beaker-rhel-6.6-latest-optional/primary_db                                      | 1.2 MB     00:02     
beaker-rhel-6.6-latest-server                                                   | 4.1 kB     00:00     
beaker-rhel-6.6-latest-server/primary_db                                        | 3.1 MB     00:04     
mylocal                                                                         | 2.9 kB     00:00 ... 
mylocal/primary_db                                                              |  47 kB     00:00 ... 
Resolving Dependencies
--> Running transaction check
---> Package sssd.x86_64 0:1.11.6-29.el6 will be updated
---> Package sssd.x86_64 0:1.11.6-30.el6 will be an update
--> Processing Dependency: sssd-proxy = 1.11.6-30.el6 for package: sssd-1.11.6-30.el6.x86_64
--> Processing Dependency: sssd-ldap = 1.11.6-30.el6 for package: sssd-1.11.6-30.el6.x86_64
--> Processing Dependency: sssd-krb5 = 1.11.6-30.el6 for package: sssd-1.11.6-30.el6.x86_64
--> Processing Dependency: sssd-ipa = 1.11.6-30.el6 for package: sssd-1.11.6-30.el6.x86_64
--> Processing Dependency: sssd-common-pac = 1.11.6-30.el6 for package: sssd-1.11.6-30.el6.x86_64
--> Processing Dependency: sssd-common = 1.11.6-30.el6 for package: sssd-1.11.6-30.el6.x86_64
--> Processing Dependency: sssd-ad = 1.11.6-30.el6 for package: sssd-1.11.6-30.el6.x86_64
--> Processing Dependency: python-sssdconfig = 1.11.6-30.el6 for package: sssd-1.11.6-30.el6.x86_64
--> Running transaction check
---> Package python-sssdconfig.noarch 0:1.11.6-29.el6 will be updated
---> Package python-sssdconfig.noarch 0:1.11.6-30.el6 will be an update
---> Package sssd-ad.x86_64 0:1.11.6-29.el6 will be updated
---> Package sssd-ad.x86_64 0:1.11.6-30.el6 will be an update
--> Processing Dependency: sssd-krb5-common = 1.11.6-30.el6 for package: sssd-ad-1.11.6-30.el6.x86_64
---> Package sssd-common.x86_64 0:1.11.6-29.el6 will be updated
---> Package sssd-common.x86_64 0:1.11.6-30.el6 will be an update
--> Processing Dependency: sssd-client(x86-64) = 1.11.6-30.el6 for package: sssd-common-1.11.6-30.el6.x86_64
--> Processing Dependency: libsss_idmap(x86-64) = 1.11.6-30.el6 for package: sssd-common-1.11.6-30.el6.x86_64
---> Package sssd-common-pac.x86_64 0:1.11.6-29.el6 will be updated
---> Package sssd-common-pac.x86_64 0:1.11.6-30.el6 will be an update
---> Package sssd-ipa.x86_64 0:1.11.6-29.el6 will be updated
---> Package sssd-ipa.x86_64 0:1.11.6-30.el6 will be an update
--> Processing Dependency: libipa_hbac(x86-64) = 1.11.6-30.el6 for package: sssd-ipa-1.11.6-30.el6.x86_64
---> Package sssd-krb5.x86_64 0:1.11.6-29.el6 will be updated
---> Package sssd-krb5.x86_64 0:1.11.6-30.el6 will be an update
---> Package sssd-ldap.x86_64 0:1.11.6-29.el6 will be updated
---> Package sssd-ldap.x86_64 0:1.11.6-30.el6 will be an update
---> Package sssd-proxy.x86_64 0:1.11.6-29.el6 will be updated
---> Package sssd-proxy.x86_64 0:1.11.6-30.el6 will be an update
--> Running transaction check
---> Package libipa_hbac.x86_64 0:1.11.6-29.el6 will be updated
--> Processing Dependency: libipa_hbac = 1.11.6-29.el6 for package: libipa_hbac-python-1.11.6-29.el6.x86_64
---> Package libipa_hbac.x86_64 0:1.11.6-30.el6 will be an update
---> Package libsss_idmap.x86_64 0:1.11.6-29.el6 will be updated
---> Package libsss_idmap.x86_64 0:1.11.6-30.el6 will be an update
---> Package sssd-client.x86_64 0:1.11.6-29.el6 will be updated
---> Package sssd-client.x86_64 0:1.11.6-30.el6 will be an update
---> Package sssd-krb5-common.x86_64 0:1.11.6-29.el6 will be updated
---> Package sssd-krb5-common.x86_64 0:1.11.6-30.el6 will be an update
--> Running transaction check
---> Package libipa_hbac-python.x86_64 0:1.11.6-29.el6 will be updated
---> Package libipa_hbac-python.x86_64 0:1.11.6-30.el6 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================
 Package                        Arch               Version                   Repository           Size
=======================================================================================================
Updating:
 sssd                           x86_64             1.11.6-30.el6             mylocal              87 k
Updating for dependencies:
 libipa_hbac                    x86_64             1.11.6-30.el6             mylocal              92 k
 libipa_hbac-python             x86_64             1.11.6-30.el6             mylocal              87 k
 libsss_idmap                   x86_64             1.11.6-30.el6             mylocal              97 k
 python-sssdconfig              noarch             1.11.6-30.el6             mylocal             119 k
 sssd-ad                        x86_64             1.11.6-30.el6             mylocal             141 k
 sssd-client                    x86_64             1.11.6-30.el6             mylocal             127 k
 sssd-common                    x86_64             1.11.6-30.el6             mylocal             831 k
 sssd-common-pac                x86_64             1.11.6-30.el6             mylocal             120 k
 sssd-ipa                       x86_64             1.11.6-30.el6             mylocal             194 k
 sssd-krb5                      x86_64             1.11.6-30.el6             mylocal             109 k
 sssd-krb5-common               x86_64             1.11.6-30.el6             mylocal             159 k
 sssd-ldap                      x86_64             1.11.6-30.el6             mylocal             166 k
 sssd-proxy                     x86_64             1.11.6-30.el6             mylocal             115 k

Transaction Summary
=======================================================================================================
Upgrade      14 Package(s)

Total download size: 2.4 M
Is this ok [y/N]: y
Downloading Packages:
-------------------------------------------------------------------------------------------------------
Total                                                                   72 MB/s | 2.4 MB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : libsss_idmap-1.11.6-30.el6.x86_64                                                  1/28 
  Updating   : libipa_hbac-1.11.6-30.el6.x86_64                                                   2/28 
  Updating   : python-sssdconfig-1.11.6-30.el6.noarch                                             3/28 
  Updating   : sssd-client-1.11.6-30.el6.x86_64                                                   4/28 
  Updating   : sssd-common-1.11.6-30.el6.x86_64                                                   5/28 
  Updating   : sssd-krb5-common-1.11.6-30.el6.x86_64                                              6/28 
  Updating   : sssd-common-pac-1.11.6-30.el6.x86_64                                               7/28 
  Updating   : sssd-ad-1.11.6-30.el6.x86_64                                                       8/28 
  Updating   : sssd-ipa-1.11.6-30.el6.x86_64                                                      9/28 
  Updating   : sssd-ldap-1.11.6-30.el6.x86_64                                                    10/28 
  Updating   : sssd-krb5-1.11.6-30.el6.x86_64                                                    11/28 
  Updating   : sssd-proxy-1.11.6-30.el6.x86_64                                                   12/28 
  Updating   : sssd-1.11.6-30.el6.x86_64                                                         13/28 
  Updating   : libipa_hbac-python-1.11.6-30.el6.x86_64                                           14/28 
  Cleanup    : sssd-1.11.6-29.el6.x86_64                                                         15/28 
  Cleanup    : sssd-ipa-1.11.6-29.el6.x86_64                                                     16/28 
  Cleanup    : sssd-ad-1.11.6-29.el6.x86_64                                                      17/28 
  Cleanup    : sssd-common-pac-1.11.6-29.el6.x86_64                                              18/28 
  Cleanup    : sssd-krb5-1.11.6-29.el6.x86_64                                                    19/28 
  Cleanup    : sssd-ldap-1.11.6-29.el6.x86_64                                                    20/28 
  Cleanup    : sssd-krb5-common-1.11.6-29.el6.x86_64                                             21/28 
  Cleanup    : sssd-proxy-1.11.6-29.el6.x86_64                                                   22/28 
  Cleanup    : sssd-common-1.11.6-29.el6.x86_64                                                  23/28 
  Cleanup    : libipa_hbac-python-1.11.6-29.el6.x86_64                                           24/28 
  Cleanup    : python-sssdconfig-1.11.6-29.el6.noarch                                            25/28 
  Cleanup    : libipa_hbac-1.11.6-29.el6.x86_64                                                  26/28 
  Cleanup    : libsss_idmap-1.11.6-29.el6.x86_64                                                 27/28 
  Cleanup    : sssd-client-1.11.6-29.el6.x86_64                                                  28/28 
  Verifying  : sssd-client-1.11.6-30.el6.x86_64                                                   1/28 
  Verifying  : sssd-common-1.11.6-30.el6.x86_64                                                   2/28 
  Verifying  : sssd-common-pac-1.11.6-30.el6.x86_64                                               3/28 
  Verifying  : sssd-1.11.6-30.el6.x86_64                                                          4/28 
  Verifying  : libipa_hbac-python-1.11.6-30.el6.x86_64                                            5/28 
  Verifying  : sssd-ldap-1.11.6-30.el6.x86_64                                                     6/28 
  Verifying  : sssd-krb5-1.11.6-30.el6.x86_64                                                     7/28 
  Verifying  : libsss_idmap-1.11.6-30.el6.x86_64                                                  8/28 
  Verifying  : sssd-proxy-1.11.6-30.el6.x86_64                                                    9/28 
  Verifying  : sssd-krb5-common-1.11.6-30.el6.x86_64                                             10/28 
  Verifying  : sssd-ad-1.11.6-30.el6.x86_64                                                      11/28 
  Verifying  : libipa_hbac-1.11.6-30.el6.x86_64                                                  12/28 
  Verifying  : python-sssdconfig-1.11.6-30.el6.noarch                                            13/28 
  Verifying  : sssd-ipa-1.11.6-30.el6.x86_64                                                     14/28 
  Verifying  : sssd-ad-1.11.6-29.el6.x86_64                                                      15/28 
  Verifying  : sssd-krb5-common-1.11.6-29.el6.x86_64                                             16/28 
  Verifying  : python-sssdconfig-1.11.6-29.el6.noarch                                            17/28 
  Verifying  : libipa_hbac-1.11.6-29.el6.x86_64                                                  18/28 
  Verifying  : sssd-proxy-1.11.6-29.el6.x86_64                                                   19/28 
  Verifying  : libsss_idmap-1.11.6-29.el6.x86_64                                                 20/28 
  Verifying  : sssd-ldap-1.11.6-29.el6.x86_64                                                    21/28 
  Verifying  : sssd-krb5-1.11.6-29.el6.x86_64                                                    22/28 
  Verifying  : libipa_hbac-python-1.11.6-29.el6.x86_64                                           23/28 
  Verifying  : sssd-common-1.11.6-29.el6.x86_64                                                  24/28 
  Verifying  : sssd-1.11.6-29.el6.x86_64                                                         25/28 
  Verifying  : sssd-client-1.11.6-29.el6.x86_64                                                  26/28 
  Verifying  : sssd-common-pac-1.11.6-29.el6.x86_64                                              27/28 
  Verifying  : sssd-ipa-1.11.6-29.el6.x86_64                                                     28/28 

Updated:
  sssd.x86_64 0:1.11.6-30.el6                                                                          

Dependency Updated:
  libipa_hbac.x86_64 0:1.11.6-30.el6                libipa_hbac-python.x86_64 0:1.11.6-30.el6          
  libsss_idmap.x86_64 0:1.11.6-30.el6               python-sssdconfig.noarch 0:1.11.6-30.el6           
  sssd-ad.x86_64 0:1.11.6-30.el6                    sssd-client.x86_64 0:1.11.6-30.el6                 
  sssd-common.x86_64 0:1.11.6-30.el6                sssd-common-pac.x86_64 0:1.11.6-30.el6             
  sssd-ipa.x86_64 0:1.11.6-30.el6                   sssd-krb5.x86_64 0:1.11.6-30.el6                   
  sssd-krb5-common.x86_64 0:1.11.6-30.el6           sssd-ldap.x86_64 0:1.11.6-30.el6                   
  sssd-proxy.x86_64 0:1.11.6-30.el6                

Complete!

Then verify the actual fix works:

[root@rhel6-1 yum.repos.d]# echo Secret123| kinit bz1139044user1
Password for bz1139044user1: 

[root@rhel6-1 yum.repos.d]# ssh -l bz1139044user1 $(hostname) id
Could not chdir to home directory /home/bz1139044user1: No such file or directory
uid=1145200001(bz1139044user1) gid=1145200001(bz1139044user1) groups=1145200001(bz1139044user1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[root@rhel6-1 yum.repos.d]# 

I can see the private group name resolved above.

Comment 7 errata-xmlrpc 2014-10-14 04:49:39 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1375.html

Note You need to log in before you can comment on or make changes to this bug.