Bug 1139962 - Fedora 21, FreeIPA 4.0.2: sssd does not find user private group from server
Summary: Fedora 21, FreeIPA 4.0.2: sssd does not find user private group from server
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: sssd
Version: 21
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
Assignee: Jakub Hrozek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: F21BetaBlocker
TreeView+ depends on / blocked
 
Reported: 2014-09-10 05:30 UTC by Adam Williamson
Modified: 2020-05-02 17:48 UTC (History)
10 users (show)

Fixed In Version: sssd-1.12.1-2.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-03 03:58:18 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 3478 0 None None None 2020-05-02 17:48:23 UTC

Description Adam Williamson 2014-09-10 05:30:38 UTC
I'm hitting https://fedorahosted.org/sssd/ticket/2436 in a clean test Fedora 21 Alpha (server) / Fedora 21 Alpha (client) deployment I'm running here: the client can't see a test user account's private user group. I think the bug only happens so long as a user isn't a member of any public group, but I can definitely reproduce it with a clean and controllable test scenario.

Proposing as a freeze exception, as we want FreeIPA to work as well as possible for Alpha release and not correctly handling group membership could be a problem.

Comment 1 Jakub Hrozek 2014-09-10 08:26:56 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2436

Comment 2 Adam Williamson 2014-09-10 18:29:42 UTC
Discussed at 2014-09-10 freeze exception review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2014-09-10/f21-blocker-review.2014-09-10-16.07.log.txt . We agreed to punt on this one for now, as we need to see how sensitive the fix is, and it'd also be good to have a more solid idea of the practical consequences of the bug (I was too busy working out the cause to take time to find out what it could actually break).

Comment 3 Adam Williamson 2014-09-11 02:34:32 UTC
New testing indicates this is actually a regression in https://admin.fedoraproject.org/updates/FEDORA-2014-10547/sssd-1.12.1-1.fc21 so far as F21 is concerned, so does not need FE status as that update is in u-t.

Comment 4 Alexander Bokovoy 2014-09-12 19:13:59 UTC
Please note that we need 1.12.1+fix for this bug in F21 beta to allow proper functioning of FreeIPA clients against FreeIPA 4.0.3 server. The fixes in SSSD 1.12.1 are important for AD trust integration (cross-domain group members support) and operation against FreeIPA LDAP server with tightened ACIs (default in FreeIPA 4.0).

Comment 5 Fedora Blocker Bugs Application 2014-09-12 19:21:02 UTC
Proposed as a Blocker for 21-alpha by Fedora user sgallagh using the blocker tracking app because:

 "It must be possible to join the system to a FreeIPA or Active Directory domain at install time and post-install, and the system must respect the identity, authentication and access control configuration provided by the domain."

According to the most recent comment on that BZ: "Please note that we need 1.12.1+fix for this bug in F21 beta to allow proper functioning of FreeIPA clients against FreeIPA 4.0.3 server. The fixes in SSSD 1.12.1 are important for AD trust integration (cross-domain group members support) and operation against FreeIPA LDAP server with tightened ACIs (default in FreeIPA 4.0)."

Comment 6 Stephen Gallagher 2014-09-12 19:36:18 UTC
I misunderstood the issue. It has been explained to me thusly:

(03:32:37 PM) ab: 1. SSSD < 1.12.1 will not work against trusted AD forests where there are users are members of groups from different domains. This is fixed in 1.12.1 but will not prevent pure Linux environment.
(03:33:23 PM) ab: 2. SSSD 1.12.1 fails against FreeIPA <= 4.0.2 as per 1139962


1.12.0 is currently in the stable repositories (for Alpha). This means it will have a bug in limited cases when in AD trust, but this is not a blocker. However, the updates-testing version 1.12.1 has a bug that must be fixed before we ship Beta. Updating the Blocker status accordingly.

Comment 7 Jakub Hrozek 2014-09-14 10:44:21 UTC
The patch has been acked on the sssd-devel list. We've been running the Red Hat QE test suite on packages that include the fix to make sure we didn't regress again -- however, the RH internal test bed (beaker) wasn't too stable on Thu and Fri. So we reverted to running the tests semi-manually on a reserved test machines, which takes time.

I plan on pushing the patch on Monday at the latest.

Comment 8 Jakub Hrozek 2014-09-15 08:26:20 UTC
    master:
        6f91c61426c8cfbfec52d5e77ae4650007694e69
        7ba70236daccb48432350147d0560b3302518cee 
    sssd-1-11:
        cfa74fcb5f6ba23f41a9ddaa76c3ebae6156da86
        9e99c000a4e2647328e71b4db272b4b73a7189c5

Comment 9 Fedora Update System 2014-09-15 09:14:49 UTC
sssd-1.12.1-2.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/FEDORA-2014-10547/sssd-1.12.1-2.fc21

Comment 10 Fedora Update System 2014-09-16 18:44:04 UTC
Package sssd-1.12.1-2.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.12.1-2.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-10547/sssd-1.12.1-2.fc21
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2014-10-03 03:58:18 UTC
sssd-1.12.1-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.