Bug 1154042 - RHEL6.6 sssd (1.11) doesn't return all group memberships against an IPA server
Summary: RHEL6.6 sssd (1.11) doesn't return all group memberships against an IPA server
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.6
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: rc
: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks: 1159926 1165074
TreeView+ depends on / blocked
 
Reported: 2014-10-17 11:34 UTC by Christos Triantafyllidis
Modified: 2019-07-11 08:16 UTC (History)
14 users (show)

Fixed In Version: sssd-1.11.6-33.el6
Doc Type: Bug Fix
Doc Text:
Already released via ZStream
Clone Of:
: 1165074 (view as bug list)
Environment:
Last Closed: 2015-07-22 06:41:57 UTC
Target Upstream Version:


Attachments (Terms of Use)
console output with verification steps (7.82 KB, text/plain)
2015-04-08 11:11 UTC, Kaleem
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:1448 normal SHIPPED_LIVE sssd bug fix and enhancement update 2015-07-20 18:43:53 UTC

Description Christos Triantafyllidis 2014-10-17 11:34:53 UTC
Description of problem:
Customer updated his 6.5 clients to 6.6 and after that not all groups are returned on id or id -G commands.



Version-Release number of selected component (if applicable):
sssd-1.11.6-30.el6.x86_64

How reproducible:
Everytime in customers environment

Steps to Reproduce:
1. Not clear, for customer just updating to 1.11 packages is sufficient

Actual results:
If we clean cache and remove the local cache database the users appear to be members of their primary group only.

Expected results:
All groups should be returned.

Additional info:
getent group groupname does return the correct output and after that the id command returns that group too.

Logs, config, command outputs will follow

Comment 10 Jakub Hrozek 2014-10-21 12:47:38 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2471

Comment 19 Jakub Hrozek 2014-11-05 14:07:31 UTC
* master: 3937736546e2a4b7cccc58fded3efdff9ae690fc

Comment 20 Jakub Hrozek 2014-11-05 14:32:31 UTC
Here are test builds:
https://jhrozek.fedorapeople.org/sssd-test-builds/sssd-6.6-ipa-group-fix/

Please note that this fix applies for users who run the IPA provider only.

If there are problems with the LDAP provider connected to an AD server, you are probably looking for bug https://bugzilla.redhat.com/show_bug.cgi?id=1160713

Comment 32 Kaleem 2015-04-08 11:10:30 UTC
Verified.

SSSD version:
=============

[root@dhcp207-229 ~]# rpm -q sssd
sssd-1.12.4-25.el6.x86_64
[root@dhcp207-229 ~]#

[root@dhcp207-229 ~]# ipa user-show testuser1
  User login: testuser1
  First name: test
  Last name: user1
  Home directory: /home/testuser1
  Login shell: /bin/sh
  Email address: testuser1@testrelm.test
  UID: 1121600001
  GID: 1121600001
  Account disabled: False
  Password: False
  Member of groups: ipausers, testgrp1, testgrp2, testgrp3, testgrp4, testgrp5, testgrp6, testgrp7, testgrp8, testgrp9, testgrp10, testgrp11
  Roles: testgrp1
  Kerberos keys available: False
[root@dhcp207-229 ~]# id testuser1
uid=527200001(testuser1) gid=527200001(testuser1) groups=527200001(testuser1),527200005(testgrp2),527200009(testgrp6),527200004(testgrp1),527200008(testgrp5),527200012(testgrp9),527200007(testgrp4),527200011(testgrp8),527200013(testgrp10),527200006(testgrp3),527200010(testgrp7),527200014(testgrp11)
[root@dhcp207-229 ~]#

Comment 33 Kaleem 2015-04-08 11:11:21 UTC
Created attachment 1012168 [details]
console output with verification steps

Comment 35 errata-xmlrpc 2015-07-22 06:41:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1448.html


Note You need to log in before you can comment on or make changes to this bug.