Red Hat Bugzilla – Bug 1161741
TokenGroups for LDAP provider breaks in corner cases
Last modified: 2015-03-05 05:34:07 EST
+++ This bug was initially created as a clone of Bug #1160713 +++

This bug is created as a clone of upstream ticket: https://fedorahosted.org/sssd/ticket/2483

We tried to speed up processing of initgroup lookups with tokenGroups even for the LDAP provider, but it turns out that there are too many corner cases that we didn't catch during development that break. For instance, groups from other trusted domains might appear in TG and the LDAP provider isn't equipped to handle them. Overall, users who wish to use the added speed benefits of tokenGroups are advised to use the AD provider.

--- Additional comment from Jakub Hrozek on 2014-11-05 09:31:56 EST ---

To work around this issue, disable the tokenGroups optimization to fall back to plain LDAP lookups:

ldap_use_tokengroups = False
* master: 5febf5ed0cfb4ba7665d8c3e36ee6941988da773
* sssd-1-11: 6037341d6d77dc61b11d3d23944c615a96713353
Please let me know if RHEL-7 test builds are needed, I can build those on-demand. For RHEL-6 test builds, see https://bugzilla.redhat.com/show_bug.cgi?id=1160713#c5
Verified in version sssd-1.12.2-28.el7

Snippet of output from beaker automation run:

:: [ PASS ] :: Command 'id lkuser01-817348 | grep lkgroup01-817348 | grep lkgroup011-817348' (Expected 0, got 0)
:: [ PASS ] :: Command 'id -g lkuser01-817348 | grep 10817348' (Expected 0, got 0)
:: [ PASS ] :: Command 'su_success lkuser01-817348 Secret123' (Expected 0, got 0)
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-0441.html