Red Hat Bugzilla – Bug 1168904
gid is overridden by uid in default trust view
Last modified: 2015-03-05 05:34:37 EST
Description of problem:
On client gid is overridden with the uid set for the user in default trust view

Version-Release number of selected component (if applicable):
ipa-server-4.1.0-10.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Add trust
2. Add only a uid value for an AD user
3. Clear sssd cache and check user with id command on both server and client. GID on client is same as the UID
4. Add gidnumber to the same user
5. Clear cache and check user with id command

Actual results:

On Server
[root@ibm-x3620m3-01 ~]# ipa idoverrideuser-add 'Default Trust View' aduser1@adtest.qe --uid 5555
------------------------------------------
Added User ID override "aduser1@adtest.qe"
------------------------------------------
  Anchor to override: aduser1@adtest.qe
  UID: 5555
[root@ibm-x3620m3-01 ~]# service sssd stop ; rm -fr /var/lib/sss/{mc,db}/* ; service sssd start
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
[root@ibm-x3620m3-01 ~]# id aduser1@adtest.qe
uid=5555(aduser1@adtest.qe) gid=1148401313(aduser1@adtest.qe) groups=1148401313(aduser1@adtest.qe),1148402424(adunigroup1@adtest.qe),1148401449(adgroup1@adtest.qe),1148402425(adgroup2@adtest.qe),1148400513(domain users@adtest.qe),1119800008(adgrp)

On Client
[root@gizmo ~]# id aduser1@adtest.qe
uid=5555(aduser1@adtest.qe) gid=5555(aduser1@adtest.qe) groups=5555(aduser1@adtest.qe),1148400513(domain users@adtest.qe),1148402424,1148401449,1148402425(adgroup2@adtest.qe),1119800008(adgrp)

-------------------------------------------------

On Server
[root@ibm-x3620m3-01 ~]# ipa idoverrideuser-mod 'Default Trust View' aduser1@adtest.qe --gidnumber 6666
------------------------------------------------
Modified an User ID override "aduser1@adtest.qe"
------------------------------------------------
  Anchor to override: aduser1@adtest.qe
  UID: 5555
  GID: 6666
[root@ibm-x3620m3-01 ~]# service sssd stop ; rm -fr /var/lib/sss/{mc,db}/* ; service sssd start
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
[root@ibm-x3620m3-01 ~]# id aduser1@adtest.qe
uid=5555(aduser1@adtest.qe) gid=6666(aduser1@adtest.qe) groups=6666(aduser1@adtest.qe),1148402424(adunigroup1@adtest.qe),1148401449(adgroup1@adtest.qe),1148402425(adgroup2@adtest.qe),1148400513(domain users@adtest.qe),1119800008(adgrp)

On Client
[root@gizmo ~]# service sssd stop ; rm -fr /var/lib/sss/{mc,db}/* ; service sssd start
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
[root@gizmo ~]# id aduser1@adtest.qe
id: aduser1@adtest.qe: no such user
[root@gizmo ~]# id aduser1@adtest.qe
uid=5555(aduser1@adtest.qe) gid=5555(aduser1@adtest.qe) groups=5555(aduser1@adtest.qe)
[root@gizmo ~]# id aduser1@adtest.qe
uid=5555(aduser1@adtest.qe) gid=5555(aduser1@adtest.qe) groups=5555(aduser1@adtest.qe)
[root@gizmo ~]# service sssd stop ; rm -fr /var/lib/sss/{mc,db}/* ; service sssd start
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
[root@gizmo ~]# id aduser1@adtest.qe
id: aduser1@adtest.qe: no such user
[root@gizmo ~]# id aduser1@adtest.qe
uid=5555(aduser1@adtest.qe) gid=5555(aduser1@adtest.qe) groups=5555(aduser1@adtest.qe)

Expected results:

Additional info:
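The reproduction steps above compare `id` output on the server and the client by eye. The script below is an added example, not part of the bug report or of the SSSD/IPA projects: it parses an `id` result line, compares the numeric uid and gid with the values an ID view override is expected to apply, and names the two failure signatures seen in this report (gid silently following the uid, and the "no such user" result on the first lookup after a cache flush). The function names `id_field`, `classify_id_output` and `check_live_user` are hypothetical, and the sample `id` lines are constructed from the transcripts in this report.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that the uid/gid `id`
# reports on a client match the ID view override applied on the server.

# Extract the numeric value of a "uid=NNN(...)" or "gid=NNN(...)" field.
# $1: field name (uid or gid), $2: one line of `id` output
id_field() {
    printf '%s\n' "$2" | sed -n "s/.*$1=\([0-9][0-9]*\)(.*/\1/p"
}

# Classify one `id` result against the expected override values.
# $1: `id` output (stdout+stderr), $2: expected uid, $3: expected gid
# Prints one word:
#   ok              uid and gid both match the override
#   unresolved      lookup failed ("no such user"), the first-attempt failure
#   gid-follows-uid uid matches but gid was replaced by the uid value
#   mismatch        any other disagreement with the expected values
classify_id_output() {
    case "$1" in
        *"no such user"*) echo unresolved; return 0 ;;
    esac
    _uid=$(id_field uid "$1")
    _gid=$(id_field gid "$1")
    if [ "$_uid" = "$2" ] && [ "$_gid" = "$3" ]; then
        echo ok
    elif [ "$_uid" = "$2" ] && [ "$_gid" = "$_uid" ] && [ "$3" != "$_uid" ]; then
        echo gid-follows-uid
    else
        echo mismatch
    fi
}

# Run `id` for a real user on this host and classify the result.
# $1: user (e.g. aduser1@adtest.qe), $2: expected uid, $3: expected gid
check_live_user() {
    _out=$(id "$1" 2>&1)
    classify_id_output "$_out" "$2" "$3"
}

# Constructed samples, taken from the transcripts in this report.
# Server after `--uid 5555`: uid overridden, gid still the AD-mapped value.
SERVER_OK='uid=5555(aduser1@adtest.qe) gid=1148401313(aduser1@adtest.qe) groups=1148401313(aduser1@adtest.qe),1148402424(adunigroup1@adtest.qe)'
# Buggy client: gid has silently become 5555 as well.
CLIENT_BUG='uid=5555(aduser1@adtest.qe) gid=5555(aduser1@adtest.qe) groups=5555(aduser1@adtest.qe),1148400513(domain users@adtest.qe)'
# Client on the first lookup after flushing the sssd cache.
CLIENT_FIRST='id: aduser1@adtest.qe: no such user'

# Offline demonstration: expected override is uid 5555, gid 1148401313.
printf 'server : %s\n' "$(classify_id_output "$SERVER_OK" 5555 1148401313)"
printf 'client : %s\n' "$(classify_id_output "$CLIENT_BUG" 5555 1148401313)"
printf 'first  : %s\n' "$(classify_id_output "$CLIENT_FIRST" 5555 1148401313)"
```

On a real client, `check_live_user aduser1@adtest.qe 5555 1148401313` runs immediately after the cache flush and again a moment later; a result other than `ok` on either run is the signal to compare with the server's `ipa idoverrideuser-show` output rather than trusting the client.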
Upstream ticket: https://fedorahosted.org/sssd/ticket/2514
Updated Fixed-In-Version to the version which contains the complete fix.
Verified in version
[root@sideswipe ~]# rpm -q ipa-server sssd
ipa-server-4.1.0-15.el7.x86_64
sssd-1.12.2-42.el7.x86_64

Server
[root@sideswipe ~]# ipa idoverrideuser-add 'Default Trust View' aduser1@adtest.qe --uid 5555
------------------------------------------
Added User ID override "aduser1@adtest.qe"
------------------------------------------
  Anchor to override: aduser1@adtest.qe
  UID: 5555
[root@sideswipe ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
[root@sideswipe ~]# id aduser1@adtest.qe
uid=5555(aduser1@adtest.qe) gid=1148401313(aduser1@adtest.qe) groups=1148401313(aduser1@adtest.qe),1148402424(adunigroup1@adtest.qe),1148401449(adgroup1@adtest.qe),1148402425(adgroup2@adtest.qe),1148400513(domain users@adtest.qe)

Client
[root@ratchet ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
[root@ratchet ~]# id aduser1@adtest.qe
uid=5555(aduser1@adtest.qe) gid=1148401313(aduser1@adtest.qe) groups=1148401313(aduser1@adtest.qe),1148402424(adunigroup1@adtest.qe),1148401449(adgroup1@adtest.qe),1148402425(adgroup2@adtest.qe),1148400513(domain users@adtest.qe)

Server
[root@sideswipe ~]# ipa idoverrideuser-mod 'Default Trust View' aduser1@adtest.qe --gidnumber 6666
------------------------------------------------
Modified an User ID override "aduser1@adtest.qe"
------------------------------------------------
  Anchor to override: aduser1@adtest.qe
  UID: 5555
  GID: 6666
[root@sideswipe ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
[root@sideswipe ~]# id aduser1@adtest.qe
uid=5555(aduser1@adtest.qe) gid=6666(aduser1@adtest.qe) groups=6666(aduser1@adtest.qe),1148402424(adunigroup1@adtest.qe),1148401449(adgroup1@adtest.qe),1148402425(adgroup2@adtest.qe),1148400513(domain users@adtest.qe)

Client
[root@ratchet ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
[root@ratchet ~]# id aduser1@adtest.qe
uid=5555(aduser1@adtest.qe) gid=6666(aduser1@adtest.qe) groups=6666(aduser1@adtest.qe),1148402424(adunigroup1@adtest.qe),1148401449(adgroup1@adtest.qe),1148402425(adgroup2@adtest.qe),1148400513(domain users@adtest.qe)
The issue is when uid and gid are the same, commands like id, getent, ssh all work on the second attempt.

Steps to reproduce 2

On server
[root@vm-idm-019 ~]# ipa idoverrideuser-add 'default trust view' aduser1@adtest.qe --uid 1707800017 --gid 1707800017
------------------------------------------
Added User ID override "aduser1@adtest.qe"
------------------------------------------
  Anchor to override: aduser1@adtest.qe
  UID: 1707800017
  GID: 1707800017
[root@vm-idm-019 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service

On client
[root@bumblebee ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
[root@bumblebee ~]# id aduser1@adtest.qe
id: aduser1@adtest.qe: no such user
[root@bumblebee ~]# id aduser1@adtest.qe
uid=1707800017(aduser1@adtest.qe) gid=1707800017(aduser1@adtest.qe) groups=1707800017(aduser1@adtest.qe),1148402424(adunigroup1@adtest.qe),1148401449(adgroup1@adtest.qe),1148402425(adgroup2@adtest.qe),1148400513(domain users@adtest.qe)

Expected Result
id, getent, ssh for aduser with same uid gid in views must work in first attempt
Moving to assigned as the issue is not completely fixed.
Additional fixes landed in the latest build
2 more issues pending fixes

* group override with --gid does not work on client
[root@vm-idm-019 ~]# ipa idoverridegroup-show 'default trust view' adgroup1@adtest.qe
  Anchor to override: adgroup1@adtest.qe
  GID: 778899
[root@vm-idm-019 ~]# getent group adgroup1@adtest.qe
adgroup1@adtest.qe:*:778899:aduser2@adtest.qe,aduser1@adtest.qe

on client
[root@bumblebee ~]# getent group adgroup1@adtest.qe
[root@bumblebee ~]# getent group adgroup1@adtest.qe
[root@bumblebee ~]#

* with universal AD group, client does not list user from child domain

On Client
[root@bumblebee ~]# getent group adunigroup1@adtest.qe
adunigroup1@adtest.qe:*:1148402424:aduser1@adtest.qe,aduser1@pune.adtest.qe

On Server
[root@vm-idm-019 ~]# ipa idoverridegroup-add 'default trust view' adunigroup1@adtest.qe --group-name testgrp1
-----------------------------------------------
Added Group ID override "adunigroup1@adtest.qe"
-----------------------------------------------
  Anchor to override: adunigroup1@adtest.qe
  Group name: testgrp1

On Client
[root@bumblebee ~]# getent group testgrp1@adtest.qe
testgrp1@adtest.qe:*:1148402424:aduser1@adtest.qe
Moving bug to assigned as per comment 12
Verified in version
sssd-1.12.2-55.el7.x86_64
ipa-server-4.1.0-17.el7.x86_64

* group override with --gid now works on client

On Server
[root@vm-idm-019 ~]# ipa idoverridegroup-add 'default trust view' adgroup1@adtest.qe --gid 999111222
--------------------------------------------
Added Group ID override "adgroup1@adtest.qe"
--------------------------------------------
  Anchor to override: adgroup1@adtest.qe
  GID: 999111222
[root@vm-idm-019 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start

On Client
[root@bumblebee ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
[root@bumblebee ~]# getent group adgroup1@adtest.qe
adgroup1@adtest.qe:*:999111222:aduser2@adtest.qe,aduser1@adtest.qe

* User from child domain in universal AD group is listed on client

On Server
[root@vm-idm-019 ~]# ipa idoverridegroup-add 'default trust view' adunigroup1@adtest.qe --group-name testgrp1
-----------------------------------------------
Added Group ID override "adunigroup1@adtest.qe"
-----------------------------------------------
  Anchor to override: adunigroup1@adtest.qe
  Group name: testgrp1

On Client
[root@bumblebee ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
[root@bumblebee ~]# getent group adunigroup1@adtest.qe
testgrp1@adtest.qe:*:1148402424:aduser1@pune.adtest.qe,aduser1@adtest.qe
[root@bumblebee ~]# getent group testgrp1@adtest.qe
testgrp1@adtest.qe:*:1148402424:aduser1@pune.adtest.qe,aduser1@adtest.qe

* with same uid and gid, id on client lists all AD groups and IPA groups that user is a member of and works in first attempt

On Server
[root@vm-idm-019 ~]# ipa idoverrideuser-find 'default trust view'
---------------------------
2 User ID overrides matched
---------------------------
  Anchor to override: aduser1@adtest.qe
  UID: 1707800017
  GID: 1707800017

  Anchor to override: aduser2@adtest.qe
  User login: test2
----------------------------
Number of entries returned 2
----------------------------

On Client
[root@bumblebee ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
[root@bumblebee ~]# id aduser1@adtest.qe
uid=1707800017(aduser1@adtest.qe) gid=1707800017(aduser1@adtest.qe) groups=1707800017(aduser1@adtest.qe),1148400513(domain users@adtest.qe),1148401449(adgroup1@adtest.qe),1148402425(adgroup2@adtest.qe),1707800020(sudogroup)
[root@bumblebee ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
[root@bumblebee ~]# getent passwd aduser1@adtest.qe
aduser1@adtest.qe:*:1707800017:1707800017:Aduser1 user:/home/adtest.qe/aduser1:
[root@bumblebee ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start

* with --login, id, getent, ssh all work in first attempt
[root@bumblebee ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
[root@bumblebee ~]# id test2@adtest.qe
uid=1148403710(test2@adtest.qe) gid=1148403710(test2@adtest.qe) groups=1148403710(test2@adtest.qe),1148401449(adgroup1@adtest.qe),1707800021(sudogroup2),1148400513(domain users@adtest.qe)
[root@bumblebee ~]# id aduser2@adtest.qe
uid=1148403710(test2@adtest.qe) gid=1148403710(test2@adtest.qe) groups=1148403710(test2@adtest.qe),1148401449(adgroup1@adtest.qe),1707800021(sudogroup2),1148400513(domain users@adtest.qe)
[root@bumblebee ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
[root@bumblebee ~]# getent passwd test2@adtest.qe
test2@adtest.qe:*:1148403710:1148403710:ads2 user:/home/adtest.qe/aduser2:
[root@bumblebee ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
[root@bumblebee ~]# ssh -l test2@adtest.qe `hostname` "id;klist"
test2@adtest.qe@bumblebee.ipaviews.test's password:
uid=1148403710(test2@adtest.qe) gid=1148403710(test2@adtest.qe) groups=1148403710(test2@adtest.qe),1148400513(domain users@adtest.qe),1148401449(adgroup1@adtest.qe),1707800021(sudogroup2) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Ticket cache: KEYRING:persistent:1148403710:krb_ccache_lpasVWS
Default principal: aduser2@ADTEST.QE

Valid starting       Expires              Service principal
01/30/2015 21:37:23  01/31/2015 07:37:23  krbtgt/ADTEST.QE@ADTEST.QE
	renew until 01/31/2015 21:37:23
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0441.html