Bug 1168904
| Summary: | gid is overridden by uid in default trust view | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Steeve Goveas <sgoveas> |
| Component: | sssd | Assignee: | Sumit Bose <sbose> |
| Status: | CLOSED ERRATA | QA Contact: | Kaushik Banerjee <kbanerje> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.1 | CC: | drieden, grajaiya, jhrozek, lslebodn, mkosek, mnavrati, mzidek, nsoman, ovasik, pbrezina, preichl, rcritten, sbose, sgoveas, sssd-maint |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | sssd-1.12.2-55.el7 | Doc Type: | Bug Fix |
| Doc Text: | The following known issue description has been removed from the RHEL 7.1 Beta Release Notes: "Due to the way the IPA client handles users from trusted domains, the UID is also used as a primary GID. If the UID is overridden using the views feature, the UID value is also used for the GID value on IPA clients. No workaround is available at the moment." | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-03-05 10:34:37 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1168850 | ||
Upstream ticket: https://fedorahosted.org/sssd/ticket/2514

Updated Fixed-In-Version to the version which contains the complete fix.

Verified in version
[root@sideswipe ~]# rpm -q ipa-server sssd
ipa-server-4.1.0-15.el7.x86_64
sssd-1.12.2-42.el7.x86_64
Server
[root@sideswipe ~]# ipa idoverrideuser-add 'Default Trust View' aduser1 --uid 5555
------------------------------------------
Added User ID override "aduser1"
------------------------------------------
Anchor to override: aduser1
UID: 5555
[root@sideswipe ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
[root@sideswipe ~]# id aduser1
uid=5555(aduser1) gid=1148401313(aduser1) groups=1148401313(aduser1),1148402424(adunigroup1),1148401449(adgroup1),1148402425(adgroup2),1148400513(domain users)
Client
[root@ratchet ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
[root@ratchet ~]# id aduser1
uid=5555(aduser1) gid=1148401313(aduser1) groups=1148401313(aduser1),1148402424(adunigroup1),1148401449(adgroup1),1148402425(adgroup2),1148400513(domain users)
Server
[root@sideswipe ~]# ipa idoverrideuser-mod 'Default Trust View' aduser1 --gidnumber 6666
------------------------------------------------
Modified an User ID override "aduser1"
------------------------------------------------
Anchor to override: aduser1
UID: 5555
GID: 6666
[root@sideswipe ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
[root@sideswipe ~]# id aduser1
uid=5555(aduser1) gid=6666(aduser1) groups=6666(aduser1),1148402424(adunigroup1),1148401449(adgroup1),1148402425(adgroup2),1148400513(domain users)
Client
[root@ratchet ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
[root@ratchet ~]# id aduser1
uid=5555(aduser1) gid=6666(aduser1) groups=6666(aduser1),1148402424(adunigroup1),1148401449(adgroup1),1148402425(adgroup2),1148400513(domain users)
The issue is that when the uid and gid are the same, commands like id, getent and ssh all work on the second attempt.
Steps to reproduce 2
On server
[root@vm-idm-019 ~]# ipa idoverrideuser-add 'default trust view' aduser1 --uid 1707800017 --gid 1707800017
------------------------------------------
Added User ID override "aduser1"
------------------------------------------
Anchor to override: aduser1
UID: 1707800017
GID: 1707800017
[root@vm-idm-019 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
On client
[root@bumblebee ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
[root@bumblebee ~]# id aduser1
id: aduser1: no such user
[root@bumblebee ~]# id aduser1
uid=1707800017(aduser1) gid=1707800017(aduser1) groups=1707800017(aduser1),1148402424(adunigroup1),1148401449(adgroup1),1148402425(adgroup2),1148400513(domain users)
Expected Result
id, getent and ssh for an AD user with the same uid and gid in views must work on the first attempt
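The checks in this report are done by eye on `id` output. The following is an added example, not code from the bug report or from SSSD/IPA: it parses one line of `id` output, verifies that the uid and primary gid a client reports match what the ID view override defines (and, when only `--uid` was overridden, that the gid has not collapsed to the uid), and counts how many attempts a lookup needs to succeed, which is the "first attempt" expectation above. The sample lines are taken from this report's output; the function names are this example's own.

```shell
# Added example (not from the bug report or from SSSD/IPA): check that the
# uid/gid a client reports for a trusted-domain user match the ID view override.

# Print the numeric uid from one line of `id` output.
id_uid() {
  printf '%s\n' "$1" | sed -n 's/^uid=\([0-9]*\)(.*/\1/p'
}

# Print the numeric primary gid from one line of `id` output.
id_gid() {
  printf '%s\n' "$1" | sed -n 's/^uid=[0-9]*([^)]*) gid=\([0-9]*\)(.*/\1/p'
}

# check_override ID_LINE EXPECTED_UID [EXPECTED_GID]
# With an EXPECTED_GID the primary gid must equal it. Without one (the override
# only set --uid) the gid must still be the user's original AD primary gid,
# so it must NOT have collapsed to the overridden uid, which is this bug.
check_override() {
  line=$1; want_uid=$2; want_gid=${3:-}
  uid=$(id_uid "$line"); gid=$(id_gid "$line")
  [ -n "$uid" ] && [ -n "$gid" ] || { echo "unparseable id output: $line" >&2; return 2; }
  [ "$uid" = "$want_uid" ] || { echo "uid $uid, expected $want_uid" >&2; return 1; }
  if [ -n "$want_gid" ]; then
    [ "$gid" = "$want_gid" ] || { echo "gid $gid, expected $want_gid" >&2; return 1; }
  elif [ "$gid" = "$uid" ]; then
    echo "gid collapsed to uid $uid: client is showing the bug" >&2; return 1
  fi
  return 0
}

# lookup_attempts MAX CMD...: run CMD until it exits 0 and print the attempt
# on which it first succeeded (the expected result is 1); print 0 and return 1
# if it never did. Typical use after a cache wipe: lookup_attempts 3 id aduser1
lookup_attempts() {
  max=$1; shift
  i=1
  while [ "$i" -le "$max" ]; do
    if "$@" >/dev/null 2>&1; then
      echo "$i"; return 0
    fi
    i=$((i + 1))
  done
  echo 0; return 1
}

# Lines taken from the report: server after the --uid override, the client
# showing the bug, and the client after the --gidnumber override.
SERVER_UID_ONLY='uid=5555(aduser1) gid=1148401313(aduser1) groups=1148401313(aduser1),1148402424(adunigroup1)'
CLIENT_BUGGY='uid=5555(aduser1) gid=5555(aduser1) groups=5555(aduser1),1148400513(domain users)'
CLIENT_GID_SET='uid=5555(aduser1) gid=6666(aduser1) groups=6666(aduser1),1148402424(adunigroup1)'

# Run with "demo" as the first argument to see the three verdicts.
if [ "${1:-}" = "demo" ]; then
  check_override "$SERVER_UID_ONLY" 5555 && echo "server (--uid only): OK"
  check_override "$CLIENT_BUGGY" 5555 || echo "client (--uid only): BUG"
  check_override "$CLIENT_GID_SET" 5555 6666 && echo "client (--gidnumber set): OK"
fi
```

On a real client, replace the sample lines with `id aduser1` output after the cache wipe (`service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start`) and run `lookup_attempts 3 id aduser1`; anything other than 1 reproduces the "works on second attempt" symptom.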
Moving to assigned as the issue is not completely fixed.

Additional fixes landed in the latest build

2 more issues pending fixes
* group override with --gid does not work on client
[root@vm-idm-019 ~]# ipa idoverridegroup-show 'default trust view' adgroup1
Anchor to override: adgroup1
GID: 778899
[root@vm-idm-019 ~]# getent group adgroup1
adgroup1:*:778899:aduser2,aduser1
On Client
[root@bumblebee ~]# getent group adgroup1
[root@bumblebee ~]# getent group adgroup1
[root@bumblebee ~]#
* with universal AD group, client does not list user from child domain
On Client
[root@bumblebee ~]# getent group adunigroup1
adunigroup1:*:1148402424:aduser1,aduser1.qe
On Server
[root@vm-idm-019 ~]# ipa idoverridegroup-add 'default trust view' adunigroup1 --group-name testgrp1
-----------------------------------------------
Added Group ID override "adunigroup1"
-----------------------------------------------
Anchor to override: adunigroup1
Group name: testgrp1
On Client
[root@bumblebee ~]# getent group testgrp1
testgrp1:*:1148402424:aduser1

Moving bug to assigned as per comment 12

Verified in version
sssd-1.12.2-55.el7.x86_64
ipa-server-4.1.0-17.el7.x86_64
* group override with --gid now works on client
On Server
[root@vm-idm-019 ~]# ipa idoverridegroup-add 'default trust view' adgroup1 --gid 999111222
--------------------------------------------
Added Group ID override "adgroup1"
--------------------------------------------
Anchor to override: adgroup1
GID: 999111222
[root@vm-idm-019 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
On Client
[root@bumblebee ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
[root@bumblebee ~]# getent group adgroup1
adgroup1:*:999111222:aduser2,aduser1
* User from child domain in universal AD group, is listed on client
On Server
[root@vm-idm-019 ~]# ipa idoverridegroup-add 'default trust view' adunigroup1 --group-name testgrp1
-----------------------------------------------
Added Group ID override "adunigroup1"
-----------------------------------------------
Anchor to override: adunigroup1
Group name: testgrp1
On Client
[root@bumblebee ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
[root@bumblebee ~]# getent group adunigroup1
testgrp1:*:1148402424:aduser1.qe,aduser1
[root@bumblebee ~]# getent group testgrp1
testgrp1:*:1148402424:aduser1.qe,aduser1
* with same uid and gid, id on client lists all AD groups and IPA groups that user is a member of and works in first attempt
On Server
[root@vm-idm-019 ~]# ipa idoverrideuser-find 'default trust view'
---------------------------
2 User ID overrides matched
---------------------------
Anchor to override: aduser1
UID: 1707800017
GID: 1707800017
Anchor to override: aduser2
User login: test2
----------------------------
Number of entries returned 2
----------------------------
On Client
[root@bumblebee ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
[root@bumblebee ~]# id aduser1
uid=1707800017(aduser1) gid=1707800017(aduser1) groups=1707800017(aduser1),1148400513(domain users),1148401449(adgroup1),1148402425(adgroup2),1707800020(sudogroup)
[root@bumblebee ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
[root@bumblebee ~]# getent passwd aduser1
aduser1:*:1707800017:1707800017:Aduser1 user:/home/adtest.qe/aduser1:
[root@bumblebee ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
* with --login, id, getent, ssh all work in first attempt
[root@bumblebee ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
[root@bumblebee ~]# id test2
uid=1148403710(test2) gid=1148403710(test2) groups=1148403710(test2),1148401449(adgroup1),1707800021(sudogroup2),1148400513(domain users)
[root@bumblebee ~]# id aduser2
uid=1148403710(test2) gid=1148403710(test2) groups=1148403710(test2),1148401449(adgroup1),1707800021(sudogroup2),1148400513(domain users)
[root@bumblebee ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
[root@bumblebee ~]# getent passwd test2
test2:*:1148403710:1148403710:ads2 user:/home/adtest.qe/aduser2:
[root@bumblebee ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
[root@bumblebee ~]# ssh -l test2 `hostname` "id;klist"
test2@bumblebee.ipaviews.test's password:
uid=1148403710(test2) gid=1148403710(test2) groups=1148403710(test2),1148400513(domain users),1148401449(adgroup1),1707800021(sudogroup2) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Ticket cache: KEYRING:persistent:1148403710:krb_ccache_lpasVWS
Default principal: aduser2
Valid starting Expires Service principal
01/30/2015 21:37:23 01/31/2015 07:37:23 krbtgt/ADTEST.QE
renew until 01/31/2015 21:37:23
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-0441.html
Description of problem:
On client gid is overridden with the uid set for the user in default trust view

Version-Release number of selected component (if applicable):
ipa-server-4.1.0-10.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Add trust
2. Add only a uid value for an AD user
3. Clear sssd cache and check user with id command on both server and client. GID on client is same as the UID
4. Add gidnumber to the same user
5. Clear cache and check user with id command

Actual results:
On Server
[root@ibm-x3620m3-01 ~]# ipa idoverrideuser-add 'Default Trust View' aduser1 --uid 5555
------------------------------------------
Added User ID override "aduser1"
------------------------------------------
Anchor to override: aduser1
UID: 5555
[root@ibm-x3620m3-01 ~]# service sssd stop ; rm -fr /var/lib/sss/{mc,db}/* ; service sssd start
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
[root@ibm-x3620m3-01 ~]# id aduser1
uid=5555(aduser1) gid=1148401313(aduser1) groups=1148401313(aduser1),1148402424(adunigroup1),1148401449(adgroup1),1148402425(adgroup2),1148400513(domain users),1119800008(adgrp)
On Client
[root@gizmo ~]# id aduser1
uid=5555(aduser1) gid=5555(aduser1) groups=5555(aduser1),1148400513(domain users),1148402424,1148401449,1148402425(adgroup2),1119800008(adgrp)
-------------------------------------------------
On Server
[root@ibm-x3620m3-01 ~]# ipa idoverrideuser-mod 'Default Trust View' aduser1 --gidnumber 6666
------------------------------------------------
Modified an User ID override "aduser1"
------------------------------------------------
Anchor to override: aduser1
UID: 5555
GID: 6666
[root@ibm-x3620m3-01 ~]# service sssd stop ; rm -fr /var/lib/sss/{mc,db}/* ; service sssd start
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
[root@ibm-x3620m3-01 ~]# id aduser1
uid=5555(aduser1) gid=6666(aduser1) groups=6666(aduser1),1148402424(adunigroup1),1148401449(adgroup1),1148402425(adgroup2),1148400513(domain users),1119800008(adgrp)
On Client
[root@gizmo ~]# service sssd stop ; rm -fr /var/lib/sss/{mc,db}/* ; service sssd start
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
[root@gizmo ~]# id aduser1
id: aduser1: no such user
[root@gizmo ~]# id aduser1
uid=5555(aduser1) gid=5555(aduser1) groups=5555(aduser1)
[root@gizmo ~]# id aduser1
uid=5555(aduser1) gid=5555(aduser1) groups=5555(aduser1)
[root@gizmo ~]# service sssd stop ; rm -fr /var/lib/sss/{mc,db}/* ; service sssd start
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
[root@gizmo ~]# id aduser1
id: aduser1: no such user
[root@gizmo ~]# id aduser1
uid=5555(aduser1) gid=5555(aduser1) groups=5555(aduser1)

Expected results:

Additional info: