Red Hat Bugzilla – Bug 1171383
getent fails for posix group with AD users after login
Last modified: 2015-09-29 02:50:57 EDT
Description of problem:
After AD users log in to ipa client, getent for that AD users group should show the users as members of that group

Version-Release number of selected component (if applicable):
sssd-1.12.2-28.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install IPA
2. Add Trust with AD
3. Add AD users to a Posix group via an external group
4. Log in as AD users on the ipa client
5. Check getent for the posix group

Actual results:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa_trust_func_user_0017: ipa group shows ad users fully qualified
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ BEGIN ] :: Running 'ssh_with_password aduser1@adtest.qe vm-idm-044.stv1911.test Secret123'
:: [ 13:39:19 ] :: Running: ssh -l "aduser1@adtest.qe" vm-idm-044.stv1911.test "echo 'login successful'
:: [ 13:39:24 ] :: ssh login successful
:: [ PASS ] :: Command 'ssh_with_password aduser1@adtest.qe vm-idm-044.stv1911.test Secret123' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ssh_with_password aduser2@adtest.qe vm-idm-044.stv1911.test Secret123'
:: [ 13:39:25 ] :: Running: ssh -l "aduser2@adtest.qe" vm-idm-044.stv1911.test "echo 'login successful'
:: [ 13:39:28 ] :: ssh login successful
:: [ PASS ] :: Command 'ssh_with_password aduser2@adtest.qe vm-idm-044.stv1911.test Secret123' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'sleep 10'
:: [ PASS ] :: Command 'sleep 10' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'getent group tgroup5 > ipa_trust_func_user_0017.vOqzFP 2>&1'
:: [ PASS ] :: Command 'getent group tgroup5 > ipa_trust_func_user_0017.vOqzFP 2>&1' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'cat ipa_trust_func_user_0017.vOqzFP'
tgroup5:*:370800008:aduser2@adtest.qe
:: [ PASS ] :: Command 'cat ipa_trust_func_user_0017.vOqzFP' (Expected 0, got 0)
:: [ FAIL ] :: File 'ipa_trust_func_user_0017.vOqzFP' should contain 'aduser1@adtest.qe'
:: [ PASS ] :: File 'ipa_trust_func_user_0017.vOqzFP' should contain 'aduser2@adtest.qe'

Expected results:
getent for posix group should show both AD members

Additional info:

Upstream ticket: https://fedorahosted.org/sssd/ticket/2524

Verified in version
ipa-server-4.1.0-13.el7.x86_64
sssd-ipa-1.12.2-39.el7.x86_64

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa_trust_func_user_0017: ipa group shows ad users fully qualified
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ BEGIN ] :: Running 'service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start'
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
:: [ PASS ] :: Command 'service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ssh_with_password aduser1@adtest.qe vm-idm-013.stv1911.test Secret123'
:: [ 21:04:44 ] :: Running: ssh -l "aduser1@adtest.qe" vm-idm-013.stv1911.test "echo 'login successful'
MARK-LWD-LOOP -- 2015-01-07 21:04:48 --
:: [ 21:04:51 ] :: ssh login successful
:: [ PASS ] :: Command 'ssh_with_password aduser1@adtest.qe vm-idm-013.stv1911.test Secret123' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ssh_with_password aduser2@adtest.qe vm-idm-013.stv1911.test Secret123'
:: [ 21:04:51 ] :: Running: ssh -l "aduser2@adtest.qe" vm-idm-013.stv1911.test "echo 'login successful'
:: [ 21:04:55 ] :: ssh login successful
:: [ PASS ] :: Command 'ssh_with_password aduser2@adtest.qe vm-idm-013.stv1911.test Secret123' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'sleep 10'
:: [ PASS ] :: Command 'sleep 10' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'getent group tgroup5 > ipa_trust_func_user_0017.eVxB4F 2>&1'
:: [ PASS ] :: Command 'getent group tgroup5 > ipa_trust_func_user_0017.eVxB4F 2>&1' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'cat ipa_trust_func_user_0017.eVxB4F'
tgroup5:*:761000008:aduser1@adtest.qe,aduser2@adtest.qe
:: [ PASS ] :: Command 'cat ipa_trust_func_user_0017.eVxB4F' (Expected 0, got 0)
:: [ PASS ] :: File 'ipa_trust_func_user_0017.eVxB4F' should contain 'aduser1@adtest.qe'
:: [ PASS ] :: File 'ipa_trust_func_user_0017.eVxB4F' should contain 'aduser2@adtest.qe'

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-0441.html