Bug 1184140 - Users saved throug extop don't have the originalMemberOf attribute
Summary: Users saved throug extop don't have the originalMemberOf attribute
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: SSSD Maintainers
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-01-20 16:13 UTC by Jakub Hrozek
Modified: 2020-05-02 17:55 UTC (History)
10 users (show)

Fixed In Version: sssd-1.12.2-52.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 10:35:17 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 3602 0 None None None 2020-05-02 17:55:51 UTC
Red Hat Product Errata RHBA-2015:0441 0 normal SHIPPED_LIVE sssd bug fix and enhancement update 2015-03-05 15:05:27 UTC

Description Jakub Hrozek 2015-01-20 16:13:45 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2560

The attribute is used during HBAC checks. Normally it should be populated when the PAC responder is in use, but due to bugs like #2559 it might not be..

Comment 2 Jakub Hrozek 2015-01-20 16:22:16 UTC
A patch is accepted upstream and was confirmed to fix the problem by both development and the user who initially reported the problem with 7.1 Beta packages.

Comment 3 Jakub Hrozek 2015-01-20 16:44:04 UTC
To verify, create an HBAC rule that allows an IPA group. Add an AD group as a member of this IPA group. Add an AD user as a member of the AD group.

Verify that "id username" for the AD user shows the complete group membership, including the IPA group.

Log in as the AD user. Before the patch, the user would be denied access and sssd_be would log an error DEBUG message saying "No groups for user".

The patched packages should allow the user to log in as appropriate.

Comment 4 Jakub Hrozek 2015-01-20 19:02:55 UTC
    master:
        7543052f562f157f7b17fdc46a6777d80c0cb3bd
        a4d64002b5ca763622bde240d27797d361ba0388
        5f4d896ec8e06476f4282b562b1044de14c48ecf 
    sssd-1-12:
        dcc99fc87bc7ec44fdc8ec897218384cc274d4dd
        2eb78055d7a344c0ef58adbaa84dac86df13174e
        70ec6df14be2ddc26147095e260b4f9c7e606a6b

Comment 6 Jakub Hrozek 2015-01-21 10:59:12 UTC
Additional patch landed in -45

Comment 7 Jakub Hrozek 2015-01-27 18:44:18 UTC
Additional fixes landed in the latest build.

Comment 8 Scott Poore 2015-01-27 23:38:50 UTC
Verified.

Version ::

sssd-1.12.2-52.el7.x86_64

Results ::

[root@vm7 sssd]# ipa group-add --desc=0 hbacgroup2
------------------------
Added group "hbacgroup2"
------------------------
  Group name: hbacgroup2
  Description: 0
  GID: 1436400005

[root@vm7 sssd]# ipa group-add --desc=0 hbacgroup2_external --external
---------------------------------
Added group "hbacgroup2_external"
---------------------------------
  Group name: hbacgroup2_external
  Description: 0
[root@vm7 sssd]# ipa group-add-member hbacgroup2 --groups=hbacgroup2_external
  Group name: hbacgroup2
  Description: 0
  GID: 1436400005
  Member groups: hbacgroup2_external
-------------------------
Number of members added 1
-------------------------

[root@vm7 sssd]# ipa group-add-member hbacgroup2_external --external=mygroup2.com --users='' --groups=''
  Group name: hbacgroup2_external
  Description: 0
  External member: S-1-5-21-663451879-2037396169-3163888224-1125
  Member of groups: hbacgroup2
-------------------------
Number of members added 1
-------------------------

[root@vm7 sssd]# ipa hbacrule-add-user hbactest --groups=hbacgroup2
  Rule name: hbactest
  Host category: all
  Service category: all
  Enabled: TRUE
  User Groups: hbacgroup, hbacgroup2
-------------------------
Number of members added 1
-------------------------

[root@vm7 sssd]# ipa hbacrule-disable allow_all
------------------------------
Disabled HBAC rule "allow_all"
------------------------------

[root@vm7 sssd]# id 'ADROOT1\myuser2'
uid=1108801126(myuser2.com) gid=1108801126(myuser2.com) groups=1108801126(myuser2.com),1108800513(domain users.com),1108801125(mygroup2.com),1436400005(hbacgroup2)

[root@vm7 sssd]# ssh -l 'ADROOT1\myuser2' $(hostname)
ADROOT1\myuser2.example.test's password: 
Creating home directory for ADROOT1\myuser2.

-sh-4.2$ id
uid=1108801126(myuser2.com) gid=1108801126(myuser2.com) groups=1108801126(myuser2.com),1108800513(domain users.com),1108801125(mygroup2.com),1436400005(hbacgroup2) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[root@vm7 sssd]# cd /var/log/sssd
[root@vm7 sssd]# grep "no groups" *
[root@vm7 sssd]# grep "no groups" /var/log/messages 
[root@vm7 sssd]# grep "no groups" /var/log/secure 
[root@vm7 sssd]#

Comment 10 errata-xmlrpc 2015-03-05 10:35:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0441.html


Note You need to log in before you can comment on or make changes to this bug.