Bug 1187192 - IPA initgroups don't work correctly in non-default view
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: SSSD Maintainers
QA Contact: Kaushik Banerjee
Reported: 2015-01-29 14:16 UTC by Martin Kosek
Modified: 2020-05-02 17:56 UTC (History)

Fixed In Version: sssd-1.12.2-55.el7
Doc Type: Bug Fix
Last Closed: 2015-03-05 10:35:29 UTC

Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 3613 0 None None None 2020-05-02 17:56:34 UTC
Red Hat Product Errata RHBA-2015:0441 0 normal SHIPPED_LIVE sssd bug fix and enhancement update 2015-03-05 15:05:27 UTC

Description Martin Kosek 2015-01-29 14:16:51 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2571

When a client is a member of a non-default view, the initgroups operation for IPA users currently doesn't work well, because we don't store the overrideDN attributes automagically.

Comment 2 Jakub Hrozek 2015-01-30 12:33:49 UTC
Fixed upstream:

* master:
 * b2c3722b9a1eaf265f6b102043958f6d4378788c
 * 108db0e3b9e06e530364ef8228634f5e3f6bd3b5
* sssd-1-12:
 * d18bd28fb09f104e2b13382c430247cad731f867
 * 74d708790a202b78242bd2951178f0a2483327be

Comment 4 Steeve Goveas 2015-01-30 19:33:20 UTC
* With unpatched version

[root@loki ~]# rpm -q sssd
sssd-1.12.2-52.el7.x86_64

On Client
[root@loki ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start

[root@loki ~]# id tuser
uid=1629000008(tuser) gid=1629000008(tuser) groups=1629000008(tuser),1629000010(group2),1629000009(grp1)

On Server
[root@django ~]# ipa idview-add bugview
-----------------------
Added ID View "bugview"
-----------------------
  ID View Name: bugview

[root@django ~]# ipa idview-apply bugview --hosts loki.ipanew.test
-------------------------
Applied ID View "bugview"
-------------------------
  hosts: loki.ipanew.test
---------------------------------------------
Number of hosts the ID View was applied to: 1
---------------------------------------------

[root@django ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start

On Client
[root@loki ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start

[root@loki ~]# id tuser
uid=1629000008(tuser) gid=1629000008(tuser) groups=1629000008(tuser)


* Verified in fixed version

[root@bumblebee ~]# rpm -q sssd
sssd-1.12.2-55.el7.x86_64

[root@bumblebee ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start

[root@bumblebee ~]# id ipauser1
uid=1707800004(ipauser1) gid=1707800004(ipauser1) groups=1707800004(ipauser1),1707800007(ipagroup2),1707800006(ipagroup1)


On Server
[root@vm-idm-019 ~]# ipa idview-show hostview
  ID View Name: hostview

[root@vm-idm-019 ~]# ipa idview-apply hostview --hosts bumblebee.ipaviews.test
--------------------------
Applied ID View "hostview"
--------------------------
  hosts: bumblebee.ipaviews.test
---------------------------------------------
Number of hosts the ID View was applied to: 1
---------------------------------------------

[root@vm-idm-019 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start

On Client
[root@bumblebee ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start

[root@bumblebee ~]# id ipauser1
uid=1707800004(ipauser1) gid=1707800004(ipauser1) groups=1707800004(ipauser1),1707800007(ipagroup2),1707800006(ipagroup1)
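
A regression check built on the reproduction in Comment 4, added here as an example and not part of the bug report or of SSSD: it parses two `id` output lines and prints the groups that were present before the ID view was applied but are missing afterwards. The function names `groups_of` and `lost_groups` are hypothetical; the sample lines are the two `id tuser` outputs from the unpatched run above.

```shell
#!/bin/sh
# Added example (not from the bug report): detect groups lost between two
# `id` outputs, e.g. before and after an ID view is applied to the host.

# Sample input copied from the `id tuser` runs in Comment 4 (sssd-1.12.2-52).
BEFORE='uid=1629000008(tuser) gid=1629000008(tuser) groups=1629000008(tuser),1629000010(group2),1629000009(grp1)'
AFTER='uid=1629000008(tuser) gid=1629000008(tuser) groups=1629000008(tuser)'

# groups_of LINE: print each entry of the groups= field on its own line, sorted.
# Entries are "GID(name)" or a bare GID when the name could not be resolved.
# Names may contain spaces; parsing stops at a trailing " context=" field.
groups_of() {
    printf '%s\n' "$1" | awk '
        {
            s = $0
            if (!sub(/^.*groups=/, "", s)) next
            while (match(s, /^[0-9]+(\([^)]*\))?/)) {
                e = substr(s, 1, RLENGTH)
                s = substr(s, RLENGTH + 2)      # skip the entry and its comma
                if (sub(/^[0-9]+\(/, "", e)) sub(/\)$/, "", e)
                print e
            }
        }' | LC_ALL=C sort -u
}

# lost_groups BEFORE AFTER: print groups listed in BEFORE but absent from AFTER.
lost_groups() {
    before=$(groups_of "$1")
    after=$(groups_of "$2")
    printf '%s\n' "$before" | while IFS= read -r g; do
        [ -n "$g" ] || continue
        printf '%s\n' "$after" | grep -qxF -- "$g" || printf '%s\n' "$g"
    done
}

# On the unpatched client this prints group2 and grp1.
lost_groups "$BEFORE" "$AFTER"
```

Run against the fixed sssd-1.12.2-55 outputs for `ipauser1`, the same comparison prints nothing, since both `id` lines list the same groups.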

Comment 6 errata-xmlrpc 2015-03-05 10:35:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0441.html

