Bug 1207720 - id lookup resolves "Domain Local" group and errors appear in domain log
Summary: id lookup resolves "Domain Local" group and errors appear in domain log
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.7
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Lukas Slebodnik
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-03-31 14:42 UTC by Kaushik Banerjee
Modified: 2020-05-02 17:59 UTC (History)
11 users (show)

Fixed In Version: sssd-1.12.4-29.el6
Doc Type: Bug Fix
Doc Text:
No documentation needed.
Clone Of:
Environment:
Last Closed: 2015-07-22 06:43:56 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 3655 0 None None None 2020-05-02 17:59:55 UTC
Red Hat Product Errata RHBA-2015:1448 0 normal SHIPPED_LIVE sssd bug fix and enhancement update 2015-07-20 18:43:53 UTC

Description Kaushik Banerjee 2015-03-31 14:42:17 UTC
Description of problem:
id lookup resolves "Domain Local" group and errors appear in domain log.

Version-Release number of selected component (if applicable):
sssd-1.12.4-25.el6

How reproducible:
Always

Steps to Reproduce:
1. sssd.conf domain section has:
[domain/sssdad.com]
debug_level = 0x7480
id_provider = ad
access_provider = ad
ad_domain = sssdad.com
krb5_realm = SSSDAD.COM
cache_credentials = True
krb5_store_password_if_offline = True
use_fully_qualified_names = True

2. Add a group "kaugrp1" with group scope "Domain Local". kau1 user is a member in that group.

3. # id kau1
uid=295201603(kau1) gid=295201603(kau1) groups=295201603(kau1),295200513(domain users),295201604(kaugrp1)


Actual results:
kaugrp1 is shown as a group and following error appears in the domain log:

(Tue Mar 31 20:00:06 2015) [sssd[be[sssdad.com]]] [sdap_save_group] (0x4000): AD group [kaugrp1] has type flags 0x80000004.
(Tue Mar 31 20:00:06 2015) [sssd[be[sssdad.com]]] [sdap_save_group] (0x0400): Filtering AD group [kaugrp1]
...
...
...
(Tue Mar 31 20:00:06 2015) [sssd[be[sssdad.com]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists](20)[attribute 'gidNumber': value #1 on 'name=kaugrp1,cn=groups,cn=sssdad_tree.com,cn=sysdb' provided more than once]
(Tue Mar 31 20:00:06 2015) [sssd[be[sssdad.com]]] [sysdb_store_group] (0x1000): sysdb_set_group_attr failed.
(Tue Mar 31 20:00:06 2015) [sssd[be[sssdad.com]]] [sysdb_store_group] (0x0400): Error: 17 (File exists)
(Tue Mar 31 20:00:06 2015) [sssd[be[sssdad.com]]] [sdap_save_group] (0x0080): Could not store group with GID: [File exists]
(Tue Mar 31 20:00:06 2015) [sssd[be[sssdad.com]]] [sdap_save_group] (0x0080): Failed to save group [kaugrp1]: [File exists]

Expected results:
Domain Local group should not be resolved.

Additional info:

Comment 4 Lukas Slebodnik 2015-04-01 16:31:50 UTC
I have a WIP patch but it need some testing. I would like to avoid another regression.

Comment 5 Jakub Hrozek 2015-04-02 11:41:42 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2614

Comment 6 Jakub Hrozek 2015-04-14 11:18:12 UTC
Fixed upstream:
    master:
        b9fbeb75e7a4f50f98d979a70a710f9221892483
        bad2fc8133d941e5a6c8d8016c9689e039265c61
        5d864e7a9d0e1e6fb7dd8158c5b8bfb71040b908 
    sssd-1-12:
        49895bb18508a4f4b83b99d9875e99e17c81285b
        bdd031d274659263db5f28408d8b75c63d3485a0
        cf7047634308c431f4cfbff1d88564668d2a33c7

Comment 8 Kaushik Banerjee 2015-04-15 11:00:52 UTC
Verified with sssd-1.12.4-29.el6

"Domain Local" scoped group is not seen now.

# id kau1
uid=295201630(kau1) gid=295201630(kau1) groups=295201630(kau1),295200513(domain users)

Comment 12 errata-xmlrpc 2015-07-22 06:43:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1448.html


Note You need to log in before you can comment on or make changes to this bug.