1207720 – id lookup resolves "Domain Local" group and errors appear in domain log

Bug 1207720 - id lookup resolves "Domain Local" group and errors appear in domain log

Summary: id lookup resolves "Domain Local" group and errors appear in domain log

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	6.7
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Slebodnik
QA Contact:	Kaushik Banerjee
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-03-31 14:42 UTC by Kaushik Banerjee
Modified:	2020-05-02 17:59 UTC (History)
CC List:	11 users (show)
Fixed In Version:	sssd-1.12.4-29.el6
Doc Type:	Bug Fix
Doc Text:	No documentation needed.
Clone Of:
Environment:
Last Closed:	2015-07-22 06:43:56 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 3655	0	None	None	None	2020-05-02 17:59:55 UTC
Red Hat Product Errata	RHBA-2015:1448	0	normal	SHIPPED_LIVE	sssd bug fix and enhancement update	2015-07-20 18:43:53 UTC

Description Kaushik Banerjee 2015-03-31 14:42:17 UTC

Description of problem:
id lookup resolves "Domain Local" group and errors appear in domain log.

Version-Release number of selected component (if applicable):
sssd-1.12.4-25.el6

How reproducible:
Always

Steps to Reproduce:
1. sssd.conf domain section has:
[domain/sssdad.com]
debug_level = 0x7480
id_provider = ad
access_provider = ad
ad_domain = sssdad.com
krb5_realm = SSSDAD.COM
cache_credentials = True
krb5_store_password_if_offline = True
use_fully_qualified_names = True

2. Add a group "kaugrp1" with group scope "Domain Local". kau1 user is a member in that group.

3. # id kau1
uid=295201603(kau1) gid=295201603(kau1) groups=295201603(kau1),295200513(domain users),295201604(kaugrp1)


Actual results:
kaugrp1 is shown as a group and following error appears in the domain log:

(Tue Mar 31 20:00:06 2015) [sssd[be[sssdad.com]]] [sdap_save_group] (0x4000): AD group [kaugrp1] has type flags 0x80000004.
(Tue Mar 31 20:00:06 2015) [sssd[be[sssdad.com]]] [sdap_save_group] (0x0400): Filtering AD group [kaugrp1]
...
...
...
(Tue Mar 31 20:00:06 2015) [sssd[be[sssdad.com]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists](20)[attribute 'gidNumber': value #1 on 'name=kaugrp1,cn=groups,cn=sssdad_tree.com,cn=sysdb' provided more than once]
(Tue Mar 31 20:00:06 2015) [sssd[be[sssdad.com]]] [sysdb_store_group] (0x1000): sysdb_set_group_attr failed.
(Tue Mar 31 20:00:06 2015) [sssd[be[sssdad.com]]] [sysdb_store_group] (0x0400): Error: 17 (File exists)
(Tue Mar 31 20:00:06 2015) [sssd[be[sssdad.com]]] [sdap_save_group] (0x0080): Could not store group with GID: [File exists]
(Tue Mar 31 20:00:06 2015) [sssd[be[sssdad.com]]] [sdap_save_group] (0x0080): Failed to save group [kaugrp1]: [File exists]

Expected results:
Domain Local group should not be resolved.

Additional info:

Comment 4 Lukas Slebodnik 2015-04-01 16:31:50 UTC

I have a WIP patch but it need some testing. I would like to avoid another regression.

Comment 5 Jakub Hrozek 2015-04-02 11:41:42 UTC

Upstream ticket:
https://fedorahosted.org/sssd/ticket/2614

Comment 6 Jakub Hrozek 2015-04-14 11:18:12 UTC

Fixed upstream:
    master:
        b9fbeb75e7a4f50f98d979a70a710f9221892483
        bad2fc8133d941e5a6c8d8016c9689e039265c61
        5d864e7a9d0e1e6fb7dd8158c5b8bfb71040b908 
    sssd-1-12:
        49895bb18508a4f4b83b99d9875e99e17c81285b
        bdd031d274659263db5f28408d8b75c63d3485a0
        cf7047634308c431f4cfbff1d88564668d2a33c7

Comment 8 Kaushik Banerjee 2015-04-15 11:00:52 UTC

Verified with sssd-1.12.4-29.el6

"Domain Local" scoped group is not seen now.

# id kau1
uid=295201630(kau1) gid=295201630(kau1) groups=295201630(kau1),295200513(domain users)

Comment 12 errata-xmlrpc 2015-07-22 06:43:56 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1448.html

Note You need to log in before you can comment on or make changes to this bug.