Bug 1214719 - Group resolution is inconsistent with group overrides
Summary: Group resolution is inconsistent with group overrides
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.1
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
Assignee: SSSD Maintainers
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On: 1213947
Blocks:
 
Reported: 2015-04-23 12:44 UTC by Martin Kosek
Modified: 2020-05-02 18:02 UTC (History)

Fixed In Version: sssd-1.13.0-0.1.alpha.el7
Doc Type: Bug Fix
Doc Text:
Clone Of: 1213947
Environment:
Last Closed: 2015-11-19 11:38:22 UTC
Target Upstream Version:


Attachments
Verification Steps (8.04 KB, text/plain), 2015-10-14 10:24 UTC, Sudhir Menon


Links
System ID Priority Status Summary Last Updated
Github SSSD sssd issues 3674 None None None 2020-05-02 18:02:13 UTC
Red Hat Product Errata RHSA-2015:2355 normal SHIPPED_LIVE Low: sssd security, bug fix, and enhancement update 2015-11-19 10:27:42 UTC

Comment 1 Jakub Hrozek 2015-04-24 14:28:14 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2633

Comment 2 Jakub Hrozek 2015-05-06 04:01:57 UTC
Fixed upstream:
    master:
        2263c6dd1242c92253240f4998c86a04b6a0ca3a
        145578006684481434ced78461ab8d1c3570f478
        cffe3135f29c737f2598f3c1384bfba1694fb843
        e87badc0f6fb20a443cf12bde9582ecbc2aef727 
    sssd-1-12:
        eaf656843831d579f30f94154d88aba2201c1712
        58a19d50888b1a7da0ee78b49e7d3dcbebc8614d
        f643fadbd072a9d3725f5f750340d5b13628ce6a
        24905d4ecbf210687e385449448f5a5ec97d2833

Comment 4 Sudhir Menon 2015-10-01 07:15:20 UTC
Jakub,

Can you please confirm the below observations look good with respect to the fix.

Observations:
Running getent for the group on an empty cache applies the override but id for the user resolves all group memberships.

1. [root@ipa01 ~]# ipa idoverridegroup-add 'default trust view' adgroup1@test.in
------------------------------------------
Added Group ID override "adgroup1@test.in"
------------------------------------------
Anchor to override: adgroup1@test.in

2. [root@ipa01 ~]# ipa idoverridegroup-add 'default trust view' adgroup1@pune.test.in
-----------------------------------------------
Added Group ID override "adgroup1@pune.test.in"
-----------------------------------------------
Anchor to override: adgroup1@pune.test.in

3. [root@ipa01 ~]# ipa idoverridegroup-find 'default trust view'
----------------------------
2 Group ID overrides matched
----------------------------
Anchor to override: adgroup1@pune.test.in
Anchor to override: adgroup1@test.in
----------------------------
Number of entries returned 2
----------------------------

4. [root@ipa01 ~]# ipa idoverrideuser-mod 'default trust view' aduser1@pune.test.in --shell=/bin/bash --home=/home/aduser1
---------------------------------------------------
Modified an User ID override "aduser1@pune.test.in"
---------------------------------------------------
Anchor to override: aduser1@pune.test.in
Home directory: /home/aduser1
Login shell: /bin/bash

5. [root@ipa01 ~]# ipa idoverrideuser-add 'default trust view' aduser2@pune.test.in --home=/home/aduser2 --uid=5555
---------------------------------------------
Added User ID override "aduser2@pune.test.in"
---------------------------------------------
Anchor to override: aduser2@pune.test.in
UID: 5555
Home directory: /home/aduser2

6. [root@ipaclient02 ~]# id aduser1@pune.test.in
uid=10002(aduser1@pune.test.in) gid=111112(adgroup1@pune.test.in) groups=111112(adgroup1@pune.test.in)

7. [root@ipaclient02 ~]# id aduser1@pune.test.in
uid=10002(aduser1@pune.test.in) gid=111112(adgroup1@pune.test.in) groups=111112(adgroup1@pune.test.in)

8. [root@ipaclient02 ~]# getent group adgroup1@pune.test.in
adgroup1@pune.test.in:*:111112:aduser1@pune.test.in,aduser2@pune.test.in
[root@ipaclient02 ~]# getent group adgroup1@test.in
adgroup1@test.in:*:30014:

9. service sssd restart

10. [root@ipaclient02 ~]# getent group adgroup1@pune.test.in
adgroup1@pune.test.in:*:111112:aduser1@pune.test.in,aduser2@pune.test.in

[root@ipaclient02 ~]# id aduser1@pune.test.in
uid=10002(aduser1@pune.test.in) gid=111112(adgroup1@pune.test.in) groups=111112(adgroup1@pune.test.in)

[root@ipaclient02 ~]# getent group adgroup1@test.in
adgroup1@test.in:*:30014:

Comment 5 Jakub Hrozek 2015-10-01 08:17:26 UTC
Override question -> redirecting needinfo to Sumit

Comment 6 Sumit Bose 2015-10-01 08:42:37 UTC
In steps 1 and 2 you create new override objects but do not specify any values to override; in the original report the GID is overridden with a new one.

The idea is that both 'getent group' and 'id' will always show the override value instead of the original GID independent of the state of the cache.
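
The consistency described in Comment 6 can be checked mechanically by comparing the GID in a `getent group` line with the GID that `id` prints for the same group name. The script below is an added example, not part of the bug report or of SSSD; the function names are hypothetical, the first two sample lines are copied from Comment 4, and the GID 222222 is a constructed override value.

```shell
#!/bin/sh
# Added example: compare the GID reported by `getent group` with the GID
# that `id` shows for the same group name. Function names are hypothetical.

# Print the GID (third colon-separated field) of a `getent group` line.
gid_from_getent() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print the GID that the `id` output line $1 lists for group name $2.
# Returns 1 if the group does not appear in the groups= list.
gid_from_id() (
    group=$2
    list=${1##*groups=}            # keep only the comma-separated groups= list
    IFS=,
    set -f                         # no globbing while splitting (subshell only)
    for entry in $list; do
        # each entry looks like 111112(adgroup1@pune.test.in)
        if [ "${entry#*\(}" = "$group)" ]; then
            printf '%s\n' "${entry%%\(*}"
            exit 0
        fi
    done
    exit 1
)

# $1 = `id` output line, $2 = `getent group` line.
# Exit status: 0 = both agree, 1 = GIDs differ, 2 = group not in id output.
check_group_gid() (
    group=${2%%:*}
    want=$(gid_from_getent "$2")
    have=$(gid_from_id "$1" "$group") || exit 2
    [ "$want" = "$have" ] || exit 1
)

report() {
    if check_group_gid "$1" "$2"; then echo "consistent: ${2%%:*}"
    else echo "MISMATCH or not listed: ${2%%:*}"; fi
}

# Sample input: first two lines from Comment 4, third line constructed.
ID_LINE='uid=10002(aduser1@pune.test.in) gid=111112(adgroup1@pune.test.in) groups=111112(adgroup1@pune.test.in)'
GETENT_OK='adgroup1@pune.test.in:*:111112:aduser1@pune.test.in,aduser2@pune.test.in'
GETENT_OVERRIDDEN='adgroup1@pune.test.in:*:222222:aduser1@pune.test.in'

report "$ID_LINE" "$GETENT_OK"
report "$ID_LINE" "$GETENT_OVERRIDDEN"
```

On a live client the two arguments would be `"$(id USER)"` and `"$(getent group GROUP)"`, run once on an empty cache and again after the cache is populated.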

Comment 7 Sudhir Menon 2015-10-14 10:24:48 UTC
Created attachment 1082776
Verification Steps

Comment 8 Sudhir Menon 2015-10-14 10:25:43 UTC
Verified using RHEL 7.2 and Windows 2008

sssd-1.13.0-39.el7.x86_64
ipa-server-trust-ad-4.2.0-13.el7.x86_64
ipa-server-dns-4.2.0-13.el7.x86_64
ipa-server-4.2.0-13.el7.x86_64

Comment 9 errata-xmlrpc 2015-11-19 11:38:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2355.html

