Bug 1217127 - Override for IPA users with login does not list user all groups
Summary: Override for IPA users with login does not list user all groups
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.1
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
Assignee: SSSD Maintainers
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On: 1215195
Blocks:
Reported: 2015-04-29 15:39 UTC by Sumit Bose
Modified: 2020-05-02 18:03 UTC (History)

Fixed In Version: sssd-1.13.0-0.1.alpha.el7
Doc Type: Bug Fix
Doc Text:
Clone Of: 1215195
Environment:
Last Closed: 2015-11-19 11:38:24 UTC
Target Upstream Version:



Links
System | ID | Priority | Status | Summary | Last Updated
Github | SSSD sssd issues 3683 | None | None | None | 2020-05-02 18:03:21 UTC
Red Hat Product Errata | RHSA-2015:2355 | normal | SHIPPED_LIVE | Low: sssd security, bug fix, and enhancement update | 2015-11-19 10:27:42 UTC

Comment 1 Jakub Hrozek 2015-04-29 15:43:38 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2642

Comment 2 Jakub Hrozek 2015-05-06 08:55:40 UTC
    master:
        0f9c28eb52d2b45c8a97f709308dc11377831b8c
        35b178d02dfd293778aefbc0b465a5a3a4b6cd8f 
    sssd-1-12:
        3b00bcd8b6d53d33207005c4e7a631b6a241d300
        a4a447b7bf394ded65c8ae872832e7cd135425d1

Comment 4 Sudhir Menon 2015-09-30 12:57:42 UTC
Verified using RHEL7.2

sssd-1.13.0-35.el7.x86_64
ipa-server-trust-ad-4.2.0-12.el7.x86_64
ipa-server-4.2.0-12.el7.x86_64
ipa-server-dns-4.2.0-12.el7.x86_64

Observation: When an ipa user override is added with a new login name, the id command does list all its groups.


[root@ipa01 ~]# ipa user-show ipauser1
  User login: ipauser1
  First name: f
  Last name: l
  Home directory: /home/ipauser1
  Login shell: /bin/sh
  Email address: ipauser1@labs01.test
  UID: 653800010
  GID: 653800010
  Account disabled: False
  Password: False
  Member of groups: grp2, grp1, ipausers
  Kerberos keys available: False

[root@ipa01 ~]# ipa idview-add
ID View Name: hostview
------------------------
Added ID View "hostview"
------------------------
  ID View Name: hostview
[root@ipa01 ~]# ipa idoverrideuser-add hostview ipauser1 --login useripa1
---------------------------------
Added User ID override "ipauser1"
---------------------------------
  Anchor to override: ipauser1
  User login: useripa1

service sssd stop ; rm -fr /var/lib/sss/{db,mc}/* ; service sssd start

[root@ipa01 ~]# ipa idview-apply hostview --hosts ipaclient02.labs01.test
--------------------------
Applied ID View "hostview"
--------------------------
  hosts: ipaclient02.labs01.test
---------------------------------------------
Number of hosts the ID View was applied to: 1
---------------------------------------------

[root@ipaclient02 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service

[root@ipaclient02 ~]# id ipauser1
uid=653800010(useripa1) gid=653800010(ipauser1) groups=653800010(ipauser1),653800012(grp2),653800011(grp1)
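
The group check from the verification above as a repeatable comparison (an added example, not part of the original comment or of SSSD): it parses two `id` output lines and reports GIDs that one lookup has and the other lacks. The function names and the second, truncated sample line are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: compare the group sets reported by two `id` output lines.

# Print the numeric GIDs from the groups= field, one per line, sorted.
# Names in parentheses are stripped first, so group names that contain
# spaces or commas cannot break the parsing.
id_group_gids() {
    printf '%s\n' "$1" \
        | sed -n -e 's/([^)]*)//g' -e 's/.*groups=\([0-9,]*\).*/\1/p' \
        | tr ',' '\n' | sort -n
}

# Print GIDs present in the first id line but absent from the second.
missing_gids() {
    other=$(id_group_gids "$2")
    for gid in $(id_group_gids "$1"); do
        printf '%s\n' "$other" | grep -qx "$gid" || printf '%s\n' "$gid"
    done
}

# Succeed only when both id lines carry exactly the same set of GIDs.
same_groups() {
    [ -z "$(missing_gids "$1" "$2")" ] && [ -z "$(missing_gids "$2" "$1")" ]
}

# Reference line: the `id ipauser1` output shown in the comment above.
ID_FULL='uid=653800010(useripa1) gid=653800010(ipauser1) groups=653800010(ipauser1),653800012(grp2),653800011(grp1)'
# Constructed sample (not from the report): only the primary group resolved.
ID_PARTIAL='uid=653800010(useripa1) gid=653800010(ipauser1) groups=653800010(ipauser1)'

if same_groups "$ID_FULL" "$ID_PARTIAL"; then
    echo "group sets match"
else
    echo "GIDs missing from second lookup:" $(missing_gids "$ID_FULL" "$ID_PARTIAL")
fi
```

On a client, the two arguments would be `id` output captured for the original login and for the override login after the SSSD cache has been cleared.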

Comment 5 errata-xmlrpc 2015-11-19 11:38:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2355.html
