Bug 1250111 - User lifecycle - preserved users can be assigned membership
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: IPA Maintainers
QA Contact: Namita Soman
Reported: 2015-08-04 10:23 EDT by Jan Cholasta
Modified: 2015-11-19 07:04 EST
Fixed In Version: ipa-4.2.0-5.el7
Doc Type: Bug Fix
Last Closed: 2015-11-19 07:04:57 EST


Attachments:
user_del_group_add (1.50 KB, text/plain)
2015-09-14 03:28 EDT, Abhijeet Kasurde

Description Jan Cholasta 2015-08-04 10:23:01 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5170

In the user plugin, preserved users can be assigned membership, even though they are not supposed to work with membership information. Moreover, when a membership is assigned to a preserved user and then the user is activated, the membership information persists for the active entry.

'''Steps to reproduce:'''

'''1. create a group and a user'''

{{{
$ ipa group-add tgroup
$ ipa user-add tuser --first test --last user
}}}

'''2. delete the user with --preserve option'''

{{{
$ ipa user-del tuser --preserve
}}}


'''3. assign membership to the preserved user'''

{{{
$ ipa group-add-member tgroup --users tuser
}}}

Expected result: should not add the user to the group

Actual result: the user is added to the group:

{{{
  Group name: tgroup
  GID: 280206353
-------------------------
Number of members added 1
-------------------------
}}}

Even though the results of the group-show and user-show commands do not list 'tuser' as a member of 'tgroup', the membership was apparently added:

{{{
$ ipa group-show tgroup
  Group name: tgroup
  GID: 280206353

$ ipa user-show tuser
  User login: tuser
  First name: test
  Last name: user
  Home directory: /home/tuser
  Login shell: /bin/sh
  Email address: tuser@abc.idm.lab.eng.brq.redhat.com
  UID: 280206355
  GID: 280206355
  Account disabled: True
  Preserved user: True
  Password: False
  Kerberos keys available: False
}}}

'''4. activate the preserved entry'''

{{{
$ ipa user-undel tuser
}}}

Expected result: user is now active and has only 'ipausers' membership

Actual result: user is active and has 'ipausers' and ''''tgroup'''' membership:
{{{
$ ipa user-show tuser
  User login: tuser
  First name: test
  Last name: user
  Home directory: /home/tuser
  Login shell: /bin/sh
  Email address: tuser@abc.idm.lab.eng.brq.redhat.com
  UID: 280206355
  GID: 280206355
  Account disabled: False
  Password: False
  Member of groups: tgroup, ipausers
  Kerberos keys available: False

$ ipa group-show tgroup
  Group name: tgroup
  GID: 280206353
  Member users: tuser
}}}

'''Note:''' The membership added to the preserved entry can also be removed using 'group-remove-member'.
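
The check from step 4 as a script, added here as an example that is not part of the original report or of FreeIPA: shell functions that parse `ipa user-show` text output and flag any group outside an allowed baseline after `ipa user-undel`. The function names and the assumption that the group list sits on one "Member of groups:" line are mine; the sample input is abridged from the output in the report.

```shell
#!/bin/sh
# Added example, not FreeIPA code. Assumes the group list is printed on a
# single "Member of groups:" line, as in the output shown in the report.

# extra_groups ALLOWED_CSV
# stdin: `ipa user-show LOGIN` output. Prints each group not in ALLOWED_CSV.
extra_groups() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, /[ ,]+/)
                for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*Member of groups:/ {
            sub(/^[^:]*:[ \t]*/, "")      # drop the field label
            sub(/[ \t\r]+$/, "")          # drop trailing whitespace
            m = split($0, g, /,[ \t]*/)
            for (i = 1; i <= m; i++)
                if (g[i] != "" && !(g[i] in ok)) print g[i]
        }'
}

# is_preserved: exit 0 if the output on stdin reports "Preserved user: True".
is_preserved() {
    grep -Eq '^[[:space:]]*Preserved user:[[:space:]]*True'
}

# check_reactivated LOGIN ALLOWED_CSV
# stdin: `ipa user-show LOGIN` output taken right after `ipa user-undel LOGIN`.
# Returns 1 and names the groups when memberships beyond the baseline exist.
check_reactivated() {
    _extra=$(extra_groups "$2")
    if [ -n "$_extra" ]; then
        printf 'UNEXPECTED %s: %s\n' "$1" "$(printf '%s' "$_extra" | tr '\n' ' ')"
        return 1
    fi
    printf 'OK %s\n' "$1"
}

# Sample input, abridged from the `ipa user-show tuser` output in the report.
SAMPLE_PRESERVED='  User login: tuser
  Account disabled: True
  Preserved user: True'
SAMPLE_AFTER_UNDEL='  User login: tuser
  Account disabled: False
  Member of groups: tgroup, ipausers'

# Live use: ipa user-show tuser | check_reactivated tuser ipausers
```

On the affected build the reactivated sample reports `tgroup` as unexpected. The preserved sample reports nothing, because, as noted in step 3, `user-show` does not display the membership while the entry is preserved.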
Comment 3 Abhijeet Kasurde 2015-09-14 03:28:30 EDT
Created attachment 1073088
user_del_group_add
Comment 4 Abhijeet Kasurde 2015-09-14 04:16:11 EDT
Verified the fix, marking bug as verified.
Comment 5 errata-xmlrpc 2015-11-19 07:04:57 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html
