Bug 1274322 - SSSD should not fail authentication when only allow rules are used
Summary: SSSD should not fail authentication when only allow rules are used
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.3
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: SSSD Maintainers
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-10-22 13:32 UTC by Allan Mullan
Modified: 2015-11-19 15:55 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 1170910
Environment:
Last Closed: 2015-11-19 15:55:04 UTC
Target Upstream Version:
Embargoed:


Attachments
Log Files (5.57 KB, application/x-gzip), 2015-10-22 14:15 UTC, Allan Mullan

Description Allan Mullan 2015-10-22 13:32:00 UTC
+++ This bug was initially created as a clone of Bug #1170910 +++

Description of problem:
SSSD should not fail when only allow rules are used

In case of GID to name resolve failure, SSSD should not deny user auth when only allow rules are used.

Version-Release number of selected component (if applicable):
1.12.2

This problem is still existent on RHEL7 with 1.12.2 - I get the same "Could not resolve name of group with GID" message in debug logs for sssd.

Comment 2 Jakub Hrozek 2015-10-22 14:02:25 UTC
You might see the message in the logs, but the message would be non-fatal.

Can you attach logs showing the failure?

Please follow https://fedorahosted.org/sssd/wiki/Troubleshooting to obtain the logs.

Comment 3 Allan Mullan 2015-10-22 14:15:00 UTC
Created attachment 1085562
Log Files

Cleared log files from when the service is started until the failure.

Comment 4 Jakub Hrozek 2015-10-23 07:32:15 UTC
Indeed, we need this patch:
From dbb263dddce4febf97add4ac5ef6e0aa2ced9f03 Mon Sep 17 00:00:00 2001
From: Pavel Reichl <preichl>
Date: Mon, 20 Apr 2015 11:33:29 -0400
Subject: [PATCH 60/60] simple-access-provider: make user grp res more robust

Not all user groups need to be resolved if group deny list is empty.

Resolves:
https://fedorahosted.org/sssd/ticket/2519

Reviewed-by: Jakub Hrozek <jhrozek>
(cherry picked from commit 82a958e6592c4a4078e45b7197bbe4751b70f511)
(cherry picked from commit 45a089a7bcf54e27fb46dc1a2c08c21ac07db96a)


I thought it was in 7.1 as well, but it's only in 6.7. However, the patch will be in 7.2, which will be out in a couple of weeks -- so I'd recommend waiting for 7.2.0, then we can close this bug if it works for you.

Comment 5 Jakub Hrozek 2015-10-23 07:32:59 UTC
Close as a duplicate of rhbz #1170910 that is -- I think this one is a duplicate of 1170910.

Comment 6 Lukas Slebodnik 2015-10-23 07:43:03 UTC
Allan,
If you want, you can test on el7.1 with a backported version from upstream.
https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-13/

Comment 7 Jakub Hrozek 2015-11-19 15:55:04 UTC
7.2 was just released today, please try it out and reopen this bug if you can still reproduce it with 7.2
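
The behaviour described in this bug and in the commit message quoted in Comment 4, as an added example that is not SSSD's code: a simplified Python model of an allow/deny access check in which an unresolvable GID is fatal only when a group deny list is configured. The function name, its parameters, the sample data and the assumption that the unpatched check failed on any unresolved GID are illustrative.

```python
# Simplified model of the access decision discussed in this bug.
# Added illustration; not SSSD source code. All names are hypothetical.
from typing import Collection, Optional, Sequence


def simple_access(user: str,
                  groups: Sequence[Optional[str]],
                  allow_users: Collection[str] = (),
                  deny_users: Collection[str] = (),
                  allow_groups: Collection[str] = (),
                  deny_groups: Collection[str] = (),
                  patched: bool = True) -> bool:
    """Return True if access is granted.

    `groups` holds the user's group names; None stands for a GID whose
    name could not be resolved.
    """
    unresolved = any(g is None for g in groups)
    if unresolved:
        # Assumed pre-patch behaviour: any unresolved GID fails the check.
        if not patched:
            return False
        # Patched: fail closed only if a deny-group rule exists, because the
        # unknown group might be one of the denied ones.
        if deny_groups:
            return False
    names = {g for g in groups if g is not None}

    # Allow step: with no allow list everyone passes; otherwise a match is required.
    if allow_users or allow_groups:
        granted = user in allow_users or bool(names & set(allow_groups))
    else:
        granted = True

    # Deny step: a matching deny rule supersedes any allow match.
    if user in deny_users or names & set(deny_groups):
        granted = False
    return granted


# Constructed sample: one resolvable group and one GID without a name.
ALICE_GROUPS = ["admins", None]

if __name__ == "__main__":
    print(simple_access("alice", ALICE_GROUPS, allow_groups={"admins"}, patched=False))
    print(simple_access("alice", ALICE_GROUPS, allow_groups={"admins"}))
    print(simple_access("alice", ALICE_GROUPS, allow_groups={"admins"},
                        deny_groups={"contractors"}))
```

Skipping the unresolved GID is safe in the allow-only case because an unknown group can never add an allow match, while with a deny-group rule present it could hide a deny match, so the model keeps failing closed there.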

