Bug 1274322

Summary: SSSD should not fail authentication when only allow rules are used
Product: Red Hat Enterprise Linux 7
Component: sssd
Version: 7.3
Hardware: x86_64
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: unspecified
Target Milestone: rc
Reporter: Allan Mullan <AMMullan>
Assignee: SSSD Maintainers <sssd-maint>
QA Contact: Kaushik Banerjee <kbanerje>
CC: AMMullan, atolani, grajaiya, jgalipea, jhrozek, kbanerje, lslebodn, mkosek, mzidek, pbrezina, preichl, sssd-maint, viggiani
Doc Type: Bug Fix
Clone Of: 1170910
Last Closed: 2015-11-19 15:55:04 UTC
Type: Bug
Attachments: Log Files (flags: none)

Description Allan Mullan 2015-10-22 13:32:00 UTC
+++ This bug was initially created as a clone of Bug #1170910 +++

Description of problem:
SSSD should not fail when only allow rules are used

In case of GID to name resolve failure, SSSD should not deny user auth when only allow rules are used.

Version-Release number of selected component (if applicable):
1.12.2

This problem is still existent on RHEL7 with 1.12.2 - I get the same "Could not resolve name of group with GID" message in debug logs for sssd.

Comment 2 Jakub Hrozek 2015-10-22 14:02:25 UTC
You might see the message in the logs, but the message would be non-fatal.

Can you attach logs showing the failure?

Please follow https://fedorahosted.org/sssd/wiki/Troubleshooting to obtain the logs.

Comment 3 Allan Mullan 2015-10-22 14:15:00 UTC
Created attachment 1085562
Log Files

Cleared log files from when the service is started until the failure.

Comment 4 Jakub Hrozek 2015-10-23 07:32:15 UTC
Indeed, we need this patch:
From dbb263dddce4febf97add4ac5ef6e0aa2ced9f03 Mon Sep 17 00:00:00 2001
From: Pavel Reichl <preichl>
Date: Mon, 20 Apr 2015 11:33:29 -0400
Subject: [PATCH 60/60] simple-access-provider: make user grp res more robust

Not all user groups need to be resolved if group deny list is empty.

Resolves:
https://fedorahosted.org/sssd/ticket/2519

Reviewed-by: Jakub Hrozek <jhrozek>
(cherry picked from commit 82a958e6592c4a4078e45b7197bbe4751b70f511)
(cherry picked from commit 45a089a7bcf54e27fb46dc1a2c08c21ac07db96a)


I thought it was in 7.1 as well, but it's only in 6.7. However, the patch will be in 7.2, which will be out in a couple of weeks -- so I'd recommend to wait for 7.2.0, then we can close this bug if it works for you.
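
The reasoning in the patch subject above ("Not all user groups need to be resolved if group deny list is empty"), as an added example that is not part of this bug report and is not SSSD's code: a simplified C model of a group-based allow/deny check. The struct, enum and function names are hypothetical, only group lists are modelled, and a GID that could not be resolved is represented by a NULL name.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not SSSD source; all names here are hypothetical. */
struct group_ref { const char *name; };  /* name == NULL: GID did not resolve */
enum access_result { ACCESS_GRANTED, ACCESS_DENIED, ACCESS_ERROR };

static bool in_list(const char *const *list, const char *name)
{
    for (; list && *list; list++)
        if (strcmp(*list, name) == 0)
            return true;
    return false;
}

enum access_result check_groups(const struct group_ref *groups, size_t n,
                                const char *const *allow_groups,
                                const char *const *deny_groups)
{
    bool have_allow = allow_groups && allow_groups[0];
    bool have_deny = deny_groups && deny_groups[0];
    bool allowed = !have_allow;  /* no allow list: granted unless denied */

    for (size_t i = 0; i < n; i++) {
        if (groups[i].name == NULL) {
            if (have_deny)
                return ACCESS_ERROR;  /* might be a denied group: fail closed */
            continue;  /* allow-only: an unnamed group cannot grant or deny */
        }
        if (in_list(deny_groups, groups[i].name))
            return ACCESS_DENIED;
        if (in_list(allow_groups, groups[i].name))
            allowed = true;
    }
    return allowed ? ACCESS_GRANTED : ACCESS_DENIED;
}

int main(void)
{
    /* Constructed sample: one resolved group and one GID with no name. */
    const char *const allow[] = { "admins", NULL };
    const char *const deny[] = { "contractors", NULL };
    const struct group_ref user_groups[] = { { "admins" }, { NULL } };
    printf("allow only:   %d\n", check_groups(user_groups, 2, allow, NULL));
    printf("allow + deny: %d\n", check_groups(user_groups, 2, allow, deny));
    return 0;
}
```

With an allow list only, skipping the unresolved group can never widen access: if that group was the one that would have matched, the user is simply not granted.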

Comment 5 Jakub Hrozek 2015-10-23 07:32:59 UTC
Close as a duplicate of rhbz #1170910 that is -- I think this one is a duplicate of 1170910.

Comment 6 Lukas Slebodnik 2015-10-23 07:43:03 UTC
Allan,
If you want, you can test on el7.1 with a backported version from upstream.
https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-13/

Comment 7 Jakub Hrozek 2015-11-19 15:55:04 UTC
7.2 was just released today, please try it out and reopen this bug if you can still reproduce it with 7.2