Bug 1364596 - sssd still showing ipa user after removed from last group
Summary: sssd still showing ipa user after removed from last group
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Iker Pedrosa
QA Contact: Scott Poore
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks:
Reported: 2016-08-05 21:09 UTC by Scott Poore
Modified: 2021-11-10 09:00 UTC
CC List: 14 users

Fixed In Version: sssd-2.5.2-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-09 19:46:33 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments
sssd logs (185.36 KB, application/x-gzip), 2016-08-05 21:58 UTC, Scott Poore


Links
System: Github SSSD sssd issues | ID: 4255 | Status: open | Summary: sssd still showing ipa user after removed from last group | Last Updated: 2020-11-23 11:58:18 UTC
System: Red Hat Product Errata | ID: RHBA-2021:4435 | Last Updated: 2021-11-09 19:46:53 UTC

Description Scott Poore 2016-08-05 21:09:41 UTC
Description of problem:

I am seeing sssd still show a user as a member of a group after it was removed from the group and "sss_cache -UG" is run.

Running the Web_App_Authentication tests, the LookupUserGroup tests are showing a user is still a member of a group after it is removed.  Even running sss_cache doesn't change that.  During the tests, I see the first group membership change reflected immediately.  When the user is removed from the last group, though, it is still seen as a member.


Version-Release number of selected component (if applicable):
sssd-1.14.0-14.el7.x86_64
mod_lookup_identity-0.9.5-1.el7.x86_64
sssd-dbus-1.14.0-14.el7.x86_64

How reproducible:
always

Steps to Reproduce:
ON IPA Master host:
1.  ipa-server-install

ON Web server

2.  ipa-client-install

3.  yum -y install httpd mod_ssl mod_authnz_pam mod_lookup_identity sssd-dbus

4.  yum remove mod_nss

5.  Setup minimal web app http config:

[root@rhel7-2 ~]# cat /etc/httpd/conf.d/app1.conf 
LoadModule authnz_pam_module modules/mod_authnz_pam.so
LoadModule lookup_identity_module modules/mod_lookup_identity.so

<Location /app1>
  AuthType Basic
  AuthName "private area"
  AuthBasicProvider PAM
  AuthPAMService app1
  Require valid-user
  ErrorDocument 401 'FAIL'
  LookupUserAttr mail REMOTE_USER_EMAIL " "
  LookupUserAttr firstname REMOTE_USER_FIRSTNAME
  LookupUserAttr lastname REMOTE_USER_LASTNAME
  LookupUserGroups REMOTE_USER_GROUPS ":"
  LookupUserGroupsIter REMOTE_USER_GROUPS
</Location>

<Directory /var/www/html/app1>
  Options +Includes
  AddType text/html .shtml
  AddOutputFilter INCLUDES .shtml
</Directory>

6.  Setup shtml file with SSI to show vars

[root@rhel7-2 ~]# cat /var/www/html/app1/index.shtml 
<html>
<body>
REMOTE_ADDR=<!--#echo var="REMOTE_ADDR"-->
REMOTE_PORT=<!--#echo var="REMOTE_PORT"-->
REMOTE_USER=<!--#echo var="REMOTE_USER"-->
REMOTE_USER_FIRSTNAME=<!--#echo var="REMOTE_USER_FIRSTNAME"-->
REMOTE_USER_LASTNAME=<!--#echo var="REMOTE_USER_LASTNAME"-->
REMOTE_USER_GROUPS=<!--#echo var="REMOTE_USER_GROUPS"-->
REMOTE_USER_GROUPS_1=<!--#echo var="REMOTE_USER_GROUPS_1"-->
REMOTE_USER_GROUPS_N=<!--#echo var="REMOTE_USER_GROUPS_N"-->
</body>
</html>

7.  kinit admin
8.  ipa user-add webuser --first=web --last=user --password
9.  kinit webuser
10.  ipa group-add webgroup1
11.  ipa group-add webgroup2
12.  ipa group-add-member webgroup1 --users=webuser
13.  ipa group-add-member webgroup2 --users=webuser
14.  curl -u webuser:Secret123 https://$(hostname)/app1/index.shtml
15.  ipa group-remove-member webgroup2 --users=webuser
16.  curl -u webuser:Secret123 https://$(hostname)/app1/index.shtml
17.  ipa group-remove-member webgroup1 --users=webuser
18.  curl -u webuser:Secret123 https://$(hostname)/app1/index.shtml
19.  sss_cache -UG
20.  curl -u webuser:Secret123 https://$(hostname)/app1/index.shtml

Actual results:

Step 18 and 20 both show the user still as a member of webgroup1.

Expected results:

I would expect at least after invalidating all users/groups that it would be looked up again and no group membership show.

Additional info:

Comment 1 Scott Poore 2016-08-05 21:11:01 UTC
Sorry, I missed some web app setup steps

cat > /etc/pam.d/app1 <<EOF
auth    required   pam_sss.so
account required   pam_sss.so
EOF

setsebool -P allow_httpd_mod_auth_pam 1
setsebool -P httpd_dbus_sssd 1
setsebool -P httpd_tty_comm 1

echo Secret123|kinit admin
ipa service-add HTTP/$(hostname) --force
ipa-getcert request -f /etc/pki/tls/certs/server.pem \
    -k /etc/pki/tls/private/server.key \
    -K HTTP/$(hostname)
ipa-getkeytab -s rhel7-1.example.com -k /etc/http.keytab -p HTTP/$(hostname)

sed -i 's!^\(SSLCertificateFile\).*$!\1 /etc/pki/tls/certs/server.pem!' /etc/httpd/conf.d/ssl.conf
sed -i 's!^\(SSLCertificateKeyFile\).*$!\1 /etc/pki/tls/private/server.key!' /etc/httpd/conf.d/ssl.conf
sed -i '/#SSLCACertificateFile/ a SSLCACertificateFile /etc/ipa/ca.crt' /etc/httpd/conf.d/ssl.conf

systemctl restart httpd

Comment 2 Scott Poore 2016-08-05 21:21:25 UTC
[root@rhel7-2 sssd]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-2 sssd]# curl -u webuser:Secret123 https://$(hostname)/app1/index.shtml
<html>
<body>
REMOTE_ADDR=192.168.122.72
REMOTE_PORT=57676
REMOTE_USER=webuser
REMOTE_USER_FIRSTNAME=web
REMOTE_USER_LASTNAME=user
REMOTE_USER_GROUPS=(none)
REMOTE_USER_GROUPS_1=(none)
REMOTE_USER_GROUPS_N=0
</body>
</html>

[root@rhel7-2 sssd]# ipa group-add-member webgroup1 --users=webuser
  Group name: webgroup1
  GID: 973200010
  Member users: webuser
-------------------------
Number of members added 1
-------------------------

[root@rhel7-2 sssd]# curl -u webuser:Secret123 https://$(hostname)/app1/index.shtml
<html>
<body>
REMOTE_ADDR=192.168.122.72
REMOTE_PORT=57696
REMOTE_USER=webuser
REMOTE_USER_FIRSTNAME=web
REMOTE_USER_LASTNAME=user
REMOTE_USER_GROUPS=webgroup1
REMOTE_USER_GROUPS_1=webgroup1
REMOTE_USER_GROUPS_N=1
</body>
</html>

[root@rhel7-2 sssd]# ipa group-add-member webgroup2 --users=webuser
  Group name: webgroup2
  GID: 973200011
  Member users: webuser
-------------------------
Number of members added 1
-------------------------

[root@rhel7-2 sssd]# curl -u webuser:Secret123 https://$(hostname)/app1/index.shtml
<html>
<body>
REMOTE_ADDR=192.168.122.72
REMOTE_PORT=57712
REMOTE_USER=webuser
REMOTE_USER_FIRSTNAME=web
REMOTE_USER_LASTNAME=user
REMOTE_USER_GROUPS=webgroup1:webgroup2
REMOTE_USER_GROUPS_1=webgroup1
REMOTE_USER_GROUPS_N=2
</body>
</html>

[root@rhel7-2 sssd]# ipa group-remove-member webgroup2 --users=webuser
  Group name: webgroup2
  GID: 973200011
---------------------------
Number of members removed 1
---------------------------

[root@rhel7-2 sssd]# curl -u webuser:Secret123 https://$(hostname)/app1/index.shtml
<html>
<body>
REMOTE_ADDR=192.168.122.72
REMOTE_PORT=57750
REMOTE_USER=webuser
REMOTE_USER_FIRSTNAME=web
REMOTE_USER_LASTNAME=user
REMOTE_USER_GROUPS=webgroup1
REMOTE_USER_GROUPS_1=webgroup1
REMOTE_USER_GROUPS_N=1
</body>
</html>

[root@rhel7-2 sssd]# ipa group-remove-member webgroup1 --users=webuser
  Group name: webgroup1
  GID: 973200010
---------------------------
Number of members removed 1
---------------------------

[root@rhel7-2 sssd]# curl -u webuser:Secret123 https://$(hostname)/app1/index.shtml
<html>
<body>
REMOTE_ADDR=192.168.122.72
REMOTE_PORT=57766
REMOTE_USER=webuser
REMOTE_USER_FIRSTNAME=web
REMOTE_USER_LASTNAME=user
REMOTE_USER_GROUPS=webgroup1
REMOTE_USER_GROUPS_1=webgroup1
REMOTE_USER_GROUPS_N=1
</body>
</html>

[root@rhel7-2 sssd]# sss_cache -UG 

[root@rhel7-2 sssd]# curl -u webuser:Secret123 https://$(hostname)/app1/index.shtml
<html>
<body>
REMOTE_ADDR=192.168.122.72
REMOTE_PORT=57802
REMOTE_USER=webuser
REMOTE_USER_FIRSTNAME=web
REMOTE_USER_LASTNAME=user
REMOTE_USER_GROUPS=webgroup1
REMOTE_USER_GROUPS_1=webgroup1
REMOTE_USER_GROUPS_N=1
</body>
</html>

Comment 3 Scott Poore 2016-08-05 21:22:13 UTC
To update the cache, it appears as if I have to delete it entirely:

[root@rhel7-2 sssd]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-2 sssd]# curl -u webuser:Secret123 https://$(hostname)/app1/index.shtml
<html>
<body>
REMOTE_ADDR=192.168.122.72
REMOTE_PORT=57892
REMOTE_USER=webuser
REMOTE_USER_FIRSTNAME=web
REMOTE_USER_LASTNAME=user
REMOTE_USER_GROUPS=(none)
REMOTE_USER_GROUPS_1=(none)
REMOTE_USER_GROUPS_N=0
</body>
</html>

Comment 4 Scott Poore 2016-08-05 21:58:32 UTC
Created attachment 1188048
sssd logs

Comment 6 Jakub Hrozek 2016-08-10 15:45:51 UTC
I suspect this might be either https://fedorahosted.org/sssd/ticket/2940 or a variant of it, although we should confirm.

Comment 7 Petr Čech 2016-10-18 12:34:56 UTC
master:
    e0903f41922721edf292a9f7e6605a4519db53a1
    eaf44bc07dda469a20be07d46737d93f518e2047

Comment 8 Petr Čech 2016-10-18 12:49:08 UTC
Sorry, I was too fast.

Mentioned commits are from
https://fedorahosted.org/sssd/ticket/2940
which is connected to nested groups.

If I read reproducer in this BZ correctly this is just about removing membership in last group. No nested groups. I will take a look on it.

Comment 10 Jakub Hrozek 2016-10-19 07:21:06 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/3222

Comment 18 Petr Čech 2017-12-04 14:34:00 UTC
Sorry, I am in the FreeIPA QE team already, so I unassigned myself from this BZ.

Comment 35 Alexey Tikhonov 2021-06-21 11:36:41 UTC
https://github.com/SSSD/sssd/pull/5663 needs more work.

Comment 36 Pavel Březina 2021-07-08 10:28:43 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/5663

* `master`
    * 865330c651064977477121961bcd084af02bb0d9 - cache_req: parse name to get shortname

Comment 42 Scott Poore 2021-07-24 16:30:32 UTC
Verified.

Version ::

sssd-2.5.2-1.el8.x86_64

Results ::

+ ipa user-add --first=Test --last=User --email=u1 tuser3
-------------------
Added user "tuser3"
-------------------
  User login: tuser3
  First name: Test
  Last name: User
  Full name: Test User
  Display name: Test User
  Initials: TU
  Home directory: /home/tuser3
  GECOS: Test User
  Login shell: /bin/sh
  Principal name: tuser3
  Principal alias: tuser3
  Email address: u1
  UID: 1337400006
  GID: 1337400006
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

+ ipa group-add tgroup3
---------------------
Added group "tgroup3"
---------------------
  Group name: tgroup3
  GID: 1337400007

+ systemctl daemon-reload
+ systemctl stop sssd
+ truncate -s0 /var/log/sssd/ldap_child.log /var/log/sssd/sssd_example.test.log /var/log/sssd/sssd_ifp.log /var/log/sssd/sssd_implicit_files.log /var/log/sssd/sssd_kcm.log /var/log/sssd/sssd.log /var/log/sssd/sssd_nss.log /var/log/sssd/sssd_pac.log /var/log/sssd/sssd_pam.log /var/log/sssd/sssd_ssh.log /var/log/sssd/sssd_sudo.log
+ rm -rf /var/lib/sss/db/cache_example.test.ldb /var/lib/sss/db/cache_implicit_files.ldb /var/lib/sss/db/ccache_EXAMPLE.TEST /var/lib/sss/db/config.ldb /var/lib/sss/db/sssd.ldb /var/lib/sss/db/timestamps_example.test.ldb /var/lib/sss/db/timestamps_implicit_files.ldb /var/lib/sss/mc/group /var/lib/sss/mc/initgroups /var/lib/sss/mc/passwd
+ systemctl start sssd

+ ipa group-add-member --users=tuser3 tgroup3
  Group name: tgroup3
  GID: 1337400007
  Member users: tuser3
-------------------------
Number of members added 1
-------------------------

+ sss_cache -UG

+ getent group tgroup3
tgroup3:*:1337400007:tuser3

++ grep 'object path'
++ dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Groups org.freedesktop.sssd.infopipe.Groups.FindByName string:tgroup3
++ cut -f2 '-d"'
+ OPATH=/org/freedesktop/sssd/infopipe/Groups/example_2etest/1337400007


############## issue 1:

+ dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Groups/example_2etest/1337400007 org.freedesktop.sssd.infopipe.Groups.Group.UpdateMemberList
method return time=1627143662.053214 sender=:1.314 -> destination=:1.316 serial=8 reply_serial=2

^^^ First run of UpdateMemberList for a new group does not fail ^^^

############## issue 2:

+ dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Groups/example_2etest/1337400007 org.freedesktop.DBus.Properties.GetAll string:org.freedesktop.sssd.infopipe.Groups.Group
method return time=1627143662.063883 sender=:1.314 -> destination=:1.317 serial=10 reply_serial=2
   array [
      dict entry(
         string "name"
         variant             string "tgroup3"
      )
      dict entry(
         string "gidNumber"
         variant             uint32 1337400007
      )
      dict entry(
         string "uniqueID"
         variant             string "22558740-ec9b-11eb-abf1-fa163e75c07f"
      )
      dict entry(
         string "users"
         variant             array [
               object path "/org/freedesktop/sssd/infopipe/Users/example_2etest/1337400006"
            ]
      )
      dict entry(
         string "groups"
         variant             array [
            ]
      )
   ]

^^^ GetAll shows user that was newly added to group ^^^

+ sleep 1
+ ipa group-remove-member --users=tuser3 tgroup3
  Group name: tgroup3
  GID: 1337400007
---------------------------
Number of members removed 1
---------------------------
+ sss_cache -UG

+ dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Groups/example_2etest/1337400007 org.freedesktop.sssd.infopipe.Groups.Group.UpdateMemberList
method return time=1627143664.282768 sender=:1.314 -> destination=:1.318 serial=12 reply_serial=2

############## issue 3:

+ dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Groups/example_2etest/1337400007 org.freedesktop.DBus.Properties.GetAll string:org.freedesktop.sssd.infopipe.Groups.Group
method return time=1627143664.294356 sender=:1.314 -> destination=:1.319 serial=14 reply_serial=2
   array [
      dict entry(
         string "name"
         variant             string "tgroup3"
      )
      dict entry(
         string "gidNumber"
         variant             uint32 1337400007
      )
      dict entry(
         string "uniqueID"
         variant             string "22558740-ec9b-11eb-abf1-fa163e75c07f"
      )
      dict entry(
         string "users"
         variant             array [
            ]
      )
      dict entry(
         string "groups"
         variant             array [
            ]
      )
   ]

^^^ GetAll shows no user after removed from group ^^^

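The reproducer in the description (and Comment 2) observes the stale membership indirectly, through mod_lookup_identity and curl; the verification in Comment 42 queries SSSD's InfoPipe directly with dbus-send and reads the "users" property of the group object. The following is an added example, not code from the bug report or from the SSSD project, that parses those dbus-send replies and `getent group` lines and reports members SSSD still returns after the directory dropped them. The sample reply is constructed in the shape of the two GetAll dumps in Comment 42 (abbreviated to the properties the check reads); the function and constant names are this example's own, while the dbus-send flags, bus name, interface and object-path layout are the ones shown on the page.

```python
"""Compare SSSD's cached view of a group's members with the authoritative
membership.  Added example; not code from the bug report or from SSSD."""
import re
import subprocess
from typing import List, Set, Tuple

IFP_DEST = "org.freedesktop.sssd.infopipe"
GROUP_IFACE = "org.freedesktop.sssd.infopipe.Groups.Group"


def dbus_cmd(group_path: str, member: str, *args: str) -> List[str]:
    """argv for one dbus-send call against an InfoPipe group object."""
    return ["dbus-send", "--print-reply", "--system", f"--dest={IFP_DEST}",
            group_path, member, *args]


def getall_cmd(group_path: str) -> List[str]:
    return dbus_cmd(group_path, "org.freedesktop.DBus.Properties.GetAll",
                    f"string:{GROUP_IFACE}")


def update_cmd(group_path: str) -> List[str]:
    return dbus_cmd(group_path, f"{GROUP_IFACE}.UpdateMemberList")


def parse_getall_ids(reply: str, section: str = "users") -> Set[int]:
    """Numeric IDs of the object paths listed under `section` ("users" or
    "groups") in a --print-reply dump of GetAll.  The ID is the last path
    component: the uid for .../Users/<domain>/<uid>, the gid for Groups."""
    m = re.search(r'string "%s"\s*variant\s*array \[(.*?)\]' % re.escape(section),
                  reply, re.S)
    if m is None:
        raise ValueError(f"property {section!r} not in reply")
    paths = re.findall(r'object path "([^"]+)"', m.group(1))
    return {int(p.rsplit("/", 1)[1]) for p in paths}


def parse_getent_group(line: str) -> Tuple[str, int, Set[str]]:
    """name, gid and member logins from one `getent group` line."""
    name, _pw, gid, members = line.strip().split(":", 3)
    return name, int(gid), {m for m in members.split(",") if m}


def stale_members(expected: Set, observed: Set) -> Set:
    """Members SSSD still shows although the source of truth dropped them."""
    return observed - expected


def check_group_live(group_path: str, expected_uids: Set[int]) -> Set[int]:
    """Refresh the group from the domain (as Comment 42 does with
    UpdateMemberList), then diff SSSD's view against the expected uids.
    Meant to run on the SSSD client as root; not exercised offline."""
    subprocess.run(update_cmd(group_path), check=True, capture_output=True)
    out = subprocess.run(getall_cmd(group_path), check=True,
                         capture_output=True, text=True).stdout
    return stale_members(expected_uids, parse_getall_ids(out))


# Constructed sample: a GetAll dump in the shape Comment 42 shows, with the
# given user object paths under "users" (hypothetical, for offline runs).
def sample_reply(user_paths: List[str]) -> str:
    users = "".join(f'               object path "{p}"\n' for p in user_paths)
    return (
        "method return time=1627143662.063883 sender=:1.314 -> destination=:1.317 serial=10 reply_serial=2\n"
        "   array [\n"
        "      dict entry(\n"
        '         string "name"\n'
        '         variant             string "tgroup3"\n'
        "      )\n"
        "      dict entry(\n"
        '         string "gidNumber"\n'
        "         variant             uint32 1337400007\n"
        "      )\n"
        "      dict entry(\n"
        '         string "users"\n'
        "         variant             array [\n"
        f"{users}"
        "            ]\n"
        "      )\n"
        "      dict entry(\n"
        '         string "groups"\n'
        "         variant             array [\n"
        "            ]\n"
        "      )\n"
        "   ]\n"
    )


TUSER3 = "/org/freedesktop/sssd/infopipe/Users/example_2etest/1337400006"

if __name__ == "__main__":
    before = parse_getall_ids(sample_reply([TUSER3]))  # {1337400006}
    after = parse_getall_ids(sample_reply([]))         # set()
    # After `ipa group-remove-member` the directory has no members; a cache
    # that still answers with `before` is the stale state this bug describes.
    print("stale with old sssd:", stale_members(set(), before))
    print("stale with fixed sssd:", stale_members(set(), after))
```

The live check is the same sequence as Comment 42 (UpdateMemberList, then GetAll) with the comparison automated, so it can be run right after `sss_cache -UG` to tell whether the cache actually dropped the user or only the web application's view changed.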
Comment 44 errata-xmlrpc 2021-11-09 19:46:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4435

