Description of problem:
This is related with https://bugzilla.redhat.com/show_bug.cgi?id=1204379 (fedora bug).
A customer's CUPS server uses AD group for web UI access.
But, he could not access with a user in AD group. sssd is configured properly,
and groups command can return the correct groups including AD group.
After some investigation by customer, the following upstream patch was found to fix the problem. getgrouplist() is used to get group information by the patch.
The customer confirmed that the patch fixed the problem with a test package.
Could you backport this patch into RHEL7.
Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux 7
Steps to Reproduce:
1. Configure sssd for AD user and group
2. ignore_group_members = true may be needed in sssd.conf for reproduction.
It's used to speed up authentication. As the result, getent group <group> doesn't return members. But, id command can list all groups including AD group.
3. configure CUPS to allow to access Web UI for a user in a AD group.
cannot access WEB UI with a user in the AD group which was permitted in CUPS configuration.
can access WEB UI
*** Bug 1644641 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.