Bug 1782087 - Removing an IPA sub-group should NOT remove the members from indirect parent that also belong to other subgroups
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.7
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Sumit Bose
QA Contact: ipa-qe
URL:
Whiteboard: sync-to-jira
Duplicates: 1789220
Depends On:
Blocks: 1788833 1817374 1817375 1817376 1817377 1817379 1817380
Reported: 2019-12-11 06:39 UTC by Ding-Yi Chen
Modified: 2023-12-15 17:12 UTC (History)

Fixed In Version: sssd-1.16.5-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1817374 1817375 1817376 1817377 1817379 1817380
Environment:
Last Closed: 2020-09-29 19:49:11 UTC
Target Upstream Version:
Embargoed:


Attachments
test build (9.54 MB, application/gzip), 2020-01-30 12:08 UTC, Sumit Bose
test automation run (749 bytes, application/xml), 2020-06-16 11:49 UTC, Sumedh Sidhaye


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | SSSD sssd issues 4657 | 0 | None | closed | nested group missing after updates on provider | 2021-02-08 02:42:18 UTC
Red Hat Issue Tracker | SSSD-2427 | 0 | None | None | None | 2023-12-15 17:12:01 UTC
Red Hat Issue Tracker | SSSD-2428 | 0 | None | None | None | 2023-12-15 17:12:19 UTC
Red Hat Product Errata | RHBA-2020:3904 | 0 | None | None | None | 2020-09-29 19:50:15 UTC

Description Ding-Yi Chen 2019-12-11 06:39:09 UTC
Description of problem:

In IPA, there are 3 groups: child1 and child2 are subgroups of parent, like
the following

parent
  |
  +- child1   (user1)
  |
  +- child2   (user1)

user1 is a username; it belongs to both groups child1 and child2.


user1 should also belong to parent

# getent group parent
parent:*:12345:user1

# id user1
uid=1234(user1), gid=xxxx(user1), groups=xxxx(user1),xxxx(child1),xxxx(child2),xxxx(parent)

However, after removing child1 from parent, user1 no longer belongs to parent

# getent group parent
parent:*:12345:

# id user1
uid=1234(user1), gid=xxxx(user1), groups=xxxx(user1),xxxx(child1),xxxx(child2)


Version-Release number of selected component (if applicable):
sssd-1.16.4-21.el7.x86_64


How reproducible:
Always

Steps to Reproduce:
0. Setup
   kinit admin
   ipa user-add user1
   ipa group-add child1
   ipa group-add child2
   ipa group-add parent
   ipa group-add-member parent --group child1
   ipa group-add-member parent --group child2
   ipa group-add-member child1 --user user1
   ipa group-add-member child2 --user user1

   # Verify that user1 belongs to parent
   id user1
   getent group parent
   ipa user-show user1

1. Remove child1 from parent
   ipa group-remove-member parent --group child1
2. Check membership for user1

   id user1
   getent group parent
   ipa user-show user1


Actual results:
    id user1: does not have parent
    getent group parent: does not have user1
    ipa user-show user1: has parent


Expected results:
    id user1: has parent
    getent group parent: has user1
    ipa user-show user1: has parent


Additional info:
   sss_cache -E               does not fix the problem
   systemctl restart sssd     does not fix the problem

   You need to remove cache file before starting sssd to reload the correct membership:
   systemctl stop sssd; rm -fr /var/lib/sss/db/*; systemctl start sssd
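
A simplified model of the behaviour described in this report, added here as an illustration and not taken from SSSD or from the reporter: `remove_naive` reproduces the reported result (user1 loses parent although child2 still links to it), `remove_keep_other_paths` gives the expected result, and `drift` lists the groups a client cache is missing relative to the directory. The function names and the extra user2 are assumptions made for the example.

```python
# Simplified model of nested-group resolution; not SSSD's memberof code.
# edges maps a group to its direct members (users or other groups).

def ancestors(edges, member):
    """Every group that contains `member` directly or through nesting."""
    seen, stack = set(), [member]
    while stack:
        node = stack.pop()
        for group, members in edges.items():
            if node in members and group not in seen:
                seen.add(group)
                stack.append(group)
    return seen

def build_memberof(edges, users):
    """memberOf sets as a client cache would store them per user."""
    return {user: ancestors(edges, user) for user in users}

def remove_naive(edges, memberof, parent, child):
    """Failure mode in the report: drop `parent` from everyone under `child`."""
    dropped = {parent} | ancestors(edges, parent)
    edges[parent].discard(child)
    for groups in memberof.values():
        if child in groups:
            groups -= dropped          # ignores membership via other subgroups
    return memberof

def remove_keep_other_paths(edges, memberof, parent, child):
    """Expected result: keep memberOf values still reachable another way."""
    edges[parent].discard(child)
    for user in memberof:
        memberof[user] = ancestors(edges, user)
    return memberof

def drift(cache_view, directory_view):
    """Groups the directory reports for a user that the cache is missing."""
    return {u: directory_view[u] - cache_view[u]
            for u in directory_view if directory_view[u] - cache_view[u]}

def report_layout():
    # Constructed sample mirroring the report, plus user2 who is only in child1.
    return {"parent": {"child1", "child2"},
            "child1": {"user1", "user2"}, "child2": {"user1"}}

if __name__ == "__main__":
    users = ["user1", "user2"]
    e1, e2 = report_layout(), report_layout()
    cache = remove_naive(e1, build_memberof(e1, users), "parent", "child1")
    truth = remove_keep_other_paths(e2, build_memberof(e2, users), "parent", "child1")
    print(drift(cache, truth))   # groups the naive cache lost
```
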

Comment 2 Yuriy Halytskyy 2019-12-19 00:34:12 UTC
Any updates?

Comment 3 Ding-Yi Chen 2020-01-23 00:29:55 UTC
Perhaps we can backport the fix in sssd-2.2.0 to RHEL 7


https://pagure.io/SSSD/sssd/c/1f5d139d103328b6e4be7dc8368abdd39a91d3a6.patch

Issue: nested group missing after updates on provider    https://pagure.io/SSSD/sssd/issue/3636

Comment 4 Sumit Bose 2020-01-23 17:17:28 UTC
(In reply to Ding-Yi Chen from comment #3)
> Perhaps we can backport the fix in sssd-2.2.0 to RHEL 7
> 
> 
> https://pagure.io/SSSD/sssd/c/1f5d139d103328b6e4be7dc8368abdd39a91d3a6.patch
> 
> Issue: nested group missing after updates on provider   
> https://pagure.io/SSSD/sssd/issue/3636

Hi,

thanks for the hint, shall I create a test-build for RHEL-7.7 with the backported fix to see if this fixes the issue for you/your customer?

bye,
Sumit

Comment 5 Ding-Yi Chen 2020-01-29 23:45:43 UTC
(In reply to Sumit Bose from comment #4)
> (In reply to Ding-Yi Chen from comment #3)
> > Perhaps we can backport the fix in sssd-2.2.0 to RHEL 7
> > 
> > 
> > https://pagure.io/SSSD/sssd/c/1f5d139d103328b6e4be7dc8368abdd39a91d3a6.patch
> > 
> > Issue: nested group missing after updates on provider   
> > https://pagure.io/SSSD/sssd/issue/3636
> 
> Hi,
> 
> thanks for the hint, shall I create a test-build for RHEL-7.7 with the
> backported fix to see if this fixes the issue for you/your customer?
> 
> bye,
> Sumit

Yes please

Comment 6 Sumit Bose 2020-01-30 12:08:10 UTC
Created attachment 1656482
test build

Hi,

please find attached a tar ball with a test build of SSSD including the patch you've mentioned earlier.

bye,
Sumit

Comment 7 Ding-Yi Chen 2020-02-03 06:25:12 UTC
The test-build fixes my reproducer.

Thanks Sumit.

Comment 13 Pavel Březina 2020-03-04 09:48:44 UTC
* `sssd-1-16`
    * 9a7c044dcd17b23127ddda25ff9cddc9c67fe4ca - memberof: keep memberOf attribute for nested member

Comment 14 Pavel Březina 2020-03-16 15:31:01 UTC
*** Bug 1789220 has been marked as a duplicate of this bug. ***

Comment 25 Kaleem 2020-03-26 07:32:47 UTC
Removing the needinfo on me as Sumedh is taking care of it.

Comment 47 Sumedh Sidhaye 2020-06-16 06:49:35 UTC
ipa-group-cli regression run passing:

http://idm-artifacts.usersys.redhat.com/ipa-prod-tier1/RHEL7.9/17/ipa-group-cli/

Comment 48 Sumedh Sidhaye 2020-06-16 11:49:23 UTC
Created attachment 1697603
test automation run

test automation run junit

Comment 49 Sumedh Sidhaye 2020-06-16 12:01:39 UTC
[root@ci-vm-10-0-139-68 freeipa]# ipa-run-tests test_integration/test_sssd.py::TestNestedMembers --junit-xml=/tmp/test_sssd.xml 
============================================================== test session starts ===============================================================
platform linux -- Python 3.6.8, pytest-3.4.2, py-1.5.4, pluggy-0.6.0
rootdir: /usr/lib/python3.6/site-packages/ipatests, inifile:
plugins: sourceorder-0.5, multihost-3.0
collected 1 item                                                                                                                                 

test_integration/test_sssd.py .                                                                                                            [100%]

----------------------------------------------------- generated xml file: /tmp/test_sssd.xml -----------------------------------------------------
=========================================================== 1 passed in 428.15 seconds ===========================================================


master:
[root@ci-vm-10-0-138-47 ~]# rpm -q ipa-server ipa-server-dns sssd
ipa-server-4.6.8-4.el7.x86_64
ipa-server-dns-4.6.8-4.el7.noarch
sssd-1.16.5-10.el7.x86_64

client:
[root@ci-vm-10-0-139-166 ~]# rpm -q ipa-client sssd
ipa-client-4.6.8-4.el7.x86_64
sssd-1.16.5-10.el7.x86_64

Comment 51 errata-xmlrpc 2020-09-29 19:49:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3904

