Bug 1817376
| Summary: | Removing an IPA sub-group should NOT remove the members from indirect parent that also belong to other subgroups [rhel-7.5.z] | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | RAD team bot copy to z-stream <autobot-eus-copy> |
| Component: | sssd | Assignee: | Alexey Tikhonov <atikhono> |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.7 | CC: | atikhono, bthekkep, dchen, grajaiya, ipa-qe, jhrozek, ksiddiqu, lslebodn, mzidek, ndehadra, pbrezina, sbose, sgoveas, ssidhaye, thalman, tscherf, yoguma, yuriy.halytskyy |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | sssd-1.16.0-19.el7_5.9 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1782087 | Environment: | |
| Last Closed: | 2020-04-01 01:59:39 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1782087 | ||
| Bug Blocks: | |||
Description
RAD team bot copy to z-stream
2020-03-26 09:08:16 UTC
* `sssd-1-16`
* 9a7c044dcd17b23127ddda25ff9cddc9c67fe4ca - memberof: keep memberOf attribute for nested member
Reproducer:
On Server:
[root@ci-vm-10-0-139-88 test]# rpm -q ipa-server sssd; cat /etc/redhat-release
ipa-server-4.5.0-20.el7.x86_64
sssd-1.15.2-50.el7.x86_64
Red Hat Enterprise Linux Server release 7.4 (Maipo)
[root@ci-vm-10-0-139-88 test]#
Client:
[root@ci-vm-10-0-139-54 test]# rpm -q ipa-server sssd; cat /etc/redhat-release
package ipa-server is not installed
sssd-1.15.2-50.el7.x86_64
Red Hat Enterprise Linux Server release 7.4 (Maipo)
[root@ci-vm-10-0-139-54 test]#
On master:
[root@ci-vm-10-0-139-88 test]# kinit admin
Password for admin:
[root@ci-vm-10-0-139-88 test]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin
Valid starting Expires Service principal
2020-03-30T07:04:37 2020-03-31T07:04:34 krbtgt/TESTREALM.TEST
[root@ci-vm-10-0-139-88 test]# ipa host-find
---------------
2 hosts matched
---------------
Host name: client.testrealm.test
Principal name: host/client.testrealm.test
Principal alias: host/client.testrealm.test
SSH public key fingerprint: SHA256:GC8yztjxRmCWV9w+PY62tgFBT6/mWsrPlxm2ZsFOzXE (ssh-rsa), SHA256:76FAqi087orDgFi+lcxMQIsI6QAxkfjs9wRBcbGzsZ8
(ecdsa-sha2-nistp256), SHA256:KDTHLPnkdu4stBXzW7GoHypgWOmK+eRpgPkoIWXnBQs (ssh-ed25519)
Host name: master.testrealm.test
Principal name: host/master.testrealm.test
Principal alias: host/master.testrealm.test
SSH public key fingerprint: SHA256:GC8yztjxRmCWV9w+PY62tgFBT6/mWsrPlxm2ZsFOzXE (ssh-rsa), SHA256:76FAqi087orDgFi+lcxMQIsI6QAxkfjs9wRBcbGzsZ8
(ecdsa-sha2-nistp256), SHA256:KDTHLPnkdu4stBXzW7GoHypgWOmK+eRpgPkoIWXnBQs (ssh-ed25519)
----------------------------
Number of entries returned 2
----------------------------
[root@ci-vm-10-0-139-88 test]# ipa hbacrule-add --usercat=all --hostcat=all --servicecat=all any_to_any
----------------------------
Added HBAC rule "any_to_any"
----------------------------
Rule name: any_to_any
User category: all
Host category: all
Service category: all
Enabled: TRUE
[root@ci-vm-10-0-139-88 test]# ipa user-add --first=u --last=1 u1
---------------
Added user "u1"
---------------
User login: u1
First name: u
Last name: 1
Full name: u 1
Display name: u 1
Initials: u1
Home directory: /home/u1
GECOS: u 1
Login shell: /bin/sh
Principal name: u1
Principal alias: u1
Email address: u1
UID: 503400001
GID: 503400001
Password: False
Member of groups: ipausers
Kerberos keys available: False
[root@ci-vm-10-0-139-88 test]# ipa passwd u1
New Password:
Enter New Password again to verify:
** Passwords do not match! **
New Password:
Enter New Password again to verify:
----------------------------------------
Changed password for "u1"
----------------------------------------
[root@ci-vm-10-0-139-88 test]# ipa group-add a
---------------
Added group "a"
---------------
Group name: a
GID: 503400003
[root@ci-vm-10-0-139-88 test]# ipa group-add b
---------------
Added group "b"
---------------
Group name: b
GID: 503400004
[root@ci-vm-10-0-139-88 test]# ipa group-add c
---------------
Added group "c"
---------------
Group name: c
GID: 503400005
[root@ci-vm-10-0-139-88 test]# ipa group-add-member --groups=a b
Group name: b
GID: 503400004
Member groups: a
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-139-88 test]# ipa group-add-member --groups=b c
Group name: c
GID: 503400005
Member groups: b
Indirect Member groups: a
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-139-88 test]# $ ipa group-add-member --users=u1 a
bash: $: command not found
[root@ci-vm-10-0-139-88 test]# ipa group-add-member --users=u1 a
Group name: a
GID: 503400003
Member users: u1
Member of groups: b
Indirect Member of group: c
-------------------------
Number of members added 1
-------------------------
[root@ci-vm-10-0-139-88 test]# ipa user-show u1 | grep group
Member of groups: a, ipausers
Indirect Member of group: b, c
[root@ci-vm-10-0-139-88 test]# service sssd stop
Redirecting to /bin/systemctl stop sssd.service
[root@ci-vm-10-0-139-88 test]# find /var/lib/sss/ ! -type d -delete
[root@ci-vm-10-0-139-88 test]# service sssd start
Redirecting to /bin/systemctl start sssd.service
[root@ci-vm-10-0-139-88 test]# ssh -q u1.test groups
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
Sorry, passwords do not match.
New password:
Retype new password:
Could not chdir to home directory /home/u1: No such file or directory
u1 a b c
[root@ci-vm-10-0-139-88 test]# ipa group-add-member --users=u1 b
Group name: b
GID: 503400004
Member users: u1
Member groups: a
Member of groups: c
-------------------------
Number of members added 1
-------------------------
On Client:
[root@ci-vm-10-0-139-54 test]# ssh -q u1.test groups
Password:
u1 a b c
Could not chdir to home directory /home/u1: No such file or directory
On Master:
[root@ci-vm-10-0-139-88 test]# ipa group-remove-member --users=u1 b
Group name: b
GID: 503400004
Member groups: a
Member of groups: c
Indirect Member users: u1
---------------------------
Number of members removed 1
---------------------------
[root@ci-vm-10-0-139-88 test]# sss_cache -E; systemctl restart sssd
[root@ci-vm-10-0-139-88 test]# systectl status sssd
bash: systectl: command not found
[root@ci-vm-10-0-139-88 test]# systemctl status sssd
● sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/sssd.service.d
└─journal.conf
Active: active (running) since Mon 2020-03-30 07:09:40 EDT; 10s ago
Main PID: 15398 (sssd)
CGroup: /system.slice/sssd.service
├─15398 /usr/sbin/sssd -i -f
├─15399 /usr/libexec/sssd/sssd_be --domain testrealm.test --uid 0 --gid 0 --debug-to-files
├─15400 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --debug-to-files
├─15401 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
├─15402 /usr/libexec/sssd/sssd_ifp --uid 0 --gid 0 --debug-to-files
├─15403 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
├─15404 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files
└─15405 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files
Mar 30 07:09:40 master.testrealm.test sssd[pam][15403]: Starting up
Mar 30 07:09:40 master.testrealm.test sssd[nss][15401]: Starting up
Mar 30 07:09:40 master.testrealm.test sssd[ssh][15404]: Starting up
Mar 30 07:09:40 master.testrealm.test sssd[pac][15405]: Starting up
Mar 30 07:09:40 master.testrealm.test sssd[sudo][15400]: Starting up
Mar 30 07:09:40 master.testrealm.test sssd_be[15399]: GSSAPI client step 1
Mar 30 07:09:40 master.testrealm.test sssd_be[15399]: GSSAPI client step 1
Mar 30 07:09:40 master.testrealm.test sssd_be[15399]: GSSAPI client step 1
Mar 30 07:09:40 master.testrealm.test systemd[1]: Started System Security Services Daemon.
Mar 30 07:09:40 master.testrealm.test sssd_be[15399]: GSSAPI client step 2
[root@ci-vm-10-0-139-88 test]#
On Client:
[root@ci-vm-10-0-139-54 test]# ssh -q u1.test groups
Password:
Could not chdir to home directory /home/u1: No such file or directory
u1 a c
[root@ci-vm-10-0-139-54 test]#
Group b is not present
Verification:
On master:
[root@master ~]# rpm -q ipa-server sssd
ipa-server-4.5.4-10.el7.x86_64
sssd-1.16.0-19.el7_5.9.x86_64
[root@master ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.5 (Maipo)
[root@master ~]#
[root@master ~]# ipa hbacrule-add --usercat=all --hostcat=all --servicecat=all any_to_any
----------------------------
Added HBAC rule "any_to_any"
----------------------------
Rule name: any_to_any
User category: all
Host category: all
Service category: all
Enabled: TRUE
[root@master ~]# ipa user-add --first=u --last=1 u1
---------------
Added user "u1"
---------------
User login: u1
First name: u
Last name: 1
Full name: u 1
Display name: u 1
Initials: u1
Home directory: /home/u1
GECOS: u 1
Login shell: /bin/sh
Principal name: u1
Principal alias: u1
Email address: u1
UID: 1315800001
GID: 1315800001
Password: False
Member of groups: ipausers
Kerberos keys available: False
[root@master ~]# ipa passwd u1
New Password:
Enter New Password again to verify:
----------------------------------------
Changed password for "u1"
----------------------------------------
[root@master ~]# ipa group-add a
---------------
Added group "a"
---------------
Group name: a
GID: 1315800003
[root@master ~]# ipa group-add b
---------------
Added group "b"
---------------
Group name: b
GID: 1315800004
[root@master ~]# ipa group-add c
---------------
Added group "c"
---------------
Group name: c
GID: 1315800005
[root@master ~]# ipa group-add-member --groups=a b
Group name: b
GID: 1315800004
Member groups: a
-------------------------
Number of members added 1
-------------------------
[root@master ~]# ipa group-add-member --groups=b c
Group name: c
GID: 1315800005
Member groups: b
Indirect Member groups: a
-------------------------
Number of members added 1
-------------------------
[root@master ~]# ipa group-add-member --users=u1 a
Group name: a
GID: 1315800003
Member users: u1
Member of groups: b
Indirect Member of group: c
-------------------------
Number of members added 1
-------------------------
[root@master ~]# ipa user-show u1 | grep group
Member of groups: a, ipausers
Indirect Member of group: b, c
[root@master ~]# find /var/lib/sss/ ! -type d -delete
[root@master ~]# service sssd start
Redirecting to /bin/systemctl start sssd.service
[root@master ~]# systemctl status sssd
● sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2020-03-30 15:14:43 IST; 5s ago
Main PID: 4927 (sssd)
CGroup: /system.slice/sssd.service
├─4927 /usr/sbin/sssd -i --logger=files
├─4928 /usr/libexec/sssd/sssd_be --domain testrealm.test --uid 0 --gid 0 --logger=files
├─4929 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --logger=files
├─4930 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
├─4931 /usr/libexec/sssd/sssd_ifp --uid 0 --gid 0 --logger=files
├─4932 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
├─4933 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --logger=files
└─4934 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --logger=files
Mar 30 15:14:43 master.testrealm.test sssd[sudo][4929]: Starting up
Mar 30 15:14:43 master.testrealm.test sssd[ifp][4931]: Starting up
Mar 30 15:14:43 master.testrealm.test sssd[ssh][4933]: Starting up
Mar 30 15:14:43 master.testrealm.test sssd[pam][4932]: Starting up
Mar 30 15:14:43 master.testrealm.test sssd[pac][4934]: Starting up
Mar 30 15:14:43 master.testrealm.test sssd_be[4928]: GSSAPI client step 1
Mar 30 15:14:43 master.testrealm.test sssd_be[4928]: GSSAPI client step 1
Mar 30 15:14:43 master.testrealm.test sssd_be[4928]: GSSAPI client step 1
Mar 30 15:14:43 master.testrealm.test sssd_be[4928]: GSSAPI client step 2
Mar 30 15:14:43 master.testrealm.test systemd[1]: Started System Security Services Daemon.
[root@master ~]# ssh -q u1.test groups
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
Could not chdir to home directory /home/u1: No such file or directory
u1 a b c
[root@master ~]# ipa group-add-member --users=u1 b
Group name: b
GID: 1315800004
Member users: u1
Member groups: a
Member of groups: c
-------------------------
Number of members added 1
-------------------------
On Client:
[root@gizmo ~]# rpm -q ipa-server sssd; cat /etc/redhat-release
ipa-server-4.5.4-10.el7.x86_64
sssd-1.16.0-19.el7_5.9.x86_64
Red Hat Enterprise Linux Server release 7.5 (Maipo)
[root@gizmo ~]#
[root@gizmo ~]# ssh -q u1.test groups
Password:
Could not chdir to home directory /home/u1: No such file or directory
u1 a b c
On Server
[root@master ~]# ipa group-remove-member --users=u1 b
Group name: b
GID: 1315800004
Member groups: a
Member of groups: c
Indirect Member users: u1
---------------------------
Number of members removed 1
---------------------------
[root@master ~]# sss_cache -E
[root@master ~]# systemctl restart sssd
On Client:
[root@gizmo ~]# ssh -q u1.test groups
Password:
Could not chdir to home directory /home/u1: No such file or directory
u1 a b c
Group b is present
Tested scenario mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1782087#c0
[root@master ~]# rpm -q ipa-server sssd
ipa-server-4.5.4-10.el7.x86_64
sssd-1.16.0-19.el7_5.9.x86_64
[root@master ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.5 (Maipo)
[root@master ~]#
[root@master ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin
Valid starting Expires Service principal
2020-03-30T15:15:50 2020-03-31T14:59:46 host/client.testrealm.test
2020-03-30T15:03:12 2020-03-31T14:59:46 HTTP/master.testrealm.test
2020-03-30T14:59:48 2020-03-31T14:59:46 krbtgt/TESTREALM.TEST
[root@master ~]# ipa user-find
---------------
2 users matched
---------------
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
Principal alias: admin
UID: 1315800000
GID: 1315800000
Account disabled: False
User login: u1
First name: u
Last name: 1
Home directory: /home/u1
Login shell: /bin/sh
Principal name: u1
Principal alias: u1
Email address: u1
UID: 1315800001
GID: 1315800001
Account disabled: False
----------------------------
Number of entries returned 2
----------------------------
[root@master ~]# ipa user-add user1
[root@master ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin
Valid starting Expires Service principal
2020-03-30T15:15:50 2020-03-31T14:59:46 host/client.testrealm.test
2020-03-30T15:03:12 2020-03-31T14:59:46 HTTP/master.testrealm.test
2020-03-30T14:59:48 2020-03-31T14:59:46 krbtgt/TESTREALM.TEST
[root@master ~]# ipa user-add user1
First name: user
Last name: 1
------------------
Added user "user1"
------------------
User login: user1
First name: user
Last name: 1
Full name: user 1
Display name: user 1
Initials: u1
Home directory: /home/user1
GECOS: user 1
Login shell: /bin/sh
Principal name: user1
Principal alias: user1
Email address: user1
UID: 1315800006
GID: 1315800006
Password: False
Member of groups: ipausers
Kerberos keys available: False
[root@master ~]# ipa group-add child1
--------------------
Added group "child1"
--------------------
Group name: child1
GID: 1315800007
[root@master ~]# ipa group-add child2
--------------------
Added group "child2"
--------------------
Group name: child2
GID: 1315800008
[root@master ~]# ipa group-add parent
--------------------
Added group "parent"
--------------------
Group name: parent
GID: 1315800009
[root@master ~]# ipa group-add-member parent --group child1
Group name: parent
GID: 1315800009
Member groups: child1
-------------------------
Number of members added 1
-------------------------
[root@master ~]# ipa group-add-member parent --group child2
Group name: parent
GID: 1315800009
Member groups: child1, child2
-------------------------
Number of members added 1
-------------------------
[root@master ~]# ipa group-add-member child1 --user user1
Group name: child1
GID: 1315800007
Member users: user1
Member of groups: parent
-------------------------
Number of members added 1
-------------------------
[root@master ~]# ipa group-add-member child2 --user user1
Group name: child2
GID: 1315800008
Member users: user1
Member of groups: parent
-------------------------
Number of members added 1
-------------------------
[root@master ~]# sss_cache -E
[root@master ~]# id user1
uid=1315800006(user1) gid=1315800006(user1) groups=1315800006(user1),1315800009(parent),1315800008(child2),1315800007(child1)
[root@master ~]# sss_cache -E
[root@master ~]# getent group parent
parent:*:1315800009:user1
[root@master ~]# sss_cache -E
[root@master ~]# ipa user-show user1
User login: user1
First name: user
Last name: 1
Home directory: /home/user1
Login shell: /bin/sh
Principal name: user1
Principal alias: user1
Email address: user1
UID: 1315800006
GID: 1315800006
Account disabled: False
Password: False
Member of groups: ipausers, child1, child2
Indirect Member of group: parent
Kerberos keys available: False
[root@master ~]# ipa group-remove-member parent --group child1
Group name: parent
GID: 1315800009
Member groups: child2
Indirect Member users: user1
---------------------------
Number of members removed 1
---------------------------
[root@master ~]# sss_cache -E
[root@master ~]# id user1
uid=1315800006(user1) gid=1315800006(user1) groups=1315800006(user1),1315800007(child1),1315800008(child2),1315800009(parent) <--------------- parent present
[root@master ~]# sss_cache -E
[root@master ~]# getent group parent
parent:*:1315800009:user1 <------------------------------------ user1 present
[root@master ~]# sss_cache -E
[root@master ~]# ipa user-show user1
User login: user1
First name: user
Last name: 1
Home directory: /home/user1
Login shell: /bin/sh
Principal name: user1
Principal alias: user1
Email address: user1
UID: 1315800006
GID: 1315800006
Account disabled: False
Password: False
Member of groups: ipausers, child1, child2
Indirect Member of group: parent <---------------------------- parent present
Kerberos keys available: False
[root@master ~]#
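As an added illustration (not SSSD's own code), the following Python model replays the two scenarios above: the correct result is the transitive closure over the remaining direct membership links, while the pre-fix symptom is reproduced by dropping the removed group from cached memberOf values without checking whether another path still leads there. The `GroupGraph` class and `buggy_remove` are a simplified model of the symptom, not of sssd's sysdb internals.

```python
from collections import defaultdict


class GroupGraph:
    """Direct membership links only; group membership is derived on demand."""

    def __init__(self):
        self.direct = defaultdict(set)  # entry -> groups it is a direct member of

    def add(self, member, group):
        self.direct[member].add(group)

    def remove(self, member, group):
        self.direct[member].discard(group)

    def members_of(self, group):
        """Entries (users or groups) listing `group` as a direct parent."""
        return {e for e, gs in self.direct.items() if group in gs}

    def nested_members(self, group):
        """All entries reachable downward from `group` (cycle-safe walk)."""
        seen, stack = set(), [group]
        while stack:
            for m in self.members_of(stack.pop()):
                if m not in seen:
                    seen.add(m)
                    stack.append(m)
        return seen

    def groups_of(self, entry):
        """Correct (post-fix) resolution: closure over the remaining direct links."""
        seen, stack = set(), list(self.direct[entry])
        while stack:
            g = stack.pop()
            if g not in seen:
                seen.add(g)
                stack.extend(self.direct[g])
        return seen


def buggy_remove(graph, cache, member, group):
    """Model of the pre-fix symptom (assumption, not sssd code): drop `group` from the
    cached memberOf of `member` and of every nested member, with no path re-check."""
    graph.remove(member, group)
    for e in {member} | graph.nested_members(member):
        if e in cache:
            cache[e].discard(group)


def scenario_chain():
    """Reproducer from the description: u1 in a and b, a in b, b in c; remove u1 from b."""
    g = GroupGraph()
    for m, grp in (("a", "b"), ("b", "c"), ("u1", "a"), ("u1", "b")):
        g.add(m, grp)
    cache = {e: g.groups_of(e) for e in ("u1", "a", "b")}
    buggy_remove(g, cache, "u1", "b")
    return sorted(cache["u1"]), sorted(g.groups_of("u1"))  # (buggy, correct)


def scenario_parent():
    """Verification scenario: user1 in child1 and child2, both in parent; remove child1."""
    g = GroupGraph()
    for m, grp in (("child1", "parent"), ("child2", "parent"),
                   ("user1", "child1"), ("user1", "child2")):
        g.add(m, grp)
    cache = {e: g.groups_of(e) for e in ("user1", "child1", "child2")}
    buggy_remove(g, cache, "child1", "parent")
    return sorted(cache["user1"]), sorted(g.groups_of("user1"))  # (buggy, correct)
```

The first element of each result is the stale cached view ("u1 a c" and user1 without parent, as in the bug), the second is what the fixed resolution returns ("u1 a b c" and parent still present).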
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:1254