Bug 1817380 - Removing an IPA sub-group should NOT remove the members from indirect parent that also belong to other subgroups [rhel-7.8.z]
Summary: Removing an IPA sub-group should NOT remove the members from indirect parent ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.7
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Alexey Tikhonov
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On: 1782087
Blocks:
Reported: 2020-03-26 09:09 UTC by RAD team bot copy to z-stream
Modified: 2023-12-15 17:34 UTC

Fixed In Version: sssd-1.16.4-37.el7_8.3
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1782087
Environment:
Last Closed: 2020-05-12 18:39:51 UTC
Target Upstream Version:
Embargoed:


Links:
Red Hat Product Errata RHBA-2020:2090 (last updated 2020-05-12 18:39:54 UTC)

Description RAD team bot copy to z-stream 2020-03-26 09:09:56 UTC
This bug has been copied from bug #1782087 and has been proposed to be backported to 7.8 z-stream (EUS).

Comment 2 Alexey Tikhonov 2020-03-27 19:59:11 UTC
* `sssd-1-16`
    * 9a7c044dcd17b23127ddda25ff9cddc9c67fe4ca - memberof: keep memberOf attribute for nested member

Comment 5 Sumedh Sidhaye 2020-05-04 07:13:02 UTC
Reproducer:

[root@master ~]# kinit admin
Password for admin: 
[root@master ~]# 
[root@master ~]# ipa user-add user1
First name: user
Last name: one
------------------
Added user "user1"
------------------
  User login: user1
  First name: user
  Last name: one
  Full name: user one
  Display name: user one
  Initials: uo
  Home directory: /home/user1
  GECOS: user one
  Login shell: /bin/sh
  Principal name: user1
  Principal alias: user1
  Email address: user1
  UID: 1725400001
  GID: 1725400001
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@master ~]#    ipa group-add child1
--------------------
Added group "child1"
--------------------
  Group name: child1
  GID: 1725400003
[root@master ~]#    ipa group-add child2
--------------------
Added group "child2"
--------------------
  Group name: child2
  GID: 1725400004
[root@master ~]#    ipa group-add parent
--------------------
Added group "parent"
--------------------
  Group name: parent
  GID: 1725400005
[root@master ~]#    ipa group-add-member parent --group child1
  Group name: parent
  GID: 1725400005
  Member groups: child1
-------------------------
Number of members added 1
-------------------------
[root@master ~]# ipa group-add-member parent --group child2
  Group name: parent
  GID: 1725400005
  Member groups: child1, child2
-------------------------
Number of members added 1
-------------------------
[root@master ~]#    ipa group-add-member child1 --user user1
  Group name: child1
  GID: 1725400003
  Member users: user1
  Member of groups: parent
-------------------------
Number of members added 1
-------------------------
[root@master ~]#    ipa group-add-member child2 --user user1
  Group name: child2
  GID: 1725400004
  Member users: user1
  Member of groups: parent
-------------------------
Number of members added 1
-------------------------
[root@master ~]# sss_cache -E; systemctl restart sssd
No cache object matched the specified search
[root@master ~]# id user1
uid=1725400001(user1) gid=1725400001(user1) groups=1725400001(user1),1725400005(parent),1725400004(child2),1725400003(child1)
[root@master ~]# sss_cache -E; systemctl restart sssd
[root@master ~]# getent group parent
parent:*:1725400005:user1
[root@master ~]# sss_cache -E; systemctl restart sssd
[root@master ~]# ipa user-show user1
  User login: user1
  First name: user
  Last name: one
  Home directory: /home/user1
  Login shell: /bin/sh
  Principal name: user1
  Principal alias: user1
  Email address: user1
  UID: 1725400001
  GID: 1725400001
  Account disabled: False
  Password: False
  Member of groups: ipausers, child1, child2
  Indirect Member of group: parent
  Kerberos keys available: False
[root@master ~]# ipa group-remove-member parent --group child1
  Group name: parent
  GID: 1725400005
  Member groups: child2
  Indirect Member users: user1
---------------------------
Number of members removed 1
---------------------------
[root@master ~]# sss_cache -E; systemctl restart sssd
[root@master ~]# id user1
uid=1725400001(user1) gid=1725400001(user1) groups=1725400001(user1),1725400003(child1),1725400004(child2)
[root@master ~]# sss_cache -E; systemctl restart sssd
[root@master ~]# getent group parent
parent:*:1725400005:
[root@master ~]# sss_cache -E; systemctl restart sssd
[root@master ~]# ipa user-show user1
  User login: user1
  First name: user
  Last name: one
  Home directory: /home/user1
  Login shell: /bin/sh
  Principal name: user1
  Principal alias: user1
  Email address: user1
  UID: 1725400001
  GID: 1725400001
  Account disabled: False
  Password: False
  Member of groups: ipausers, child1, child2
  Indirect Member of group: parent
  Kerberos keys available: False
[root@master ~]# 


Verification:


master:

[root@ci-vm-10-0-136-184 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.8 (Maipo)
[root@ci-vm-10-0-136-184 ~]# 

[root@ci-vm-10-0-136-184 ~]# rpm -q ipa-server sssd
ipa-server-4.6.6-11.el7.x86_64
sssd-1.16.4-37.el7_8.3.x86_64
[root@ci-vm-10-0-136-184 ~]# 


client:

[root@ci-vm-10-0-137-198 ~]# rpm -q sssd ipa-client; cat /etc/redhat-release 
sssd-1.16.4-37.el7_8.3.x86_64
ipa-client-4.6.6-11.el7.x86_64
Red Hat Enterprise Linux Server release 7.8 (Maipo)
[root@ci-vm-10-0-137-198 ~]# 



[root@ci-vm-10-0-136-184 ~]# kinit admin
Password for admin: 
[root@ci-vm-10-0-136-184 ~]# sh -x test.sh 
+ ipa hbacrule-add --usercat=all --hostcat=all --servicecat=all any_to_any
----------------------------
Added HBAC rule "any_to_any"
----------------------------
  Rule name: any_to_any
  User category: all
  Host category: all
  Service category: all
  Enabled: TRUE
+ ipa user-add --first=u --last=1 u1
---------------
Added user "u1"
---------------
  User login: u1
  First name: u
  Last name: 1
  Full name: u 1
  Display name: u 1
  Initials: u1
  Home directory: /home/u1
  GECOS: u 1
  Login shell: /bin/sh
  Principal name: u1
  Principal alias: u1
  Email address: u1
  UID: 1946400001
  GID: 1946400001
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
+ ipa passwd u1
New Password: 
Enter New Password again to verify: 
----------------------------------------
Changed password for "u1"
----------------------------------------
+ ipa group-add a
---------------
Added group "a"
---------------
  Group name: a
  GID: 1946400003
+ ipa group-add b
---------------
Added group "b"
---------------
  Group name: b
  GID: 1946400004
+ ipa group-add c
---------------
Added group "c"
---------------
  Group name: c
  GID: 1946400005
+ ipa group-add-member --groups=a b
  Group name: b
  GID: 1946400004
  Member groups: a
-------------------------
Number of members added 1
-------------------------
+ ipa group-add-member --groups=b c
  Group name: c
  GID: 1946400005
  Member groups: b
  Indirect Member groups: a
-------------------------
Number of members added 1
-------------------------
+ ipa group-add-member --users=u1 a
  Group name: a
  GID: 1946400003
  Member users: u1
  Member of groups: b
  Indirect Member of group: c
-------------------------
Number of members added 1
-------------------------
+ ipa user-show u1
+ grep group
  Member of groups: a, ipausers
  Indirect Member of group: b, c
[root@ci-vm-10-0-136-184 ~]# systemctl stop sssd; find /var/lib/sss/ ! -type d -delete; systemctl restart sssd
[root@ci-vm-10-0-136-184 ~]# ipa host-find
---------------
2 hosts matched
---------------
  Host name: client.testrealm.test
  Principal name: host/client.testrealm.test
  Principal alias: host/client.testrealm.test
  SSH public key fingerprint: SHA256:m2utdyUAx6Nf/02hj3rHm7WN6HkyaTid9nUAcOYwMXM (ssh-rsa), SHA256:QqlBB6kYUi1lHH8mx6q/XHU0Li/rNmMPUXpG6slJp5Q
                              (ecdsa-sha2-nistp256), SHA256:4b2/up76zFy7gCqJoCqZ6nImnOADdla1puOT51YKmCg (ssh-ed25519)

  Host name: master.testrealm.test
  Principal name: host/master.testrealm.test
  Principal alias: host/master.testrealm.test
  SSH public key fingerprint: SHA256:m2utdyUAx6Nf/02hj3rHm7WN6HkyaTid9nUAcOYwMXM (ssh-rsa), SHA256:QqlBB6kYUi1lHH8mx6q/XHU0Li/rNmMPUXpG6slJp5Q
                              (ecdsa-sha2-nistp256), SHA256:4b2/up76zFy7gCqJoCqZ6nImnOADdla1puOT51YKmCg (ssh-ed25519)
----------------------------
Number of entries returned 2
----------------------------


[root@ci-vm-10-0-136-184 ~]# ssh -q u1.test groups
Password: 
Could not chdir to home directory /home/u1: No such file or directory
u1 a b c


[root@ci-vm-10-0-136-184 ~]# ipa group-add-member --users=u1 b
  Group name: b
  GID: 1946400004
  Member users: u1
  Member groups: a
  Member of groups: c
-------------------------
Number of members added 1
-------------------------


on client:

[root@ci-vm-10-0-137-198 ~]# ssh -q u1.test groups
Password: 
u1 a b c
Could not chdir to home directory /home/u1: No such file or directory


on master:
[root@ci-vm-10-0-136-184 ~]# systemctl stop sssd; find /var/lib/sss/ ! -type d -delete; systemctl restart sssd
[root@ci-vm-10-0-136-184 ~]#  ipa group-remove-member --users=u1 b
  Group name: b
  GID: 1946400004
  Member groups: a
  Member of groups: c
  Indirect Member users: u1
---------------------------
Number of members removed 1
---------------------------



on client:

[root@ci-vm-10-0-137-198 ~]# ssh -q u1.test groups
Password: 
Could not chdir to home directory /home/u1: No such file or directory
u1 a b c
[root@ci-vm-10-0-137-198 ~]# 




[root@ci-vm-10-0-136-184 ~]# systemctl stop sssd; find /var/lib/sss/ ! -type d -delete; systemctl restart sssd
[root@ci-vm-10-0-136-184 ~]# id u1
uid=1946400001(u1) gid=1946400001(u1) groups=1946400001(u1),1946400005(c),1946400004(b),1946400003(a)               
[root@ci-vm-10-0-136-184 ~]# systemctl stop sssd; find /var/lib/sss/ ! -type d -delete; systemctl restart sssd
[root@ci-vm-10-0-136-184 ~]# getent group a
a:*:1946400003:u1                                                       
[root@ci-vm-10-0-136-184 ~]# systemctl stop sssd; find /var/lib/sss/ ! -type d -delete; systemctl restart sssd
[root@ci-vm-10-0-136-184 ~]# ipa user-show u1
  User login: u1
  First name: u
  Last name: 1
  Home directory: /home/u1
  Login shell: /bin/sh
  Principal name: u1
  Principal alias: u1
  Email address: u1
  UID: 1946400001
  GID: 1946400001
  Account disabled: False
  Password: True
  Member of groups: a, ipausers      
  Indirect Member of group: b, c
  Kerberos keys available: True
[root@ci-vm-10-0-136-184 ~]#
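
An added Python model of the bookkeeping this bug is about; it is not SSSD's memberof code. It keeps a cached transitive memberOf per entry and contrasts a naive removal, which strips the removed group and its ancestors from everything under the removed member (reproducing the `id user1` output above), with a removal that recomputes memberOf from the surviving links. The group names and links are constructed from the reproducer and verification sessions above; everything else is assumed.

```python
from collections import defaultdict

def closure(start, step):
    """All nodes reachable from start via step(), excluding start itself."""
    seen, todo = set(), list(step(start))
    while todo:
        x = todo.pop()
        if x in seen: continue
        seen.add(x); todo.extend(step(x))
    return seen
class Directory:
    def __init__(self):
        self.members = defaultdict(set)   # group -> direct members (users/groups)
        self.memberof = defaultdict(set)  # entry -> cached transitive memberOf
    def parents_of(self, entry):
        return {g for g, ms in self.members.items() if entry in ms}
    def below(self, entry):  # entry plus everything nested under it
        return {entry} | closure(entry, lambda g: self.members.get(g, ()))
    def add_member(self, group, member):  # additions never need a path check
        self.members[group].add(member)
        gained = {group} | closure(group, self.parents_of)
        for e in self.below(member):
            self.memberof[e] |= gained
    def remove_member_naive(self, group, member):
        # Buggy bookkeeping: strip group and its ancestors from everything
        # below member without asking whether another path still leads there.
        self.members[group].discard(member)
        lost = {group} | closure(group, self.parents_of)
        for e in self.below(member):
            self.memberof[e] -= lost
    def remove_member_fixed(self, group, member):
        # Correct bookkeeping: recompute memberOf of each affected entry from
        # the surviving links, so membership via a sibling group survives.
        self.members[group].discard(member)
        for e in self.below(member):
            self.memberof[e] = closure(e, self.parents_of)

# Constructed (group, member) links: the reproducer and the verification run.
REPRODUCER = [("parent", "child1"), ("parent", "child2"),
              ("child1", "user1"), ("child2", "user1")]
VERIFICATION = [("b", "a"), ("c", "b"), ("a", "u1"), ("b", "u1")]

def compare(links, group, member, entry):
    """memberOf of entry after removing member from group: (naive, fixed)."""
    naive, fixed = Directory(), Directory()
    for g, m in links:
        naive.add_member(g, m); fixed.add_member(g, m)
    naive.remove_member_naive(group, member)
    fixed.remove_member_fixed(group, member)
    return sorted(naive.memberof[entry]), sorted(fixed.memberof[entry])
```

`compare(REPRODUCER, "parent", "child1", "user1")` gives `['child1', 'child2']` for the naive path, matching the `id user1` output in the reproducer, and `['child1', 'child2', 'parent']` for the fixed one.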

Comment 7 errata-xmlrpc 2020-05-12 18:39:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2090

