Bug 1817380
| Summary: | Removing an IPA sub-group should NOT remove the members from indirect parent that also belong to other subgroups [rhel-7.8.z] | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | RAD team bot copy to z-stream <autobot-eus-copy> |
| Component: | sssd | Assignee: | Alexey Tikhonov <atikhono> |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.7 | CC: | atikhono, bthekkep, dchen, grajaiya, ipa-qe, jhrozek, ksiddiqu, lslebodn, mzidek, ndehadra, pbrezina, sbose, sgoveas, ssidhaye, thalman, tscherf, yoguma, yuriy.halytskyy |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | sssd-1.16.4-37.el7_8.3 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1782087 | Environment: | |
| Last Closed: | 2020-05-12 18:39:51 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1782087 | | |
| Bug Blocks: | | | |
Description
RAD team bot copy to z-stream
2020-03-26 09:09:56 UTC
* `sssd-1-16`
* 9a7c044dcd17b23127ddda25ff9cddc9c67fe4ca - memberof: keep memberOf attribute for nested member
Reproducer:
[root@master ~]# kinit admin
Password for admin:
[root@master ~]#
[root@master ~]# ipa user-add user1
First name: user
Last name: one
------------------
Added user "user1"
------------------
User login: user1
First name: user
Last name: one
Full name: user one
Display name: user one
Initials: uo
Home directory: /home/user1
GECOS: user one
Login shell: /bin/sh
Principal name: user1
Principal alias: user1
Email address: user1
UID: 1725400001
GID: 1725400001
Password: False
Member of groups: ipausers
Kerberos keys available: False
[root@master ~]# ipa group-add child1
--------------------
Added group "child1"
--------------------
Group name: child1
GID: 1725400003
[root@master ~]# ipa group-add child2
--------------------
Added group "child2"
--------------------
Group name: child2
GID: 1725400004
[root@master ~]# ipa group-add parent
--------------------
Added group "parent"
--------------------
Group name: parent
GID: 1725400005
[root@master ~]# ipa group-add-member parent --group child1
Group name: parent
GID: 1725400005
Member groups: child1
-------------------------
Number of members added 1
-------------------------
[root@master ~]# ipa group-add-member parent --group child2
Group name: parent
GID: 1725400005
Member groups: child1, child2
-------------------------
Number of members added 1
-------------------------
[root@master ~]# ipa group-add-member child1 --user user1
Group name: child1
GID: 1725400003
Member users: user1
Member of groups: parent
-------------------------
Number of members added 1
-------------------------
[root@master ~]# ipa group-add-member child2 --user user1
Group name: child2
GID: 1725400004
Member users: user1
Member of groups: parent
-------------------------
Number of members added 1
-------------------------
[root@master ~]# sss_cache -E; systemctl restart sssd
No cache object matched the specified search
[root@master ~]# id user1
uid=1725400001(user1) gid=1725400001(user1) groups=1725400001(user1),1725400005(parent),1725400004(child2),1725400003(child1)
[root@master ~]# sss_cache -E; systemctl restart sssd
[root@master ~]# getent group parent
parent:*:1725400005:user1
[root@master ~]# sss_cache -E; systemctl restart sssd
[root@master ~]# ipa user-show user1
User login: user1
First name: user
Last name: one
Home directory: /home/user1
Login shell: /bin/sh
Principal name: user1
Principal alias: user1
Email address: user1
UID: 1725400001
GID: 1725400001
Account disabled: False
Password: False
Member of groups: ipausers, child1, child2
Indirect Member of group: parent
Kerberos keys available: False
[root@master ~]# ipa group-remove-member parent --group child1
Group name: parent
GID: 1725400005
Member groups: child2
Indirect Member users: user1
---------------------------
Number of members removed 1
---------------------------
[root@master ~]# sss_cache -E; systemctl restart sssd
[root@master ~]# id user1
uid=1725400001(user1) gid=1725400001(user1) groups=1725400001(user1),1725400003(child1),1725400004(child2)
[root@master ~]# sss_cache -E; systemctl restart sssd
[root@master ~]# getent group parent
parent:*:1725400005:
[root@master ~]# sss_cache -E; systemctl restart sssd
[root@master ~]# ipa user-show user1
User login: user1
First name: user
Last name: one
Home directory: /home/user1
Login shell: /bin/sh
Principal name: user1
Principal alias: user1
Email address: user1
UID: 1725400001
GID: 1725400001
Account disabled: False
Password: False
Member of groups: ipausers, child1, child2
Indirect Member of group: parent
Kerberos keys available: False
[root@master ~]#
Verification:
master:
[root@ci-vm-10-0-136-184 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.8 (Maipo)
[root@ci-vm-10-0-136-184 ~]#
[root@ci-vm-10-0-136-184 ~]# rpm -q ipa-server sssd
ipa-server-4.6.6-11.el7.x86_64
sssd-1.16.4-37.el7_8.3.x86_64
[root@ci-vm-10-0-136-184 ~]#
client:
[root@ci-vm-10-0-137-198 ~]# rpm -q sssd ipa-client; cat /etc/redhat-release
sssd-1.16.4-37.el7_8.3.x86_64
ipa-client-4.6.6-11.el7.x86_64
Red Hat Enterprise Linux Server release 7.8 (Maipo)
[root@ci-vm-10-0-137-198 ~]#
[root@ci-vm-10-0-136-184 ~]# kinit admin
Password for admin:
[root@ci-vm-10-0-136-184 ~]# sh -x test.sh
+ ipa hbacrule-add --usercat=all --hostcat=all --servicecat=all any_to_any
----------------------------
Added HBAC rule "any_to_any"
----------------------------
Rule name: any_to_any
User category: all
Host category: all
Service category: all
Enabled: TRUE
+ ipa user-add --first=u --last=1 u1
---------------
Added user "u1"
---------------
User login: u1
First name: u
Last name: 1
Full name: u 1
Display name: u 1
Initials: u1
Home directory: /home/u1
GECOS: u 1
Login shell: /bin/sh
Principal name: u1
Principal alias: u1
Email address: u1
UID: 1946400001
GID: 1946400001
Password: False
Member of groups: ipausers
Kerberos keys available: False
+ ipa passwd u1
New Password:
Enter New Password again to verify:
----------------------------------------
Changed password for "u1"
----------------------------------------
+ ipa group-add a
---------------
Added group "a"
---------------
Group name: a
GID: 1946400003
+ ipa group-add b
---------------
Added group "b"
---------------
Group name: b
GID: 1946400004
+ ipa group-add c
---------------
Added group "c"
---------------
Group name: c
GID: 1946400005
+ ipa group-add-member --groups=a b
Group name: b
GID: 1946400004
Member groups: a
-------------------------
Number of members added 1
-------------------------
+ ipa group-add-member --groups=b c
Group name: c
GID: 1946400005
Member groups: b
Indirect Member groups: a
-------------------------
Number of members added 1
-------------------------
+ ipa group-add-member --users=u1 a
Group name: a
GID: 1946400003
Member users: u1
Member of groups: b
Indirect Member of group: c
-------------------------
Number of members added 1
-------------------------
+ ipa user-show u1
+ grep group
Member of groups: a, ipausers
Indirect Member of group: b, c
[root@ci-vm-10-0-136-184 ~]# systemctl stop sssd; find /var/lib/sss/ ! -type d -delete; systemctl restart sssd
[root@ci-vm-10-0-136-184 ~]# ipa host-find
---------------
2 hosts matched
---------------
Host name: client.testrealm.test
Principal name: host/client.testrealm.test
Principal alias: host/client.testrealm.test
SSH public key fingerprint: SHA256:m2utdyUAx6Nf/02hj3rHm7WN6HkyaTid9nUAcOYwMXM (ssh-rsa), SHA256:QqlBB6kYUi1lHH8mx6q/XHU0Li/rNmMPUXpG6slJp5Q (ecdsa-sha2-nistp256), SHA256:4b2/up76zFy7gCqJoCqZ6nImnOADdla1puOT51YKmCg (ssh-ed25519)
Host name: master.testrealm.test
Principal name: host/master.testrealm.test
Principal alias: host/master.testrealm.test
SSH public key fingerprint: SHA256:m2utdyUAx6Nf/02hj3rHm7WN6HkyaTid9nUAcOYwMXM (ssh-rsa), SHA256:QqlBB6kYUi1lHH8mx6q/XHU0Li/rNmMPUXpG6slJp5Q (ecdsa-sha2-nistp256), SHA256:4b2/up76zFy7gCqJoCqZ6nImnOADdla1puOT51YKmCg (ssh-ed25519)
----------------------------
Number of entries returned 2
----------------------------
[root@ci-vm-10-0-136-184 ~]# ssh -q u1.test groups
Password:
Could not chdir to home directory /home/u1: No such file or directory
u1 a b c
[root@ci-vm-10-0-136-184 ~]# ipa group-add-member --users=u1 b
Group name: b
GID: 1946400004
Member users: u1
Member groups: a
Member of groups: c
-------------------------
Number of members added 1
-------------------------
on client:
[root@ci-vm-10-0-137-198 ~]# ssh -q u1.test groups
Password:
u1 a b c
Could not chdir to home directory /home/u1: No such file or directory
on master:
[root@ci-vm-10-0-136-184 ~]# systemctl stop sssd; find /var/lib/sss/ ! -type d -delete; systemctl restart sssd
[root@ci-vm-10-0-136-184 ~]# ipa group-remove-member --users=u1 b
Group name: b
GID: 1946400004
Member groups: a
Member of groups: c
Indirect Member users: u1
---------------------------
Number of members removed 1
---------------------------
on client:
[root@ci-vm-10-0-137-198 ~]# ssh -q u1.test groups
Password:
Could not chdir to home directory /home/u1: No such file or directory
u1 a b c
[root@ci-vm-10-0-137-198 ~]#
[root@ci-vm-10-0-136-184 ~]# systemctl stop sssd; find /var/lib/sss/ ! -type d -delete; systemctl restart sssd
[root@ci-vm-10-0-136-184 ~]# id u1
uid=1946400001(u1) gid=1946400001(u1) groups=1946400001(u1),1946400005(c),1946400004(b),1946400003(a)
[root@ci-vm-10-0-136-184 ~]# systemctl stop sssd; find /var/lib/sss/ ! -type d -delete; systemctl restart sssd
[root@ci-vm-10-0-136-184 ~]# getent group a
a:*:1946400003:u1
[root@ci-vm-10-0-136-184 ~]# systemctl stop sssd; find /var/lib/sss/ ! -type d -delete; systemctl restart sssd
[root@ci-vm-10-0-136-184 ~]# ipa user-show u1
User login: u1
First name: u
Last name: 1
Home directory: /home/u1
Login shell: /bin/sh
Principal name: u1
Principal alias: u1
Email address: u1
UID: 1946400001
GID: 1946400001
Account disabled: False
Password: True
Member of groups: a, ipausers
Indirect Member of group: b, c
Kerberos keys available: True
[root@ci-vm-10-0-136-184 ~]#
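As an added illustration, not SSSD's code and not part of the bug report, the following Python model shows the memberOf bookkeeping the fix commit title refers to: an incremental removal that does not check for other paths drops `parent` from `user1` even though `user1` still reaches `parent` through `child2`, while recomputing from the remaining edges keeps it. Group and user names are constructed to mirror the reproducer above.

```python
# Added model of nested-group memberOf maintenance; names mirror the reproducer (constructed, not SSSD code).
from collections import defaultdict

def compute_memberof(members):
    """Full recomputation: memberOf(entry) = every group reachable upward.
    `members` maps a group to the set of its direct members (users or groups)."""
    parents = defaultdict(set)
    for group, kids in members.items():
        for kid in kids:
            parents[kid].add(group)
    memberof = {}
    for entry in set(parents) | set(members):
        seen, stack = set(), list(parents[entry])
        while stack:
            g = stack.pop()
            if g not in seen:
                seen.add(g)
                stack.extend(parents[g])
        memberof[entry] = seen
    return memberof

def remove_member_buggy(members, memberof, group, member):
    """Incremental update reproducing the bug: when `member` leaves `group`,
    strip `group` and its ancestors from `member` and everything below it
    without checking whether another path to them still exists."""
    members[group].discard(member)
    lost = {group} | memberof[group]
    stack = [member]
    while stack:
        entry = stack.pop()
        memberof[entry] -= lost
        stack.extend(members.get(entry, ()))
    return memberof

def remove_member_fixed(members, group, member):
    """Fixed behaviour: drop the edge, then recompute from the remaining edges,
    so memberships that survive via another sub-group are kept."""
    members[group].discard(member)
    return compute_memberof(members)

def reproducer():
    """user1's memberOf before, after the buggy removal, and after the fixed one."""
    edges = {"parent": {"child1", "child2"}, "child1": {"user1"}, "child2": {"user1"}}
    copy = lambda: {g: set(m) for g, m in edges.items()}  # fresh mutable copy per run
    before = compute_memberof(edges)["user1"]
    buggy = remove_member_buggy(copy(), compute_memberof(edges), "parent", "child1")["user1"]
    fixed = remove_member_fixed(copy(), "parent", "child1")["user1"]
    return before, buggy, fixed
```

The buggy result matches the `id user1` output in the reproducer after `child1` is removed from `parent`: `parent` disappears from the user's group list even though `ipa user-show` still reports it as an indirect membership.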
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2090