
Bug 1837090

Summary: SSSD fails nss_getby_name for IPA user with SID if the user has user private group
Product: Red Hat Enterprise Linux 8
Component: sssd
Version: 8.3
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Reporter: Alexander Bokovoy <abokovoy>
Assignee: Sumit Bose <sbose>
QA Contact: Jakub Vavra <jvavra>
CC: atikhono, dlavu, grajaiya, jhrozek, lslebodn, mzidek, pbrezina, sbose, tscherf
Target Milestone: rc
Keywords: Triaged
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Whiteboard: sync-to-jira
Fixed In Version: sssd-2.5.1-1.el8
Last Closed: 2021-11-09 19:46:34 UTC
Type: Bug

Description Alexander Bokovoy 2020-05-18 19:31:53 UTC
In an IPA domain, with trust support enabled, SSSD fails to retrieve an IPA user's SID if there is a user private group associated with the user (default IPA setup):

[root@master ~]# ipa user-add some-user
First name: Some
Last name: User
----------------------
Added user "some-user"
----------------------
  User login: some-user
  First name: Some
  Last name: User
  Full name: Some User
  Display name: Some User
  Initials: SU
  Home directory: /home/some-user
  GECOS: Some User
  Login shell: /bin/sh
  Principal name: some-user
  Principal alias: some-user
  Email address: some-user
  UID: 1908200011
  GID: 1908200011
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@master ~]# id IPA\\some-user
uid=1908200011(some-user) gid=1908200011(some-user) groups=1908200011(some-user)

The use case here is that an application performs a getsidbyname lookup against the SSSD API:

[root@master ~]# python
Python 3.8.2 (default, Feb 28 2020, 00:00:00) 
[GCC 10.0.1 20200216 (Red Hat 10.0.1-0.8)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pysss_nss_idmap
>>> pysss_nss_idmap.getsidbyname('IPA\\admin')
{'IPA\\admin': {'sid': 'S-1-5-21-3787809381-104084847-3373960542-500', 'type': 1}}
>>> pysss_nss_idmap.getsidbyname('IPA\\some-user')
{}
>>> pysss_nss_idmap.getsidbyname('IPA\\some-user')
{}
>>> 

We can see in the sssd_nss.log that it stumbled upon a UPG without SID:

(Mon May 18 19:18:47 2020) [sssd[nss]] [get_client_cred] (0x4000): Client [0x55bd9dc69480][27] creds: euid[0] egid[0] pid[274415] cmd_line['python'].
(Mon May 18 19:18:47 2020) [sssd[nss]] [setup_client_idle_timer] (0x4000): Idle timer re-set for client [0x55bd9dc69480][27]
(Mon May 18 19:18:47 2020) [sssd[nss]] [accept_fd_handler] (0x0400): Client [0x55bd9dc69480][27] connected!
(Mon May 18 19:18:47 2020) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Mon May 18 19:18:47 2020) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Mon May 18 19:18:47 2020) [sssd[nss]] [nss_getby_name] (0x0400): Input name: IPA\some-user
(Mon May 18 19:18:47 2020) [sssd[nss]] [cache_req_set_plugin] (0x2000): CR #122: Setting "Object by name" plugin
(Mon May 18 19:18:47 2020) [sssd[nss]] [cache_req_send] (0x0400): CR #122: New request 'Object by name'
(Mon May 18 19:18:47 2020) [sssd[nss]] [cache_req_process_input] (0x0400): CR #122: Parsing input name [IPA\some-user]
(Mon May 18 19:18:47 2020) [sssd[nss]] [sss_domain_get_state] (0x1000): Domain ipa.test is Active
(Mon May 18 19:18:47 2020) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'IPA\some-user' matched expression for domain 'ipa.test', user is some-user
(Mon May 18 19:18:47 2020) [sssd[nss]] [nss_get_object_send] (0x0400): Client [0x55bd9dc69480][27]: sent cache request #122
(Mon May 18 19:18:47 2020) [sssd[nss]] [cache_req_set_name] (0x0400): CR #122: Setting name [some-user]
(Mon May 18 19:18:47 2020) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #122: Performing a single domain search
(Mon May 18 19:18:47 2020) [sssd[nss]] [sss_domain_get_state] (0x1000): Domain implicit_files is Active
(Mon May 18 19:18:47 2020) [sssd[nss]] [sss_domain_get_state] (0x1000): Domain ipa.test is Active
(Mon May 18 19:18:47 2020) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #122: Search will check the cache and check the data provider
(Mon May 18 19:18:47 2020) [sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain ipa.test type POSIX is valid
(Mon May 18 19:18:47 2020) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #122: Using domain [ipa.test]
(Mon May 18 19:18:47 2020) [sssd[nss]] [cache_req_prepare_domain_data] (0x0400): CR #122: Preparing input data for domain [ipa.test] rules
(Mon May 18 19:18:47 2020) [sssd[nss]] [cache_req_search_send] (0x0400): CR #122: Looking up some-user
(Mon May 18 19:18:47 2020) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #122: Checking negative cache for [some-user]
(Mon May 18 19:18:47 2020) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/ipa.test/some-user]
(Mon May 18 19:18:47 2020) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #122: [some-user] is not present in negative cache
(Mon May 18 19:18:47 2020) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #122: Looking up [some-user] in cache
(Mon May 18 19:18:47 2020) [sssd[nss]] [ldb] (0x4000): Added timed event "ldb_kv_callback": 0x55bd9dc6c280

(Mon May 18 19:18:47 2020) [sssd[nss]] [ldb] (0x4000): Added timed event "ldb_kv_timeout": 0x55bd9dc59ea0

(Mon May 18 19:18:47 2020) [sssd[nss]] [ldb] (0x4000): Running timer event 0x55bd9dc6c280 "ldb_kv_callback"

(Mon May 18 19:18:47 2020) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x55bd9dc59ea0 "ldb_kv_timeout"

(Mon May 18 19:18:47 2020) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x55bd9dc6c280 "ldb_kv_callback"

(Mon May 18 19:18:47 2020) [sssd[nss]] [sysdb_search_object_attr] (0x0020): Search with filter [(&(|(objectCategory=user)(objectCategory=group))(|(nameAlias=some-user)(name=some-user)))] returned more than one object.
(Mon May 18 19:18:47 2020) [sssd[nss]] [sysdb_search_object_attr] (0x0040): Error: 22 (Invalid argument)
(Mon May 18 19:18:47 2020) [sssd[nss]] [cache_req_search_cache] (0x0020): CR #122: Unable to lookup [some-user] in cache [22]: Invalid argument
(Mon May 18 19:18:47 2020) [sssd[nss]] [cache_req_process_result] (0x0400): CR #122: Finished: Error 22: Invalid argument
(Mon May 18 19:18:47 2020) [sssd[nss]] [nss_protocol_done] (0x4000): Sending reply: error [22]: Invalid argument
(Mon May 18 19:18:47 2020) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Mon May 18 19:18:47 2020) [sssd[nss]] [client_close_fn] (0x2000): Terminated client [0x55bd9dc69480][27]

There is nothing in the domain log for that specific request because the information was cached by the 'id' call a few seconds before:

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_get_initgr_user] (0x4000): Process user's groups
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_get_primary_name] (0x0400): Processing object some-user
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_has_deref_support_ex] (0x0400): The server supports deref method OpenLDAP
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_print_server] (0x2000): Searching 10.0.106.211:389
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=test].
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaExternalMember]
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_op_add] (0x2000): New operation 14 timeout 6
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_process_result] (0x2000): Trace: sh[0x561a95868ae0], connected[1], ops[0x561a95837be0], ldap[0x561a95776890]
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_process_result] (0x2000): Trace: sh[0x561a95868ae0], connected[1], ops[0x561a95837be0], ldap[0x561a95776890]
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=test].
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN]
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_process_result] (0x2000): Trace: sh[0x561a95868ae0], connected[1], ops[0x561a95837be0], ldap[0x561a95776890]
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_op_destructor] (0x2000): Operation 14 finished
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): start ldb transaction (nesting: 1)
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_callback": 0x561a95841a70

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_timeout": 0x561a9583cf10

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Running timer event 0x561a95841a70 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a9583cf10 "ldb_kv_timeout"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a95841a70 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sysdb_search_by_name] (0x0400): No such entry
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_add_incomplete_groups] (0x1000): Group #0 [ipausers][ipausers] is not cached, need to add a fake entry
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): start ldb transaction (nesting: 2)
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_get_primary_name] (0x0400): Processing object ipausers
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSIDString] attribute. [0][Success]
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_add_incomplete_groups] (0x1000): The group ipausers gid was missing
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_add_incomplete_groups] (0x0400): Marking group ipausers as non-POSIX and setting GID=0!
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_add_incomplete_groups] (0x2000): Adding fake group ipausers to sysdb
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): start ldb transaction (nesting: 3)
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_callback": 0x561a95841a70
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_timeout": 0x561a9583cf10

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Running timer event 0x561a95841a70 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a9583cf10 "ldb_kv_timeout"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a95841a70 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): commit ldb transaction (nesting: 3)
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_callback": 0x561a9687ea00

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_timeout": 0x561a9583eab0

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Running timer event 0x561a9687ea00 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a9583eab0 "ldb_kv_timeout"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a9687ea00 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_callback": 0x561a95841a70

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_timeout": 0x561a9583cf10

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Running timer event 0x561a95841a70 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a9583cf10 "ldb_kv_timeout"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a95841a70 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sysdb_ldb_msg_difference] (0x2000): Added attr [lastUpdate] to entry [name=ipausers,cn=groups,cn=ipa.test,cn=sysdb]
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): start ldb transaction (nesting: 3)
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_callback": 0x561a95841a70

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_timeout": 0x561a9583cf10

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Running timer event 0x561a95841a70 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a9583cf10 "ldb_kv_timeout"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a95841a70 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): commit ldb transaction (nesting: 3)
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_callback": 0x561a95848bb0

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_timeout": 0x561a95841a70

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Running timer event 0x561a95848bb0 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a95841a70 "ldb_kv_timeout"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a95848bb0 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sysdb_set_entry_attr] (0x0200): Entry [name=ipausers,cn=groups,cn=ipa.test,cn=sysdb] has set [cache, ts_cache] attrs.
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): commit ldb transaction (nesting: 2)
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): commit ldb transaction (nesting: 1)
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_get_primary_name] (0x0400): Processing object ipausers
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sysdb_get_direct_parents] (0x2000): searching sysdb with filter [(&(objectCategory=group)(member=name=ipausers,cn=groups,cn=ipa.test,cn=sysdb))]
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_callback": 0x561a95841a70

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_timeout": 0x561a9583cf10

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Running timer event 0x561a95841a70 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a9583cf10 "ldb_kv_timeout"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a95841a70 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sysdb_get_direct_parents] (0x1000): ipausers is a member of 0 sysdb groups
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_initgr_nested_get_direct_parents] (0x4000): Looking up direct parents for group [cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=test]
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_initgr_nested_get_direct_parents] (0x4000): The group [cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=test] has 0 direct parents
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_initgr_nested_get_membership_diff] (0x1000): The group ipausers is a direct member of 0 LDAP groups
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): start ldb transaction (nesting: 1)
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): start ldb transaction (nesting: 2)
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): commit ldb transaction (nesting: 2)
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): commit ldb transaction (nesting: 1)
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_initgr_store_user_memberships] (0x1000): The user some-user is a direct member of 1 LDAP groups
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sysdb_get_direct_parents] (0x2000): searching sysdb with filter [(&(objectCategory=group)(member=name=some-user,cn=users,cn=ipa.test,cn=sysdb))]
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_callback": 0x561a95841a70

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_timeout": 0x561a9583cf10

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Running timer event 0x561a95841a70 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a9583cf10 "ldb_kv_timeout"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a95841a70 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sysdb_get_direct_parents] (0x1000): some-user is a member of 0 sysdb groups
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): start ldb transaction (nesting: 1)
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_initgr_store_user_memberships] (0x2000): Updating memberships for some-user
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): start ldb transaction (nesting: 2)
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sss_domain_get_state] (0x1000): Domain ipa.test is Active
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): start ldb transaction (nesting: 3)
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_callback": 0x561a9583cf10

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_timeout": 0x561a9687ea00

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Running timer event 0x561a9583cf10 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_callback": 0x561a9582f1d0

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_timeout": 0x561a9687c0f0

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a9687ea00 "ldb_kv_timeout"
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a9583cf10 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Running timer event 0x561a9582f1d0 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_callback": 0x561a968824f0

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_timeout": 0x561a9687f410

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a9687c0f0 "ldb_kv_timeout"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a9582f1d0 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Running timer event 0x561a968824f0 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_callback": 0x561a9687c0f0

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_timeout": 0x561a96886550

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a9687f410 "ldb_kv_timeout"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a968824f0 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Running timer event 0x561a9687c0f0 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_callback": 0x561a9687f410

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_timeout": 0x561a96881d30

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a96886550 "ldb_kv_timeout"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a9687c0f0 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Running timer event 0x561a9687f410 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a96881d30 "ldb_kv_timeout"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a9687f410 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): commit ldb transaction (nesting: 3)
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): commit ldb transaction (nesting: 2)
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): commit ldb transaction (nesting: 1)
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_get_initgr_done] (0x4000): Initgroups done
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_callback": 0x561a9687ea00

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_timeout": 0x561a9583eab0

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Running timer event 0x561a9687ea00 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a9583eab0 "ldb_kv_timeout"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a9687ea00 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_callback": 0x561a9687ea00

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_timeout": 0x561a9583eab0

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Running timer event 0x561a9687ea00 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a9583eab0 "ldb_kv_timeout"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a9687ea00 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_get_initgr_done] (0x0400): Primary group already cached, nothing to do.
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_get_initgr_done] (0x4000): No need to check for domain local group memberships.
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_callback": 0x561a9687ea00

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_timeout": 0x561a9583eab0

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Running timer event 0x561a9687ea00 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a9583eab0 "ldb_kv_timeout"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a9687ea00 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_callback": 0x561a9687ea00

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_timeout": 0x561a9583eab0

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Running timer event 0x561a9687ea00 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a9583eab0 "ldb_kv_timeout"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a9687ea00 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_callback": 0x561a9687ea00

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Added timed event "ldb_kv_timeout": 0x561a9583eab0

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Running timer event 0x561a9687ea00 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a9583eab0 "ldb_kv_timeout"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ldb] (0x4000): Destroying timer event 0x561a9687ea00 "ldb_kv_callback"

(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:ipa.test:571fa34c-993c-11ea-b112-fa163efaafc4))].
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_print_server] (0x2000): Searching 10.0.106.211:389
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:ipa.test:571fa34c-993c-11ea-b112-fa163efaafc4))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=test].
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_op_add] (0x2000): New operation 15 timeout 6
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_process_result] (0x2000): Trace: sh[0x561a95868ae0], connected[1], ops[0x561a96882230], ldap[0x561a95776890]
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_process_result] (0x2000): Trace: sh[0x561a95868ae0], connected[1], ops[0x561a96882230], ldap[0x561a95776890]
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_op_destructor] (0x2000): Operation 15 finished
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:ipa.test:571fa34c-993c-11ea-b112-fa163efaafc4))].
(Mon May 18 19:18:44 2020) [sssd[be[ipa.test]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
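
A triage helper for the failure signature in the sssd_nss.log excerpt above, as an added example that is not part of the original report and not SSSD code. It groups responder lines by cache request number and reports the requests that hit the "returned more than one object" search; the sample log is constructed (CR #122 abridged from the excerpt, CR #123 invented for contrast), and attributing the sysdb line to the next failed lookup is an assumption.

```python
import re

# Layout of an SSSD debug line as it appears in the log above:
#   (timestamp) [process] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>\S+)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
CR_RE = re.compile(r"^CR #(?P<id>\d+): (?P<rest>.*)$")
AMBIGUOUS_RE = re.compile(
    r"^Search with filter \[(?P<filter>.*)\] returned more than one object\.$"
)
# Per-request messages worth keeping, keyed by the record field they fill in.
CR_FIELDS = {
    "plugin": re.compile(r"^New request '(.+)'$"),
    "input": re.compile(r"^Parsing input name \[(.+)\]$"),
    "failed_lookup": re.compile(r"^Unable to lookup \[(.+)\] in cache"),
    "result": re.compile(r"^Finished: (.+)$"),
}

# Constructed sample: CR #122 is abridged from the log above, CR #123 is an
# invented successful request added for contrast.
SAMPLE_LOG = r"""
(Mon May 18 19:18:47 2020) [sssd[nss]] [nss_getby_name] (0x0400): Input name: IPA\some-user
(Mon May 18 19:18:47 2020) [sssd[nss]] [cache_req_send] (0x0400): CR #122: New request 'Object by name'
(Mon May 18 19:18:47 2020) [sssd[nss]] [cache_req_process_input] (0x0400): CR #122: Parsing input name [IPA\some-user]
(Mon May 18 19:18:47 2020) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #122: Looking up [some-user] in cache
(Mon May 18 19:18:47 2020) [sssd[nss]] [ldb] (0x4000): Added timed event "ldb_kv_callback": 0x55bd9dc6c280

(Mon May 18 19:18:47 2020) [sssd[nss]] [sysdb_search_object_attr] (0x0020): Search with filter [(&(|(objectCategory=user)(objectCategory=group))(|(nameAlias=some-user)(name=some-user)))] returned more than one object.
(Mon May 18 19:18:47 2020) [sssd[nss]] [sysdb_search_object_attr] (0x0040): Error: 22 (Invalid argument)
(Mon May 18 19:18:47 2020) [sssd[nss]] [cache_req_search_cache] (0x0020): CR #122: Unable to lookup [some-user] in cache [22]: Invalid argument
(Mon May 18 19:18:47 2020) [sssd[nss]] [cache_req_process_result] (0x0400): CR #122: Finished: Error 22: Invalid argument
(Mon May 18 19:18:47 2020) [sssd[nss]] [nss_protocol_done] (0x4000): Sending reply: error [22]: Invalid argument
(Mon May 18 19:18:49 2020) [sssd[nss]] [cache_req_send] (0x0400): CR #123: New request 'Object by name'
(Mon May 18 19:18:49 2020) [sssd[nss]] [cache_req_process_input] (0x0400): CR #123: Parsing input name [IPA\admin]
(Mon May 18 19:18:49 2020) [sssd[nss]] [cache_req_done] (0x0400): CR #123: Finished: Success
"""


def find_ambiguous_lookups(lines):
    """Return one record per cache request that hit the multi-object error."""
    requests = {}
    pending_filter = None  # filter of the last ambiguous sysdb search seen
    for raw in lines:
        parsed = LINE_RE.match(raw.strip())
        if parsed is None:
            continue  # blank separator lines and anything not in debug format
        msg = parsed["msg"]
        ambiguous = AMBIGUOUS_RE.match(msg)
        if parsed["func"] == "sysdb_search_object_attr" and ambiguous:
            pending_filter = ambiguous["filter"]
            continue
        cr = CR_RE.match(msg)
        if cr is None:
            continue
        cr_id = int(cr["id"])
        record = requests.setdefault(
            cr_id, {"cr": cr_id, "ts": parsed["ts"], "filter": None}
        )
        for field, pattern in CR_FIELDS.items():
            hit = pattern.match(cr["rest"])
            if hit is None:
                continue
            record[field] = hit.group(1)
            # The sysdb line carries no CR number; assume it belongs to the
            # request that reports the failed cache lookup right after it.
            if field == "failed_lookup" and pending_filter is not None:
                record["filter"] = pending_filter
                pending_filter = None
    return [rec for _, rec in sorted(requests.items()) if rec["filter"]]


if __name__ == "__main__":
    for rec in find_ambiguous_lookups(SAMPLE_LOG.splitlines()):
        print(f"CR #{rec['cr']} at {rec['ts']}: {rec.get('input')} "
              f"-> {rec.get('result')}")
        print(f"  ambiguous filter: {rec['filter']}")
```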

Comment 2 Sumit Bose 2020-05-19 06:13:41 UTC
Hi Alexander,

Thanks for the report. The issue is that from the LDAP client perspective there are really 2 LDAP objects on the IPA side, although by default the group object is a managed object and does not get a SID assigned. But in general, thanks to different namespaces for user and group names on the Unix side, it would be possible to create a user and a group with the same name, where uid and gid have the same value and both get a SID assigned, one from the secondary range:

# ldapsearch -LLL -H ldapi://%2fvar%2frun%2fslapd-RHEL75-DEVEL.socket -b 'dc=rhel75,dc=devel' '(|(cn=some-user-x)(uid=some-user-x))'  dn ipaNTSecurityIdentifier uidNumber gidNumber
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=some-user-x,cn=groups,cn=accounts,dc=rhel75,dc=devel
ipaNTSecurityIdentifier: S-1-5-21-2570728348-66687643-3266097796-1030
gidNumber: 1999600030

dn: uid=some-user-x,cn=users,cn=accounts,dc=rhel75,dc=devel
ipaNTSecurityIdentifier: S-1-5-21-2570728348-66687643-3266097796-100000030
uidNumber: 1999600030
gidNumber: 1999600030


So my suggestion would be that SSSD does some extra checks if there are multiple objects with the same name. In the sidbyname case we can check if the found objects have a SID and if there is only one we return this. If there is a user and a group object with matching uid and gid and different SIDs it might be possible to return ID_BOTH as type but I'm not sure which of the 2 SIDs will cause less inconsistencies in this case? So I think it might be better to return ID_USER and the user's SID in this case. Do you agree?

bye,
Sumit

Comment 3 Alexander Bokovoy 2020-05-19 06:17:43 UTC
I would suggest to use objectclass=mepManagedEntry to filter out these objects.

Or, alternatively, do not filter them but if you found objectclass=mepManagedEntry in the group entry, assume user and group are ID_BOTH.

There is no way in FreeIPA to have a MEP entry that would have automatically generated SID, I tried that before reporting this bug.

Comment 4 Sumit Bose 2020-05-19 06:34:47 UTC
(In reply to Alexander Bokovoy from comment #3)
> I would suggest to use objectclass=mepManagedEntry to filter out these
> objects.
> 
> Or, alternatively, do not filter them but if you found
> objectclass=mepManagedEntry in the group entry, assume user and group are
> ID_BOTH.
> 
> There is no way in FreeIPA to have a MEP entry that would have automatically
> generated SID, I tried that before reporting this bug.

Yes, this would be possible as well, but would only handle the default user-private-group case not the one where there are two distinct objects with different SIDs but same names, UIDs and GIDs. Shall we treat this case as an error and return nothing?

bye,
Sumit

Comment 5 Alexander Bokovoy 2020-05-19 06:48:15 UTC
If you have two distinct objects with different SIDs but the same name, UIDs and GIDs, that would probably be a result of manual assignment of those values. In FreeIPA you would probably achieve this with

ipa user-add foobar
ipa group-detach foobar

and then manually assign ipaNTSecurityIdentifier value to the group 'foobar' while at the same time adding ipaNTGroupAttrs objectclass. I would say that this is pretty much an artificial use case because this SID cannot be created automatically with sidgen plugin.

[root@master ~]# ipa user-add auser
First name: A
Last name: User
------------------
Added user "auser"
------------------
  User login: auser
  First name: A
  Last name: User
  Full name: A User
  Display name: A User
  Initials: AU
  Home directory: /home/auser
  GECOS: A User
  Login shell: /bin/sh
  Principal name: auser
  Principal alias: auser
  Email address: auser
  UID: 1908200012
  GID: 1908200012
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@master ~]# ipa group-detach auser
----------------------------------------
Detached group "auser" from user "auser"
----------------------------------------
[root@master ~]# ipa group-show --all --raw auser
  dn: cn=auser,cn=groups,cn=accounts,dc=ipa,dc=test
  cn: auser
  description: User private group for auser
  gidnumber: 1908200012
  ipaUniqueID: 599e8b88-999b-11ea-84bd-fa163efaafc4
  objectClass: posixgroup
  objectClass: ipaobject
  objectClass: top
  objectClass: nestedgroup
  objectClass: ipausergroup
  objectClass: groupofnames
[root@master ~]# ipa user-show --all --raw auser
  dn: uid=auser,cn=users,cn=accounts,dc=ipa,dc=test
  uid: auser
  givenname: A
  sn: User
  cn: A User
  initials: AU
  homedirectory: /home/auser
  gecos: A User
  loginshell: /bin/sh
  krbcanonicalname: auser
  krbprincipalname: auser
  mail: auser
  uidnumber: 1908200012
  gidnumber: 1908200012
  nsaccountlock: FALSE
  has_password: FALSE
  has_keytab: FALSE
  displayName: A User
  ipaNTSecurityIdentifier: S-1-5-21-3787809381-104084847-3373960542-1012
  ipaUniqueID: 599ae668-999b-11ea-84bd-fa163efaafc4
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=test
  objectClass: top
  objectClass: person
  objectClass: organizationalperson
  objectClass: inetorgperson
  objectClass: inetuser
  objectClass: posixaccount
  objectClass: krbprincipalaux
  objectClass: krbticketpolicyaux
  objectClass: ipaobject
  objectClass: ipasshuser
  objectClass: ipaSshGroupOfPubKeys
  objectClass: ipantuserattrs
[root@master ~]# ipa group-mod auser --addattr=objectclass=ipantgroupattrs --addattr=ipantsecurityidentifier=S-1-5-21-3787809381-104084847-3373960542-9999
----------------------
Modified group "auser"
----------------------
  Group name: auser
  Description: User private group for auser
  GID: 1908200012
[root@master ~]# ipa group-show --all --raw auser
  dn: cn=auser,cn=groups,cn=accounts,dc=ipa,dc=test
  cn: auser
  description: User private group for auser
  gidnumber: 1908200012
  ipaNTSecurityIdentifier: S-1-5-21-3787809381-104084847-3373960542-9999
  ipaUniqueID: 599e8b88-999b-11ea-84bd-fa163efaafc4
  objectClass: posixgroup
  objectClass: ipaobject
  objectClass: top
  objectClass: nestedgroup
  objectClass: ipausergroup
  objectClass: groupofnames
  objectClass: ipantgroupattrs
[root@master ~]# 

I'm not sure we should support this case. On the other hand, a case where a group was detached but SID was never added might make sense to map back to user's SID if GID == UID.

Comment 6 Sumit Bose 2020-05-19 07:00:01 UTC
Hi,

I was doing:

    ipa group-add some-user-x
    ipa user-add some-user-x --uid=$GID_OF_SOME_USER_X_GROUP --gidnumber=$GID_OF_SOME_USER_X_GROUP --noprivate

and got different SIDs for both. I wonder if similar setups can be found on systems which were migrated from an existing LDAP infrastructure to IPA?

bye,
Sumit

Comment 7 Alexander Bokovoy 2020-05-19 08:09:16 UTC
Yes, that is possible too.

Well, then we need to support both...
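
The resolution rules proposed in comments 2, 3 and 5, run over the LDIF from comment 2, as an added example; it is not SSSD's code and not the fix that was later merged. The function names and the "ID_GROUP" label are assumptions, and an entry is treated as a user when it carries uidNumber.

```python
# Added illustration of the rules proposed in comments 2, 3 and 5; not SSSD code.
# Function names and the "ID_GROUP" label are hypothetical.
SID = "ipantsecurityidentifier"

def parse_ldif(text):
    """Simple LDIF text -> list of {lower-cased attr: [values]}."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, val = line.partition(": ")
            if sep:
                entry.setdefault(key.strip().lower(), []).append(val.strip())
        if entry:
            entries.append(entry)
    return entries

def resolve_sid_by_name(entries):
    """Return (id_type, sid) for same-named entries, or None if undecidable."""
    users = [e for e in entries if "uidnumber" in e]
    groups = [e for e in entries if "uidnumber" not in e and "gidnumber" in e]
    with_sid = [e for e in entries if SID in e]
    if len(with_sid) == 1:                  # comment 2: only one object has a SID
        e, sid = with_sid[0], with_sid[0][SID][0]
        if e not in users:
            return ("ID_GROUP", sid) if e in groups else None
        for g in groups:                    # comment 3: managed private group
            managed = "mepmanagedentry" in [c.lower() for c in g.get("objectclass", [])]
            if managed and g["gidnumber"] == e["uidnumber"]:
                return ("ID_BOTH", sid)
        return ("ID_USER", sid)             # comment 5: detached group, no SID
    if (len(users) == len(groups) == 1 and len(with_sid) == 2
            and SID in users[0] and SID in groups[0]):
        u, g = users[0], groups[0]          # comment 2: two SIDs, matching IDs
        if u["uidnumber"] == u.get("gidnumber") == g["gidnumber"]:
            return ("ID_USER", u[SID][0])
    return None                             # no SID at all, or ambiguous

# Entries copied from the ldapsearch output in comment 2.
COMMENT2_LDIF = """\
dn: cn=some-user-x,cn=groups,cn=accounts,dc=rhel75,dc=devel
ipaNTSecurityIdentifier: S-1-5-21-2570728348-66687643-3266097796-1030
gidNumber: 1999600030

dn: uid=some-user-x,cn=users,cn=accounts,dc=rhel75,dc=devel
ipaNTSecurityIdentifier: S-1-5-21-2570728348-66687643-3266097796-100000030
uidNumber: 1999600030
gidNumber: 1999600030
"""
print(resolve_sid_by_name(parse_ldif(COMMENT2_LDIF)))
```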

Comment 9 Sumit Bose 2021-04-27 08:47:22 UTC
Upstream ticket:
https://github.com/SSSD/sssd/issues/5607

Comment 12 Pavel Březina 2021-05-25 10:25:31 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/5608

* `master`
    * 9cb89666eae3ab2d4a93fb531fc29e433356391f - nss: fix getsidbyname for IPA user-private-groups

Comment 20 errata-xmlrpc 2021-11-09 19:46:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4435