Bug 1967641 - Regression: 'usermod -G' fails if user has any remote groups
Summary: Regression: 'usermod -G' fails if user has any remote groups
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: shadow-utils
Version: 8.4
Hardware: All
OS: Linux
Target Milestone: beta
Assignee: Iker Pedrosa
QA Contact: Anuj Borah
Whiteboard: sync-to-jira
Depends On:
Blocks: 1975327 1975329
Reported: 2021-06-03 14:15 UTC by Michael Catanzaro
Modified: 2021-11-10 08:24 UTC

Fixed In Version: shadow-utils-4.6-14.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1975327 1975329
Last Closed: 2021-11-09 19:42:14 UTC
Type: Bug
Target Upstream Version:

System ID Private Priority Status Summary Last Updated
Github shadow-maint shadow issues 338 0 None open Regression: 'usermod -G' fails if user has any remote groups 2021-06-03 14:16:04 UTC
Red Hat Product Errata RHBA-2021:4417 0 None None None 2021-11-09 19:42:20 UTC

Description Michael Catanzaro 2021-06-03 14:15:08 UTC
Description of problem: Since bug #1727236 was fixed, 'usermod -G' now fails if the user is a member of any remote groups. This breaks accountsservice's org.freedesktop.Accounts.User.SetAccountType method.

Version-Release number of selected component (if applicable): shadow-utils-2:4.6-12.el8

How reproducible: Always

Steps to Reproduce:
1. Somehow add user to remote group (either by enrolling with IPA server or with Active Directory)... this is hard, don't ask me how :)
2. Try to change user's account type from standard to administrator or vice-versa in gnome-control-center. Or do it manually via D-Bus.

Actual results:

$ gdbus call --system --dest org.freedesktop.Accounts --object-path /org/freedesktop/Accounts/User1636600000 --method org.freedesktop.Accounts.User.SetAccountType 1
Error: GDBus.Error:org.freedesktop.Accounts.Error.Failed: running '/usr/sbin/usermod' failed: Child process exited with code 6

Expected results: There should be no error!

Additional info: See https://github.com/shadow-maint/shadow/issues/338 for upstream discussion. The problem is the patch added in bug #1727236 doesn't just prevent adding users to remote groups, it also prevents *not removing* users from remote groups, i.e. it prevents us from keeping remote group membership unchanged. In order to add the user to a new local group, we now have to remove all the user's remote group memberships, since that's the only way to prevent usermod from claiming the groups don't exist.
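
Added example, not part of the original report or of shadow-utils: a shell check that lists which of a user's supplementary groups have no entry in the local group file. These are the remote memberships that the report says make 'usermod -G' fail. The function names and the sample GIDs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or shadow-utils).
# Function names and sample data are hypothetical.

# non_local_gids GROUP_FILE GID...
# Prints, one per line, each GID that has no entry in GROUP_FILE.
non_local_gids() {
    group_file=$1
    shift
    for gid in "$@"; do
        # group(5) format is name:password:GID:members, so match on field 3.
        if ! awk -F: -v g="$gid" '$3 == g { found = 1 } END { exit !found }' \
                "$group_file"; then
            printf '%s\n' "$gid"
        fi
    done
}

# remote_supplementary_gids USER [GROUP_FILE]
# Numeric GIDs are used because remote group names may contain spaces.
# The primary group is skipped: 'usermod -G' sets supplementary groups only.
remote_supplementary_gids() {
    user=$1
    group_file=${2:-/etc/group}
    primary=$(id -g "$user") || return 1
    set --
    for gid in $(id -G "$user"); do
        [ "$gid" = "$primary" ] || set -- "$@" "$gid"
    done
    non_local_gids "$group_file" "$@"
}

# Constructed sample of a local group file, for trying non_local_gids offline.
sample_group_file() {
    cat <<'EOF'
root:x:0:
wheel:x:10:alice
alice:x:1000:
EOF
}

# Run as: sh script.sh USERNAME
if [ "$#" -gt 0 ]; then
    remote_supplementary_gids "$@"
fi
```

Any GID printed for a user is a membership that lives outside /etc/group, so that user is in the situation the report describes.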

Comment 1 Iker Pedrosa 2021-06-24 07:58:50 UTC
As a solution, the patch provided to fix bug #1727236 will be reverted.

Comment 7 errata-xmlrpc 2021-11-09 19:42:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (shadow-utils bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

