Description of problem:
Since bug #1727236 was fixed, 'usermod -G' now fails if the user is a member of any remote groups. This breaks accountsservice's org.freedesktop.Accounts.User.SetAccountType method.

Version-Release number of selected component (if applicable):
shadow-utils-2:4.6-12.el8

How reproducible:
Always

Steps to Reproduce:
1. Somehow add user to remote group (either by enrolling with IPA server or with Active Directory)... this is hard, don't ask me how :)
2. Try to change user's account type from standard to administrator or vice-versa in gnome-control-center. Or do it manually via D-Bus.

Actual results:
$ gdbus call --system --dest org.freedesktop.Accounts --object-path /org/freedesktop/Accounts/User1636600000 --method org.freedesktop.Accounts.User.SetAccountType 1
Error: GDBus.Error:org.freedesktop.Accounts.Error.Failed: running '/usr/sbin/usermod' failed: Child process exited with code 6

Expected results:
There should be no error!

Additional info:
See https://github.com/shadow-maint/shadow/issues/338 for upstream discussion.

The problem is the patch added in bug #1727236 doesn't just prevent adding users to remote groups, it also prevents *not removing* users from remote groups, i.e. it prevents us from keeping remote group membership unchanged. In order to add the user to a new local group, we now have to remove all the user's remote group memberships, since that's the only way to prevent usermod from claiming the groups don't exist.
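A diagnostic for the condition described above, added here as an example and not taken from the bug report or from shadow-utils: it lists which of a user's groups are absent from the local group file, which are the memberships the report says make usermod claim the groups don't exist. The function names and the user name in the usage comment are hypothetical; it assumes a "remote" group is one with no entry in /etc/group and that GNU id (for -z) is available.

```shell
#!/bin/sh
# Added example (not shadow-utils code): classify group names as local
# (present in a group(5) file) or remote (resolved only through NSS,
# e.g. SSSD with IPA or Active Directory).

# is_local_group GROUP_FILE NAME
# Exit 0 if NAME is exactly the first field of some line in GROUP_FILE.
# grep -F -x gives a literal, whole-line match, so names containing
# spaces, dots or backslashes are compared verbatim.
is_local_group() {
    cut -d: -f1 "$1" | grep -Fxq -- "$2"
}

# remote_groups GROUP_FILE
# Reads group names from stdin, one per line, and prints those that have
# no entry in GROUP_FILE. Reading line by line keeps AD-style names with
# spaces (such as "domain users") intact.
remote_groups() {
    while IFS= read -r g; do
        [ -n "$g" ] || continue
        is_local_group "$1" "$g" || printf '%s\n' "$g"
    done
}

# Usage on a live system ("someuser" is a placeholder):
#   id -Gnz someuser | tr '\0' '\n' | remote_groups /etc/group
# Any name printed is a membership that exists only in the remote
# directory and is therefore not defined in the local group file.
```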
As a solution, the patch provided to fix bug #1727236 will be reverted.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (shadow-utils bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:4417