1967641 – Regression: 'usermod -G' fails if user has any remote groups

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1967641 - Regression: 'usermod -G' fails if user has any remote groups

Summary: Regression: 'usermod -G' fails if user has any remote groups

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	shadow-utils
Sub Component:
Version:	8.4
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	beta
Target Release:	---
Assignee:	Iker Pedrosa
QA Contact:	Anuj Borah
Docs Contact:
URL:
Whiteboard:	sync-to-jira
Depends On:
Blocks:	1975327 1975329
TreeView+	depends on / blocked

Reported:	2021-06-03 14:15 UTC by Michael Catanzaro
Modified:	2021-11-10 08:24 UTC (History)
CC List:	4 users (show)
Fixed In Version:	shadow-utils-4.6-14.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1975327 1975329 (view as bug list)
Environment:
Last Closed:	2021-11-09 19:42:14 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	shadow-maint shadow issues 338	0	None	open	Regression: 'usermod -G' fails if user has any remote groups	2021-06-03 14:16:04 UTC
Red Hat Product Errata	RHBA-2021:4417	0	None	None	None	2021-11-09 19:42:20 UTC

Description Michael Catanzaro 2021-06-03 14:15:08 UTC

Description of problem: Since bug #1727236 was fixed, 'usermod -G' now fails if the user is a member of any remote groups. This breaks accountsservice's org.freedesktop.Accounts.User.SetAccountType method.


Version-Release number of selected component (if applicable): shadow-utils-2:4.6-12.el8


How reproducible: Always


Steps to Reproduce:
1. Somehow add user to remote group (either by enrolling with IPA server or with Active Directory)... this is hard, don't ask me how :)
2. Try to change user's account type from standard to administrator or vice-versa in gnome-control-center. Or do it manually via D-Bus.

Actual results:

$ gdbus call --system --dest org.freedesktop.Accounts --object-path /org/freedesktop/Accounts/User1636600000 --method org.freedesktop.Accounts.User.SetAccountType 1
Error: GDBus.Error:org.freedesktop.Accounts.Error.Failed: running '/usr/sbin/usermod' failed: Child process exited with code 6


Expected results: There should be no error!


Additional info: See https://github.com/shadow-maint/shadow/issues/338 for upstream discussion. The problem is the patch added in bug #1727236 doesn't just prevent adding users to remote groups, it also prevents *not removing* users from remote groups, i.e. it prevents us from keeping remote group membership unchanged. In order to add the user to a new local group, we now have to remove all the user's remote group memberships, since that's the only way to prevent usermod from claiming the groups don't exist.

Comment 1 Iker Pedrosa 2021-06-24 07:58:50 UTC

As a solution the patch provided to fix bug #1727236 will be reverted

Comment 7 errata-xmlrpc 2021-11-09 19:42:14 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (shadow-utils bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4417

Note You need to log in before you can comment on or make changes to this bug.