Bug 2017869 - Over time a user loses group membership to 'Domain Users' group [NEEDINFO]
Summary: Over time a user loses group membership to 'Domain Users' group
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.4
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Sumit Bose
QA Contact: sssd-qe
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2021-10-27 15:23 UTC by Chetan Patil
Modified: 2023-08-14 08:27 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:
atikhono: needinfo? (pkulkarn)




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-101295 0 None None None 2021-11-01 19:35:01 UTC
Red Hat Issue Tracker SSSD-4129 0 None None None 2021-12-06 12:18:50 UTC

Description Chetan Patil 2021-10-27 15:23:24 UTC
Description of problem:

Over time a user might lose its group membership to the 'Domain Users' group. You're using UIDs and GIDs stored in AD which typically means that the gIDNumber LDAP attribute of the user in AD is not pointing to the 'Domain Users' group but to a different one.

So the user has a primary group in the POSIX sense (gIDNumber) and a primary group in the AD sense (typically 'Domain Users'). Typically SSSD tries to make the primary AD group ('Domain Users') a secondary group so as not to lose this group membership. It looks like this initially works, but when the 'Domain Users' group is looked up later on, the user gets removed because (as explained above) the users are not listed as members of the 'Domain Users' group.

In other cases SSSD stores the primary AD group in a special attribute of the user so that it cannot get lost, but it looks like in this case (UID and GID stored in AD) this does not work as expected.





Version-Release number of selected component (if applicable):

sssd-2.4.0-9.el8_4.2.x86_64
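
The sequence described in the report, as an added toy model (not SSSD code and not from the reporter): a user lookup adds the AD primary group as a secondary group, then a group lookup rebuilds the member list from the `member` attribute and drops the user. The directory entries, the `pinned` parameter and all function names are constructed for illustration; AD records the primary group on the user as `primaryGroupID` (RID 513 for 'Domain Users').

```python
"""Toy model of the cache behaviour described in the report (not SSSD code)."""

# Constructed AD entries. alice's POSIX primary group (gidNumber) is
# unix-staff; her AD primary group is RID 513, 'Domain Users'.
USERS = {"alice": {"gidNumber": 20001, "primaryGroupID": 513}}
GROUPS = {
    "Domain Users": {"rid": 513, "gidNumber": 20513, "member": []},
    "unix-staff": {"rid": 1105, "gidNumber": 20001, "member": []},
    "vpn-users": {"rid": 1106, "gidNumber": 20002, "member": ["alice"]},
}


def ad_primary_group(user):
    """Resolve primaryGroupID (a RID) to a group name. AD does not list
    these users in the group's 'member' attribute."""
    rid = USERS[user]["primaryGroupID"]
    return next(name for name, g in GROUPS.items() if g["rid"] == rid)


def user_lookup(cache, user):
    """User lookup: explicit memberships plus the AD primary group
    added as a secondary group."""
    for name, g in GROUPS.items():
        if user in g["member"]:
            cache.setdefault(name, set()).add(user)
    cache.setdefault(ad_primary_group(user), set()).add(user)


def group_lookup(cache, group, pinned=None):
    """Group lookup: replace cached members with the 'member' attribute.
    'pinned' (hypothetical) maps user -> AD primary group kept on the user
    record, so that membership survives the refresh."""
    members = set(GROUPS[group]["member"])
    members |= {u for u, g in (pinned or {}).items() if g == group}
    cache[group] = members


def secondary_groups(cache, user):
    """Names of all cached groups that currently list the user."""
    return sorted(g for g, members in cache.items() if user in members)
```

Calling `user_lookup` and then `group_lookup(cache, "Domain Users")` reproduces the loss; passing `pinned` keeps the membership across the refresh.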

