Bug 2133854 - [RHEL9] In some cases when `sdap_add_incomplete_groups()` is called with `ignore_group_members = true`, groups should be treated as complete
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: sssd
Version: 9.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Alexey Tikhonov
QA Contact: shridhar
Whiteboard: sync-to-jira
Reported: 2022-10-11 15:23 UTC by Alexey Tikhonov
Modified: 2023-08-16 10:15 UTC

Fixed In Version: sssd-2.9.1-1.el9
Type: Bug



Links

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| OpenSSH Project | 3602 | 0 | None | None | None | 2023-08-16 10:15:27 UTC |
| Red Hat Issue Tracker | RHELPLAN-136143 | 0 | None | None | None | 2022-10-11 15:33:11 UTC |
| Red Hat Issue Tracker | SSSD-6196 | 0 | None | None | None | 2023-06-08 10:42:32 UTC |

Description Alexey Tikhonov 2022-10-11 15:23:51 UTC
Example workflow:
 - SSSD client is enrolled into AD domain (Token-Groups are enabled)
 - `id $user` is executed
 - initgroups() is called for this user
 - during processing of initgroups(), sssd_be obtains a list of group SIDs the user is a member of, then partially resolves those groups and adds them to the local cache as "incomplete"
 - as a next step, `id` calls getgrnam() for every group in the initgroups() list
 - since groups are saved into the cache as "incomplete" (technically, "expired"), this again results in an LDAP search for this group. But if `ignore_group_members = true`, this search doesn't provide any new information. "Incomplete" groups could be used instead.

This is just an example workflow. There are probably other use cases.

Comment 42 Alexey Tikhonov 2023-06-14 19:09:10 UTC
Upstream PR: https://github.com/SSSD/sssd/pull/6775

Comment 43 Alexey Tikhonov 2023-06-21 13:25:57 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/6775

* `master`
    * 2fd5374fdf78bc7330bd9e6f3b86bec86bdf592b - SYSDB: in case (ignore_group_members == true) group is actually complete
* `sssd-2-9`
    * d3c3408e0ef1df13c8c4d7fb6dc394fdb9a0886c - SYSDB: in case (ignore_group_members == true) group is actually complete

