Bug 2222810 - Cannot override gid of private user group
Summary: Cannot override gid of private user group
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: sssd
Version: 9.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
Assignee: Tomas Halman
QA Contact: sssd-qe
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks:
 
Reported: 2023-07-13 19:18 UTC by Tomasz Kepczynski
Modified: 2023-08-14 08:38 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-162331 0 None None None 2023-07-13 19:21:46 UTC
Red Hat Issue Tracker SSSD-6467 0 None None None 2023-07-20 13:17:58 UTC

Description Tomasz Kepczynski 2023-07-13 19:18:42 UTC
Description of problem:
Cannot map overridden primary group id of the user with private user group back to group name.

Version-Release number of selected component (if applicable):
ipa-client-common-4.10.1-7.el9_2.noarch
ipa-selinux-4.10.1-7.el9_2.noarch
ipa-common-4.10.1-7.el9_2.noarch
ipa-client-4.10.1-7.el9_2.x86_64

How reproducible:
Always

Steps to Reproduce:

Create user override for a system which needs it:

vesemir:~> ipa idview-add TEST
--------------------
Added ID View "TEST"
--------------------
  ID View Name: TEST
vesemir:~> ipa idoverrideuser-add TEST tomek --uid=18519 --gidnumber=18519
------------------------------
Added User ID override "tomek"
------------------------------
  Anchor to override: tomek
  UID: 18519
  GID: 18519
vesemir:~> ipa idview-apply TEST --hosts=paulie
----------------------
Applied ID View "TEST"
----------------------
  hosts: paulie
---------------------------------------------
Number of hosts the ID View was applied to: 1
---------------------------------------------

Give some time to propagate the change to all replicas.
Clean sssd cache on paulie and restart it.

Now ssh to paulie:

vesemir:~> ssh paulie.XXXXX.org 
Last login: Thu Jul 13 21:01:26 2023 from 2a0X:XXXX:XXXX:3000:94cb:2ef5:6321:e82f
[tomek@paulie ~]$ id
uid=18519(tomek) gid=18519 grupy=18519,20000000 kontekst=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[tomek@paulie ~]$ getent passwd tomek
tomek:*:18519:18519:Tomasz KXXXXXXXXi:/home/tomek:/bin/bash
[tomek@paulie ~]$ getent group tomek
tomek:*:20000003:
[tomek@paulie ~]$ getent passwd 18519
tomek:*:18519:18519:Tomasz KXXXXXXXXi:/home/tomek:/bin/bash
[tomek@paulie ~]$ getent group 18519
[tomek@paulie ~]$ 

As seen above:
- user tomek has primary group id of 18519 - overridden
- but it is NOT resolvable back to group name
- additional note - 20000000 is gid for group admins and it is NOT resolved (this might be a separate bug as it was NOT overridden)

Try to override tomek group:

vesemir:~> ipa idoverridegroup-add TEST tomek --gid=18519
ipa: ERROR: invalid 'IPA object': system IPA objects (e.g. system groups, user private groups) cannot be overridden

Actual results:
Cannot override user's private user group.

Expected results:
User can keep private user group override AND that group CAN be overridden as necessary.

Additional info:
3 replicas in the domain, 2 - on AlmaLinux 9.2, 1 - on AlmaLinux 8.8.
All involved clients - on AlmaLinux 9.2.
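
A check for the symptom in the transcript above, as an added example that is not part of the original report or of SSSD/IPA: it asks NSS whether a user's primary GID maps back to a group and, if not, whether the group named after the user still answers under a different GID. `check_primary_gid`, `sample_getent` and the `GETENT` variable are names chosen for this example; `sample_getent` is a constructed stand-in that replays the answers shown in the report.

```shell
#!/bin/sh
# Lookup command. Set GETENT=sample_getent to run against the constructed data.
GETENT=${GETENT:-getent}

# Constructed stand-in for getent replaying the answers shown in the report
# (GECOS shortened; the root entries are constructed as a healthy control).
sample_getent() {
    case "$1:$2" in
        passwd:tomek|passwd:18519)
            echo 'tomek:*:18519:18519:Tomasz K:/home/tomek:/bin/bash' ;;
        group:tomek)        echo 'tomek:*:20000003:' ;;
        passwd:root)        echo 'root:x:0:0:root:/root:/bin/bash' ;;
        group:0|group:root) echo 'root:x:0:' ;;
        *)                  return 2 ;;  # getent exits 2 when the key is not found
    esac
}

# check_primary_gid USER
#   0: "USER GID ok GROUP"            primary GID maps back to a group name
#   1: "USER GID UNRESOLVED [...]"    no group entry for the primary GID
#   2: "USER - NOUSER"                user not found
check_primary_gid() {
    user=$1
    entry=$($GETENT passwd "$user") || { echo "$user - NOUSER"; return 2; }
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    if grp=$($GETENT group "$gid"); then
        echo "$user $gid ok ${grp%%:*}"
        return 0
    fi
    # No group answers for the primary GID. See whether the group named after
    # the user (the private group) still resolves, and under which GID.
    msg="$user $gid UNRESOLVED"
    if upg=$($GETENT group "$user"); then
        msg="$msg same-name-group-gid=$(printf '%s\n' "$upg" | cut -d: -f3)"
    fi
    echo "$msg"
    return 1
}

# Check every user named on the command line; $status records any failure.
status=0
for u in "$@"; do
    check_primary_gid "$u" || status=1
done
```

On a client, pass user names as arguments to query the live NSS stack; with `GETENT=sample_getent` in the environment the same calls replay the report's data offline.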

Comment 2 Rob Crittenden 2023-07-14 13:11:31 UTC
Re-assigning the product for analysis. SSSD handles the implementation of the overrides.

