Red Hat Bugzilla – Bug 678777
IPA provider does not update removed group memberships on initgroups
Last modified: 2015-01-04 18:46:35 EST
Description of problem:
When performing an initgroups request on a user, the IPA provider does not remove group memberships from the local cache when they are removed from the IPA server. This only happens for the IPA backend (and not for the standard RFC2307bis schema).

Version-Release number of selected component (if applicable):
sssd-1.5.1-6.el6

How reproducible:
Every time

Steps to Reproduce:
1. Create a user in IPA. Add this user to at least one additional group.
2. On an IPA client, perform 'id <username>'. Verify that all of the groups are listed.
3. Remove the user from the additional group in step 1.
4. Perform a login for this user (forces a cache update).
5. Perform 'id <username>' on a client once again.

Actual results:
The user is still listed as a member of the extra group, even though the membership has been revoked.

Expected results:
The removed group should no longer be in the list.

Additional info:
https://fedorahosted.org/sssd/ticket/803
Verified following steps listed above.

After removing user "four" from group "groupone":

[root@rhel61-client ~]# id four
uid=1289600007(four) gid=1289600007(four) groups=1289600007(four),1289600001(ipausers),1289600005(groupone)

After logging in as user "four":

[root@rhel61-client ~]# id four
uid=1289600007(four) gid=1289600007(four) groups=1289600007(four),1289600001(ipausers)

Version used for testing: sssd-1.5.4-0.20110323T0643z.el6.x86_64
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html
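
The check performed by hand in the verification comment above can be scripted so that a revoked membership still served from the cache is flagged automatically. This is an added example, not part of the bug report or of SSSD; the function names groups_from_id and stale_groups are hypothetical, and it assumes group names contain no spaces or commas.

```shell
#!/bin/sh
# Added example: flag revoked groups that `id` still reports for a user.

# groups_from_id ID_LINE: print the group names found in one line of
# `id` output, one per line. Assumes names without spaces or commas.
groups_from_id() {
    printf '%s\n' "$1" |
        sed -n 's/.*groups=\([^ ]*\).*/\1/p' |   # keep only the groups= field
        tr ',' '\n' |                            # one gid(name) entry per line
        sed -n 's/^[0-9]*(\(.*\))$/\1/p'         # strip the numeric gid
}

# stale_groups ID_LINE REVOKED...: print every revoked group that the id
# output still lists. Returns 1 if any stale membership is found, else 0.
stale_groups() {
    id_line=$1; shift
    current=$(groups_from_id "$id_line")
    rc=0
    for g in "$@"; do
        # -x: whole-line match, -F: literal string, so "group" != "groupone"
        if printf '%s\n' "$current" | grep -qxF -- "$g"; then
            printf '%s\n' "$g"
            rc=1
        fi
    done
    return $rc
}

# Sample input: the two `id four` lines from the verification comment.
BEFORE='uid=1289600007(four) gid=1289600007(four) groups=1289600007(four),1289600001(ipausers),1289600005(groupone)'
AFTER='uid=1289600007(four) gid=1289600007(four) groups=1289600007(four),1289600001(ipausers)'

# On a live client, pass "$(id four)" after the user has logged in again.
for line in "$BEFORE" "$AFTER"; do
    if stale=$(stale_groups "$line" groupone); then
        echo "OK: no revoked group present"
    else
        echo "STALE: still a member of: $stale"
    fi
done
```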