+++ This bug was initially created as a clone of Bug #678777 +++

Description of problem:
When performing an initgroups request on a user, the IPA provider does not remove group memberships from the local cache when they are removed from the IPA server. This only happens for the IPA backend (and not for the standard RFC2307bis schema).

Version-Release number of selected component (if applicable):
sssd-1.5.1-8.el5

How reproducible:
Every time

Steps to Reproduce:
1. Create a user in IPA. Add this user to at least one additional group.
2. On an IPA client, perform 'id <username>'. Verify that all of the groups are listed.
3. Remove the user from the additional group in step 1.
4. Perform a login for this user (forces a cache update).
5. Perform 'id <username>' on a client once again.

Actual results:
The user is still listed as a member of the extra group, even though the membership has been revoked.

Expected results:
The removed group should no longer be in the list.

Additional info:
https://fedorahosted.org/sssd/ticket/803
1) Add an ipa user

# ipa user-add --first Mickey --last Mouse mmouse
-------------------
Added user "mmouse"
-------------------
  User login: mmouse
  First name: Mickey
  Last name: Mouse
  Full name: Mickey Mouse
  Display name: Mickey Mouse
  Initials: MM
  Home directory: /home/mmouse
  GECOS field: mmouse
  Login shell: /bin/sh
  Kerberos principal: mmouse@TESTRELM
  UID: 239400006

2) Add an ipa group

# ipa group-add --desc disney mice
------------------
Added group "mice"
------------------
  Group name: mice
  Description: disney
  GID: 239400007

3) Add user to the group

# ipa group-add-member --users=mmouse mice
  Group name: mice
  Description: disney
  GID: 239400007
  Member users: mmouse
-------------------------
Number of members added 1
-------------------------

4) On client id user

# id mmouse
uid=239400006(mmouse) gid=239400006(mmouse) groups=239400006(mmouse),239400005(mygroup),239400001(ipausers),239400007(mice) context=root:system_r:unconfined_t:SystemLow-SystemHigh

5) Remove the user from the group

# ipa group-remove-member --users=mmouse mice
  Group name: mice
  Description: disney
  GID: 239400007
---------------------------
Number of members removed 1
---------------------------

6) Login to client as the user

7) On client id user

# id mmouse
uid=239400006(mmouse) gid=239400006(mmouse) groups=239400006(mmouse),239400005(mygroup),239400001(ipausers),239400007(mice) context=root:system_r:unconfined_t:SystemLow-SystemHigh

SERVER: RHEL 6.1
ipa-server-2.0.0-23.el6.x86_64

CLIENT: RHEL 5.7
sssd-1.5.1-35.el5
ipa-client-2.0-14.el5
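The reproduction above shows the risk from a defender's side: the client keeps granting a group the server has revoked. The following is an added example, not code from the bug report or from SSSD, that parses the `id` output in the exact format shown above and reconciles it against the server-side membership list, the same comparison the fixed provider has to perform during initgroups. The `id` line and the server group set are constructed samples taken from the steps above; the function names are hypothetical.

```python
import re

# Constructed sample: the client-side `id mmouse` output from step 7, captured
# after the server-side removal in step 5 (cache is stale).
CACHED_ID_OUTPUT = (
    "uid=239400006(mmouse) gid=239400006(mmouse) "
    "groups=239400006(mmouse),239400005(mygroup),"
    "239400001(ipausers),239400007(mice) "
    "context=root:system_r:unconfined_t:SystemLow-SystemHigh"
)

# Constructed sample: authoritative membership as the IPA server asserts it
# after `ipa group-remove-member --users=mmouse mice`.
SERVER_GROUPS = {"mmouse", "mygroup", "ipausers"}

# Matches one "gid(name)" entry inside the groups= field.
_GROUP_ENTRY = re.compile(r"(\d+)\(([^)]+)\)")


def parse_id_groups(id_output):
    """Return {group_name: gid} parsed from the groups= field of `id` output."""
    match = re.search(r"groups=(\S+)", id_output)
    if not match:
        raise ValueError("no groups= field in id output")
    return {name: int(gid) for gid, name in _GROUP_ENTRY.findall(match.group(1))}


def stale_memberships(id_output, server_groups):
    """Groups the client cache still grants although the server revoked them.

    A non-empty result is the symptom described in this bug.
    """
    cached = parse_id_groups(id_output)
    return sorted(set(cached) - set(server_groups))


def missing_memberships(id_output, server_groups):
    """Groups the server asserts that the cache has not picked up yet."""
    cached = parse_id_groups(id_output)
    return sorted(set(server_groups) - set(cached))


def reconcile(cached_groups, server_groups):
    """Apply the corrected behaviour: keep only memberships the server asserts."""
    return {name: gid for name, gid in cached_groups.items() if name in server_groups}


if __name__ == "__main__":
    print("stale on client:", stale_memberships(CACHED_ID_OUTPUT, SERVER_GROUPS))
    print("after reconcile:", reconcile(parse_id_groups(CACHED_ID_OUTPUT), SERVER_GROUPS))
```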
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
When performing an initgroups() request on a user, the IPA provider did not properly remove group memberships from the local cache when they were removed from the IPA server. With this update, a removed group is no longer present in the local cache.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0975.html