683885 – SSSD should skip over groups with multiple names

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 683885 - SSSD should skip over groups with multiple names

Summary: SSSD should skip over groups with multiple names

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	6.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Stephen Gallagher
QA Contact:	Chandrasekar Kannan
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	690096
TreeView+	depends on / blocked

Reported:	2011-03-10 15:10 UTC by Stephen Gallagher
Modified:	2015-01-04 23:47 UTC (History)
CC List:	5 users (show)
Fixed In Version:	sssd-1.5.1-16.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	690096 (view as bug list)
Environment:
Last Closed:	2011-05-19 11:41:19 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2011:0560	0	normal	SHIPPED_LIVE	Low: sssd security, bug fix, and enhancement update	2011-05-19 11:38:17 UTC

Description Stephen Gallagher 2011-03-10 15:10:04 UTC

Description of problem:
The LDAP RFC2307 schema, while not explicitly allowing it, does not forbid the use of a multi-valued attribute for the name of a group.

For example, if the group-name attribute is 'cn', it is permissible (though strongly advised against) to have two 'cn' values: 'groupname' and 'groupalias'.

Right now, SSSD throws an error and aborts an initgroups call if it hits a group like this. We need to ensure that it logs a warning and skips the group. A future enhancement planned upstream will eventually add better support for these aliases.

Version-Release number of selected component (if applicable):
sssd-1.5.1-14.el6

How reproducible:
Every time

Steps to Reproduce:
1. Create a group in LDAP with two 'cn' values (e.g. 'groupname' and 'groupalias')
2. Add a user as a member of this group
3. Perform an initgroups call (e.g. 'id -G username')
  
Actual results:
The initgroups call returns only the user's primary GID

Expected results:
The initgroups call should return all groups that have only a single name.

Additional info:

Comment 2 Stephen Gallagher 2011-04-07 19:38:43 UTC

Many apologies. This bug did not get updated as we went through several revisions of how to resolve this issue. SSSD should now behave as follows:

If we request a user or group that has alternate names, we will return the primary name (not necessarily the requested name) if it is possible to identify.

This means that if one of the multiple names matches the RDN of the entry, that is the value that we will return.

This will mean that 'getent group groupwithaliases' and 'getent group groupwithaliasesALIAS' will both return group information of the form:

groupwithalias:::member1,member2

It will never return groupwithaliasesALIAS.

Comment 3 Stephen Gallagher 2011-04-08 19:19:54 UTC

Sorry, I need to amend my previous statement.

I was incorrect that we would return the primary group when requesting the secondary group. That did not make it into the final version of the patch.

So the behavior as it is currently implemented will only return results for a lookup on the primary name.

Comment 4 Gowrishankar Rajaiyan 2011-04-08 19:36:49 UTC

setup:
# user001, People, example.com
dn: uid=user001,ou=People,dc=example,dc=com
uidNumber: 29292
gidNumber: 29292
objectClass: top
objectClass: posixAccount
objectClass: inetuser
cn: user001
homeDirectory: /home/user001
loginShell: /bin/bash
uid: user001

# group001, Groups, example.com
dn: cn=group001,ou=Groups,dc=example,dc=com
gidNumber: 29292
objectClass: top
objectClass: posixGroup
cn: group001alias
cn: group001
memberUid: user001

# group002, Groups, example.com
dn: cn=group002,ou=Groups,dc=example,dc=com
gidNumber: 29293
objectClass: top
objectClass: posixGroup
cn: group002alias
cn: group002
memberUid: user001

Client:
# id -G -n user001
group001 group002 group003 group 004

# getent group group002
group002:*:29293:user001

# getent group group002alias
#

No results returned while requesting for groupaliasALIAS as expected.


# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 24.el6                        Build Date: Sat 02 Apr 2011 01:24:54 AM IST
Install Date: Tue 05 Apr 2011 11:11:29 AM IST      Build Host: x86-012.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-24.el6.src.rpm
Size        : 3462740                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon

Comment 5 errata-xmlrpc 2011-05-19 11:41:19 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html

Comment 6 errata-xmlrpc 2011-05-19 13:10:02 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html

Note You need to log in before you can comment on or make changes to this bug.