Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 692404

Summary: rfc2307bis groups are being enumerated even when the gidNumber is out of the range of min_id,max_id.
Product: Red Hat Enterprise Linux 6 Reporter: Kaushik Banerjee <kbanerje>
Component: sssdAssignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA QA Contact: Chandrasekar Kannan <ckannan>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.1CC: benl, dpal, grajaiya, jgalipea, jhrozek, prc
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: sssd-1.5.1-35.el6 Doc Type: Bug Fix
Doc Text:
Cause: When saving group memberships, SSSD uses a two-pass approach - save all the groups first and then save their members. When a group GID is outside a specifed range, the group should be skipped completely. SSSD correctly skipped the groups out of range during the save groups step, but then created the group anyway as a side-effect of the save members step. Consequence: SSSD did not filter groups whose GID was outside a specified range Fix: The group save operation was changed so that only members of groups that were processed successfully are saved. Result: SSSD correctly filters groups based on the min_id/max_id limits.
 Story Points: ---
Clone Of:
: 692455 (view as bug list) Environment:
Last Closed: 2011-12-06 16:38:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 692455    

Description Kaushik Banerjee 2011-03-31 09:14:27 UTC 
Description of problem:
Able to enumerate groups even when the gid is out of the range of min_id,max_id.

Version-Release number of selected component (if applicable):
sssd-1.5.1-21.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Configure sssd to enumerate against AD. See additional info for relevant sssd.conf

2. Add a user02 and group02 in Active Directory. The ldapsearch returns:

#  ldapsearch -H ldaps://pluto.lab.eng.pnq.redhat.com -D cn=Administrator,cn=Users,dc=sssdad,dc=com -b "CN=group02,CN=Users,DC=sssdad,DC=com" -W 
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <CN=group02,CN=Users,DC=sssdad,DC=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# group02, Users, sssdad.com
dn: CN=group02,CN=Users,DC=sssdad,DC=com
objectClass: top
objectClass: group
cn: group02
member: CN=user02,CN=Users,DC=sssdad,DC=com
distinguishedName: CN=group02,CN=Users,DC=sssdad,DC=com
instanceType: 4
whenCreated: 20110330235022.0Z
whenChanged: 20110330235022.0Z
uSNCreated: 17860
uSNChanged: 17872
name: group02
objectGUID:: l1UdlT+WBUGBeog7fmrAlQ==
objectSid:: AQUAAAAAAAUVAAAAG7QhYKWWbzz2dDlknwQAAA==
sAMAccountName: group02
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=sssdad,DC=com
dSCorePropagationData: 16010101000000.0Z
msSFU30Name: group02
msSFU30NisDomain: sssdad
gidNumber: 20002

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

============================================================================
#  ldapsearch -H ldaps://pluto.lab.eng.pnq.redhat.com -D cn=Administrator,cn=Users,dc=sssdad,dc=com -b "CN=user02,CN=Users,DC=sssdad,DC=com" -W 
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <CN=user02,CN=Users,DC=sssdad,DC=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# user02, Users, sssdad.com
dn: CN=user02,CN=Users,DC=sssdad,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: user02
sn: user02
givenName: user02
distinguishedName: CN=user02,CN=Users,DC=sssdad,DC=com
instanceType: 4
whenCreated: 20110330235022.0Z
whenChanged: 20110330235022.0Z
displayName: user02
uSNCreated: 17863
memberOf: CN=group02,CN=Users,DC=sssdad,DC=com
uSNChanged: 17870
name: user02
objectGUID:: OGG3GT8MX0aVCW3hcddiJA==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 129460026226093750
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAG7QhYKWWbzz2dDlkoAQAAA==
accountExpires: 0
logonCount: 0
sAMAccountName: user02
sAMAccountType: 805306368
userPrincipalName: user02
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=sssdad,DC=com
dSCorePropagationData: 16010101000000.0Z
msSFU30Name: user02
msSFU30NisDomain: sssdad
uidNumber: 20002
gidNumber: 20002
unixHomeDirectory: /home/user02
loginShell: /bin/bash

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


3. Enumerate user02 "getent -s sss passwd user02"(Returns nothing and appropriate message is seen in the logs).
4. Enumerate group02 "getent -s sss group group02".
  
Actual results:
Able to enumerate groups even when the gid is out of the range of min_id=90000.

# getent -s sss group group02
group02:*:90001:

/var/log/sssd/sssd.log
<snip>
(Thu Mar 31 12:27:46 2011) [sssd[be[AD]]] [sdap_save_user] (2): User [user02] filtered out! (id out of range)
(Thu Mar 31 12:27:46 2011) [sssd[be[AD]]] [sdap_save_user] (2): Failed to save user [user02]
(Thu Mar 31 12:27:46 2011) [sssd[be[AD]]] [sdap_save_users] (2): Failed to store user 0. Ignoring.
(Thu Mar 31 12:27:46 2011) [sssd[be[AD]]] [ldb] (9): commit ldb transaction (nesting: 0)
(Thu Mar 31 12:27:46 2011) [sssd[be[AD]]] [ldb] (9): start ldb transaction (nesting: 0)
(Thu Mar 31 12:27:46 2011) [sssd[be[AD]]] [sdap_save_group] (2): Group [group02] filtered out! (id out of range)
(Thu Mar 31 12:27:46 2011) [sssd[be[AD]]] [sdap_save_group] (2): Failed to save group [group02]
(Thu Mar 31 12:27:46 2011) [sssd[be[AD]]] [sdap_save_groups] (2): Failed to store group 0. Ignoring.
(Thu Mar 31 12:27:46 2011) [sssd[be[AD]]] [sdap_save_grpmem] (7): Adding member users to group [group02]
(Thu Mar 31 12:27:46 2011) [sssd[be[AD]]] [sdap_fill_memberships] (9): [IPA or AD Schema]

</snip>

Expected results:
"getent -s sss group group02" should return nothing since it's gid 20002 is less than the min_id set.

Additional info:

1. This works well against 389ds (rfc2307 schema).

2. # cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = AD

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 9

[pam]
reconnection_retries = 3

[domain/AD]
description = LDAP domain with AD server
debug_level = 9
enumerate = false
cache_credentials = False
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://pluto.sssdad.com
ldap_schema = rfc2307bis
ldap_default_bind_dn = cn=Administrator,cn=Users,dc=sssdad,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = redhat_123
ldap_search_base = dc=sssdad,dc=com
ldap_user_object_class = person
ldap_user_name = cn
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = cn
ldap_force_upper_case_realm = True
min_id = 90000
Comment 2 Jakub Hrozek 2011-03-31 09:24:22 UTC 
Upstream ticket - https://fedorahosted.org/sssd/ticket/834
Comment 6 Kaushik Banerjee 2011-09-28 13:50:29 UTC 
Verified in version:

# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 52.el6                        Build Date: Tue 20 Sep 2011 09:11:03 PM IST
Install Date: Mon 26 Sep 2011 05:56:30 PM IST      Build Host: x86-010.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-52.el6.src.rpm
Size        : 3550647                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
Comment 7 Jakub Hrozek 2011-10-26 16:15:09 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: When saving group memberships, SSSD uses a two-pass approach - save all the groups first and then save their members. When a group GID is outside a specifed range, the group should be skipped completely. SSSD correctly skipped the groups out of range during the save groups step, but then created the group anyway as a side-effect of the save  members step.
Consequence: SSSD did not filter groups whose GID was outside a specified range
Fix: The group save operation was changed so that only members of groups that were processed successfully are saved.
Result: SSSD correctly filters groups based on the min_id/max_id limits.
Comment 8 errata-xmlrpc 2011-12-06 16:38:05 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1529.html