Bug 866021 - SSSD loses groups from the cache when local user is accessed
SSSD loses groups from the cache when local user is accessed
Status: CLOSED DUPLICATE of bug 732474
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.3
Hardware: x86_64 Linux
Priority: unspecified  Severity: medium
Assigned To: Jakub Hrozek
Kaushik Banerjee
Reported: 2012-10-13 06:27 EDT by bugzilla.redhat
Modified: 2012-10-16 13:01 EDT (History)
Doc Type: Bug Fix
Last Closed: 2012-10-16 13:01:52 EDT
Type: Bug
Description bugzilla.redhat 2012-10-13 06:27:07 EDT
Description of problem:
The group associations are lost when a lookup of group information for a local user occurs.


Version-Release number of selected component (if applicable):
sssd-1.8.0-32.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Add a local user (e.g. install apache)
2. Add apache to the memberUid of an LDAP group
3. Query the LDAP group info (getent ldap_group)
4. Query user/group info of an LDAP user (id -a ldap_user)
5. Query the LDAP group info (getent ldap_group)
6. Query user/group info of apache (id -a apache)
7. Query the LDAP group info (getent ldap_group)

Actual results:
# sss_cache -G -U ; getent group ldap_group && id -a ldap_user && getent group ldap_group && id -a apache && getent group ldap_group

ldap_group:*:501:apache
uid=501(ldap_user) gid=501(ldap_group) groups=501(ldap_group)
ldap_group:*:501:apache
uid=48(apache) gid=48(apache) groups=48(apache)
ldap_group:*:501:


Expected results:
# sss_cache -G -U ; getent group ldap_group && id -a ldap_user && getent group ldap_group && id -a apache && getent group ldap_group

ldap_group:*:501:apache
uid=501(ldap_user) gid=501(ldap_group) groups=501(ldap_group)
ldap_group:*:501:apache
uid=48(apache) gid=48(apache) groups=48(apache),501(ldap_group)
ldap_group:*:501:apache


Additional info:
Similar to https://bugzilla.redhat.com/show_bug.cgi?id=649312 but that regression test will not catch the actual problem
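An added regression check for the behaviour described in this report (example code, not part of the bug report or of SSSD): it parses getent(1) group lines, reports members that disappear between two snapshots, and wraps the reporter's lookup sequence so the cache can be re-verified after each `id` call. The function names and the group/user arguments are assumptions; the live check needs root (for sss_cache) and a configured SSSD.

```shell
#!/bin/sh
# Added example, not the bug reporter's or SSSD's own code.

# Extract the comma-separated member field from a getent group line,
# e.g. "ldap_group:*:501:apache" -> "apache".
group_members() {
    printf '%s\n' "$1" | cut -d: -f4
}

# Print, one per line, the members present in the first getent line but
# missing from the second. Prints nothing when no member was lost.
lost_members() {
    before=$(group_members "$1" | tr ',' '\n')
    after=$(group_members "$2" | tr ',' '\n')
    for m in $before; do
        if ! printf '%s\n' "$after" | grep -qxF -- "$m"; then
            printf '%s\n' "$m"
        fi
    done
}

# Live check (assumed names: group, LDAP user, local user). Flushes the
# SSSD cache, takes a baseline group line, then re-reads the group after
# each user lookup in the reporter's sequence. Returns 1 if any member
# vanished from the cached group, 2 if a lookup itself failed.
check_membership() {
    group=$1; ldap_user=$2; local_user=$3
    sss_cache -G -U
    base=$(getent group "$group") || return 2
    rc=0
    for u in "$ldap_user" "$local_user"; do
        id -a "$u" >/dev/null || return 2
        cur=$(getent group "$group") || return 2
        lost=$(lost_members "$base" "$cur")
        if [ -n "$lost" ]; then
            printf "after 'id %s': %s lost member(s): %s\n" "$u" "$group" "$lost" >&2
            rc=1
        fi
    done
    return $rc
}
```

Run it on the affected host as `check_membership ldap_group ldap_user apache`; with the output shown in this report it prints that apache was lost after `id apache` and exits 1.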
Comment 2 Jakub Hrozek 2012-10-16 12:54:00 EDT
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1020
Comment 3 Jakub Hrozek 2012-10-16 13:00:00 EDT
The SSSD is designed so that it only looks for group members in the same domain as the original group, also because the SSSD supports multiple domains and in a multi-domain environment, just saying "member: foo" would be ambiguous. 

If the member is not present in the same domain, then, as far as the SSSD is concerned, it is same as if the member did not exist at all.

Improving this kind of setup is planned for the 1.11 release at the moment. In the meantime, I would recommend adding the apache user to LDAP as well.
Comment 4 Jakub Hrozek 2012-10-16 13:01:52 EDT

*** This bug has been marked as a duplicate of bug 732474 ***
