Bug 869616 - Issues when adding AD user as member of external group
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Assigned To: Rob Crittenden
QA Contact: Namita Soman
Reported: 2012-10-24 08:29 EDT by Xiyang Dong
Modified: 2015-09-29 03:09 EDT (History)

Fixed In Version: ipa-3.0.0-8.el6
Doc Type: Bug Fix
Last Closed: 2013-02-21 04:28:52 EST
Type: Bug
Description Xiyang Dong 2012-10-24 08:29:11 EDT
Description of problem:
1> Cannot use name of AD User, but have to use wmic to get SID for this user to add as a member to an external group
    wmic useraccount get name,sid
 
2> When adding a duplicate AD user, the behaviour is different from that for a regular duplicate user
 
# ipa group-add-member --user=ttt aa
  Group name: aa
  Description: aaa
  External member: s-1-5-21-2048782538-2375889789-2933420090-1175, s-1-5-21-2048782538-2375889789-2933420090-1176,
                   s-1-5-21-2048782538-2375889789-2933420090-1179, s-1-5-21-2048782538-2375889789-2933420090-1155,
                   s-1-5-21-2048782538-2375889789-2933420090-1100
  Member users: ttt
  Member groups: ttt
  Failed members:
    member user: ttt: This entry is already a member
    member group:
-------------------------
Number of members added 0
-------------------------

# ipa group-add-member --external=s-1-5-21-2048782538-2375889789-2933420090-1175 aa
[member user]:
[member group]:
  Group name: aa
  Description: aaa
  External member: s-1-5-21-2048782538-2375889789-2933420090-1175, s-1-5-21-2048782538-2375889789-2933420090-1176,
                   s-1-5-21-2048782538-2375889789-2933420090-1179, s-1-5-21-2048782538-2375889789-2933420090-1155,
                   s-1-5-21-2048782538-2375889789-2933420090-1100
  Member users: ttt
  Member groups: ttt
-------------------------
Number of members added 0
-------------------------
 
 
2> Can use invalid SIDs - and the message says the member was added. (-1100 is invalid)

[root@xdong ~]# ipa group-add-member --external=s-1-5-21-2048782538-2375889789-2933420090-1100 
Group name: bb
[member user]: 
[member group]: 
  Group name: bb
  Description: bb
  External member: s-1-5-21-2048782538-2375889789-2933420090-1175, s-1-5-21-2048782538-2375889789-2933420090-1100
-------------------------
Number of members added 1
-------------------------


How reproducible:

always

Steps to Reproduce:

  
Actual results:


Expected results:


Additional info:
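The report shows that `--external` accepted any SID string, including one (RID 1100) that does not exist in the trusted domain. As an added example, not part of this bug report or of FreeIPA, the script below audits the `External member:` field of `ipa group-show`-style output: it parses the wrapped field, checks each SID is well-formed, confirms it belongs to the expected trusted-domain SID, and flags RIDs absent from a list of known RIDs (such as one exported with `wmic useraccount get name,sid`). The sample output and the known-RID set are constructed from the SIDs quoted in the report.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample in the layout shown in the bug report; RID 1100 is the one
# the reporter says does not exist in AD.
SAMPLE_OUTPUT = """\
  Group name: aa
  Description: aaa
  External member: s-1-5-21-2048782538-2375889789-2933420090-1175, s-1-5-21-2048782538-2375889789-2933420090-1176,
                   s-1-5-21-2048782538-2375889789-2933420090-1100
  Member users: ttt
"""

# Structural SID check only: revision 1, an authority, and at least one sub-authority.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_external_members(text: str) -> List[str]:
    """Collect the comma-separated values of the (possibly line-wrapped) 'External member:' field."""
    sids: List[str] = []
    collecting = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("External member:"):
            collecting = True
            payload = stripped[len("External member:"):]
        elif collecting and line.startswith("   "):
            payload = stripped  # continuation line of the wrapped field (deeper indent, no key)
        else:
            collecting = False
            continue
        sids.extend(s.strip() for s in payload.split(",") if s.strip())
    return sids


def audit_external_members(text: str, trusted_domain_sid: str,
                           known_rids: Optional[Set[int]] = None) -> Dict[str, str]:
    """Map each external SID to 'ok', 'malformed', 'foreign-domain' or 'unknown-rid'."""
    trusted = trusted_domain_sid.upper()
    report: Dict[str, str] = {}
    for sid in parse_external_members(text):
        norm = sid.upper()  # IPA prints the SID lowercase in older output; compare case-insensitively
        domain, _, rid = norm.rpartition("-")
        if not SID_RE.match(norm):
            report[sid] = "malformed"
        elif domain != trusted:
            report[sid] = "foreign-domain"  # SID not from the trusted AD domain
        elif known_rids is not None and int(rid) not in known_rids:
            report[sid] = "unknown-rid"  # syntactically fine but no such account known
        else:
            report[sid] = "ok"
    return report
```

Run it against the output of `ipa group-show --all <group>` after adding external members; anything other than `ok` deserves a look, since the command itself reported success for every entry.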
Comment 1 Xiyang Dong 2012-10-24 08:32:47 EDT
Version-Release number of selected component (if applicable):
ipa-server-3.0.0-105.20121018T0250zgit1cc4f7e.el6.x86_64
Comment 2 Dmitri Pal 2012-10-24 09:56:44 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3211
Comment 3 Rob Crittenden 2012-11-01 16:04:19 EDT
Fixed upstream.

master: fc3834ca46fa986694be6a94f0a51d74e9e532a8

ipa-3-0: 4cf3c2d5053bad8e62a80ffa586f8d5c1f7e41cd
Comment 4 Dmitri Pal 2012-11-06 08:39:47 EST
https://fedorahosted.org/freeipa/ticket/3126
Comment 5 Scott Poore 2012-11-08 10:52:59 EST
Created bug #874671 to cover missing error message as separate case/issue here.
Comment 6 Scott Poore 2012-11-08 10:59:10 EST
Created bug #874674 to cover invalid/non-existent SID adds as a separate case/issue here.
Comment 8 Scott Poore 2012-11-13 14:36:16 EST
Verified.

It should be noted that the 1> case is the only one fixed here.  The other two (2>) cases are being handled in the separate bugs listed in comment #5 and comment #6.

Version ::

ipa-server-3.0.0-8.el6.x86_64

Manual Test Results ::

[root@rhel6-1 ~]# ipa group-add --desc='adtestdom.com adtestgroup1' adtestdom_adtestgroup1
------------------------------------
Added group "adtestdom_adtestgroup1"
------------------------------------
  Group name: adtestdom_adtestgroup1
  Description: adtestdom.com adtestgroup1
  GID: 1735800006

[root@rhel6-1 ~]# ipa group-add --desc='adtestdom.com adtestgroup1 external' adtestdom_adtestgroup1_external --external
---------------------------------------------
Added group "adtestdom_adtestgroup1_external"
---------------------------------------------
  Group name: adtestdom_adtestgroup1_external
  Description: adtestdom.com adtestgroup1 external

[root@rhel6-1 ~]# ipa group-add-member adtestdom_adtestgroup1 --groups=adtestdom_adtestgroup1_external
  Group name: adtestdom_adtestgroup1
  Description: adtestdom.com adtestgroup1
  GID: 1735800006
  Member groups: adtestdom_adtestgroup1_external
-------------------------
Number of members added 1
-------------------------

[root@rhel6-1 ~]# ipa group-add-member adtestdom_adtestgroup1_external --external "ADTESTDOM\adtestgroup1"
[member user]: 
[member group]: 
  Group name: adtestdom_adtestgroup1_external
  Description: adtestdom.com adtestgroup1 external
  External member: S-1-5-21-1246088475-3077293710-2580964704-1135
  Member of groups: adtestdom_adtestgroup1
-------------------------
Number of members added 1
-------------------------
Comment 11 errata-xmlrpc 2013-02-21 04:28:52 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html
Comment 12 Xiyang Dong 2013-03-12 10:43:29 EDT
Now it's able to add by name but unable to delete by name.

[root@rt aduser1]# rpm -q ipa-server
ipa-server-3.0.0-25.el6.x86_64

[root@rt aduser1]# ipa group-add-member adgroup1 --external "ADLAB\aduser1"
[member user]: 
[member group]: 
  Group name: adgroup1
  Description: adgroup1
  External member: S-1-5-21-3452862912-1583780823-338435951-1139
-------------------------
Number of members added 1
-------------------------
[root@rt aduser1]# ipa group-remove-member adgroup1 --external "ADLAB\aduser1"
[member user]: 
[member group]: 
  Group name: adgroup1
  Description: adgroup1
  External member: S-1-5-21-3452862912-1583780823-338435951-1139
---------------------------
Number of members removed 0
---------------------------
[root@rt aduser1]# ipa group-remove-member adgroup1 --external=S-1-5-21-3452862912-1583780823-338435951-1139
[member user]: 
[member group]: 
  Group name: adgroup1
  Description: adgroup1
  External member: 
---------------------------
Number of members removed 1
---------------------------
Comment 13 Rob Crittenden 2013-03-12 10:50:18 EDT
The suggestion is that it used to work. Is that the case? I don't think it did.

We'd need a new bug to add this functionality.
