Bug 869616 – Issues when adding AD user as member of external group

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 869616 - Issues when adding AD user as member of external group

Summary:	Issues when adding AD user as member of external group

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ipa (Show other bugs)
Sub Component:
Version:	6.4
Hardware:	Unspecified Unspecified

Priority	medium Severity unspecified
Target Milestone:	rc
Target Release:	---
Assigned To:	Rob Crittenden
QA Contact:	Namita Soman
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2012-10-24 08:29 EDT by Xiyang Dong
Modified:	2015-09-29 03:09 EDT (History)
CC List:	6 users (show)

See Also:	920702
Fixed In Version:	ipa-3.0.0-8.el6
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2013-02-21 04:28:52 EST
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2013:0528	normal	SHIPPED_LIVE	Low: ipa security, bug fix and enhancement update	2013-02-21 03:22:21 EST

Groups: None (edit)

Description Xiyang Dong 2012-10-24 08:29:11 EDT

Description of problem:
1> Cannot use name of AD User, but have to use wmic to get SID for this user to add as a member to an external group
    wmic useraccount get name,sid
 
2> when adding duplicate AD user behaviour is different from regular duplicate user
 
# ipa group-add-member --user=ttt aa
  Group name: aa
  Description: aaa
  External member: s-1-5-21-2048782538-2375889789-2933420090-1175, s-1-5-21-2048782538-2375889789-2933420090-1176,
                   s-1-5-21-2048782538-2375889789-2933420090-1179, s-1-5-21-2048782538-2375889789-2933420090-1155,
                   s-1-5-21-2048782538-2375889789-2933420090-1100
  Member users: ttt
  Member groups: ttt
  Failed members:
    member user: ttt: This entry is already a member
    member group:
-------------------------
Number of members added 0
-------------------------

# ipa group-add-member --external=s-1-5-21-2048782538-2375889789-2933420090-1175 aa
[member user]:
[member group]:
  Group name: aa
  Description: aaa
  External member: s-1-5-21-2048782538-2375889789-2933420090-1175, s-1-5-21-2048782538-2375889789-2933420090-1176,
                   s-1-5-21-2048782538-2375889789-2933420090-1179, s-1-5-21-2048782538-2375889789-2933420090-1155,
                   s-1-5-21-2048782538-2375889789-2933420090-1100
  Member users: ttt
  Member groups: ttt
-------------------------
Number of members added 0
-------------------------
 
 
2> Can use invalid SIDs - and message says member was added.(-1100 is invalid)

[root@xdong ~]# ipa group-add-member --external=s-1-5-21-2048782538-2375889789-2933420090-1100 
Group name: bb
[member user]: 
[member group]: 
  Group name: bb
  Description: bb
  External member: s-1-5-21-2048782538-2375889789-2933420090-1175, s-1-5-21-2048782538-2375889789-2933420090-1100
-------------------------
Number of members added 1
-------------------------


How reproducible:

always

Steps to Reproduce:

  
Actual results:


Expected results:


Additional info:

Comment 1 Xiyang Dong 2012-10-24 08:32:47 EDT

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-105.20121018T0250zgit1cc4f7e.el6.x86_64

Comment 2 Dmitri Pal 2012-10-24 09:56:44 EDT

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3211

Comment 3 Rob Crittenden 2012-11-01 16:04:19 EDT

Fixed upstream.

master: fc3834ca46fa986694be6a94f0a51d74e9e532a8

ipa-3-0: 4cf3c2d5053bad8e62a80ffa586f8d5c1f7e41cd

Comment 4 Dmitri Pal 2012-11-06 08:39:47 EST

https://fedorahosted.org/freeipa/ticket/3126

Comment 5 Scott Poore 2012-11-08 10:52:59 EST

Created bug #874671 to cover missing error message as separate case/issue here.

Comment 6 Scott Poore 2012-11-08 10:59:10 EST

Created bug #874674 to cover invalid/non-existent SID adds as a separate case/issue here.

Comment 8 Scott Poore 2012-11-13 14:36:16 EST

Verified.

It should be noted that the 1> case is the only one fixed here.  The other two (2>) cases are being handled in the separate bugs listed in comment #5 and comment #6.

Version ::

ipa-server-3.0.0-8.el6.x86_64

Manual Test Results ::

[root@rhel6-1 ~]# ipa group-add --desc='adtestdom.com adtestgroup1' adtestdom_adtestgroup1
------------------------------------
Added group "adtestdom_adtestgroup1"
------------------------------------
  Group name: adtestdom_adtestgroup1
  Description: adtestdom.com adtestgroup1
  GID: 1735800006

[root@rhel6-1 ~]# ipa group-add --desc='adtestdom.com adtestgroup1 external' adtestdom_adtestgroup1_external --external
---------------------------------------------
Added group "adtestdom_adtestgroup1_external"
---------------------------------------------
  Group name: adtestdom_adtestgroup1_external
  Description: adtestdom.com adtestgroup1 external

[root@rhel6-1 ~]# ipa group-add-member adtestdom_adtestgroup1 --groups=adtestdom_adtestgroup1_external
  Group name: adtestdom_adtestgroup1
  Description: adtestdom.com adtestgroup1
  GID: 1735800006
  Member groups: adtestdom_adtestgroup1_external
-------------------------
Number of members added 1
-------------------------

[root@rhel6-1 ~]# ipa group-add-member adtestdom_adtestgroup1_external --external "ADTESTDOM\adtestgroup1"
[member user]: 
[member group]: 
  Group name: adtestdom_adtestgroup1_external
  Description: adtestdom.com adtestgroup1 external
  External member: S-1-5-21-1246088475-3077293710-2580964704-1135
  Member of groups: adtestdom_adtestgroup1
-------------------------
Number of members added 1
-------------------------

Comment 11 errata-xmlrpc 2013-02-21 04:28:52 EST

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html

Comment 12 Xiyang Dong 2013-03-12 10:43:29 EDT

now it's able to add by name but unable to delete by name 

[root@rt aduser1]# rpm -q ipa-server
ipa-server-3.0.0-25.el6.x86_64

[root@rt aduser1]# ipa group-add-member adgroup1 --external "ADLAB\aduser1"
[member user]: 
[member group]: 
  Group name: adgroup1
  Description: adgroup1
  External member: S-1-5-21-3452862912-1583780823-338435951-1139
-------------------------
Number of members added 1
-------------------------
[root@rt aduser1]# ipa group-remove-member adgroup1 --external "ADLAB\aduser1"
[member user]: 
[member group]: 
  Group name: adgroup1
  Description: adgroup1
  External member: S-1-5-21-3452862912-1583780823-338435951-1139
---------------------------
Number of members removed 0
---------------------------
[root@rt aduser1]# ipa group-remove-member adgroup1 --external=S-1-5-21-3452862912-1583780823-338435951-1139
[member user]: 
[member group]: 
  Group name: adgroup1
  Description: adgroup1
  External member: 
---------------------------
Number of members removed 1
---------------------------

Comment 13 Rob Crittenden 2013-03-12 10:50:18 EDT

The suggestion is that it used to work. Is that the case? I don't think it did.

We'd need a new bug to add this functionality.

Note You need to log in before you can comment on or make changes to this bug.