Hide Forgot
Description of problem: Nested groups not retrieved appropriately from cache Version-Release number of selected component (if applicable): sssd-1.9.2-4.el6.x86_64 How reproducible: Always Steps to Reproduce: 1. Create a nested group structure in AD as follows: tuser1_top_grp1 | tuser1_mid_grp1 | tuser1 2. Configure sssd to lookup users and groups via ldap provider: The domain section that I used: [domain/ADTEST] debug_level = 0xFFF0 id_provider = ldap ldap_schema = ad ldap_uri = ldap://adserver ldap_default_bind_dn = cn=Administrator,cn=Users,dc=sssdad,dc=com ldap_default_authtok = xxxxxx ldap_search_base = dc=sssdad,dc=com ldap_force_upper_case_realm = True ldap_referrals = false 3. Issue1: Lookup tuser1 in the following sequence: # service sssd stop;rm -f /var/lib/sss/db/* /var/lib/sss/mc/*;service sssd start Stopping sssd: [ OK ] Starting sssd: [ OK ] # getent group tuser1_mid_grp1 tuser1_mid_grp1:*:10004:tuser1 # getent group tuser1_top_grp1 tuser1_top_grp1:*:10003:tuser1 # id tuser1 uid=10004(tuser1) gid=10004(tuser1_mid_grp1) groups=10004(tuser1_mid_grp1) <== Doesn't show tuser1_top_grp1 Issue2: # service sssd stop;rm -f /var/lib/sss/db/* /var/lib/sss/mc/*;service sssd start Stopping sssd: [ OK ] Starting sssd: [ OK ] # getent group tuser1_top_grp1 tuser1_top_grp1:*:10003:tuser1 # getent group tuser1_mid_grp1 tuser1_mid_grp1:*:10004:tuser1,tuser1 <== tuser1 is seen twice Actual results: Expected results: a. for Issue1: # id tuser1 uid=10004(tuser1) gid=10004(tuser1_mid_grp1) groups=10004(tuser1_mid_grp1),10003(tuser1_top_grp1) b. for Issue2: # getent group tuser1_mid_grp1 tuser1_mid_grp1:*:10004:tuser1 Additional info:
Upstream ticket: https://fedorahosted.org/sssd/ticket/1612
Issue2 has been logged separately as bug 872110
Verified in version 1.9.2-37.el6 Output of beaker automation run: :: [02:08:09] :: Verify bz871843 Stopping sssd: [ OK ] Starting sssd: [ OK ] [ OK ] :: [02:08:14] :: Sleeping for 5 seconds group01:*:20001:user01 :: [ PASS ] :: Running 'getent group group01' maingroup1:*:40001:user01 :: [ PASS ] :: Running 'getent group maingroup1' uid=20001(user01) gid=20001(group01) groups=20001(group01),40001(maingroup1),30001(group001) :: [ PASS ] :: Running 'id user01 | grep maingroup1 | grep group01'
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0508.html