Bug 871843 - Nested groups are not retrieved appropriately from cache
Summary: Nested groups are not retrieved appropriately from cache
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks: 881827
TreeView+ depends on / blocked
 
Reported: 2012-10-31 14:12 UTC by Kaushik Banerjee
Modified: 2020-05-02 17:03 UTC (History)
3 users (show)

Fixed In Version: sssd-1.9.2-25.el6
Doc Type: Bug Fix
Doc Text:
No Documentation Needed
Clone Of:
Environment:
Last Closed: 2013-02-21 09:39:22 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Github SSSD sssd issues 2654 None None None 2020-05-02 17:03:48 UTC
Red Hat Product Errata RHSA-2013:0508 normal SHIPPED_LIVE Low: sssd security, bug fix and enhancement update 2013-02-20 21:30:10 UTC

Description Kaushik Banerjee 2012-10-31 14:12:46 UTC
Description of problem:
Nested groups not retrieved appropriately from cache

Version-Release number of selected component (if applicable):
sssd-1.9.2-4.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Create a nested group structure in AD as follows:
tuser1_top_grp1
      |
tuser1_mid_grp1
      |
    tuser1

2. Configure sssd to lookup users and groups via ldap provider:
The domain section that I used:
[domain/ADTEST]
debug_level = 0xFFF0
id_provider = ldap
ldap_schema = ad
ldap_uri = ldap://adserver
ldap_default_bind_dn = cn=Administrator,cn=Users,dc=sssdad,dc=com
ldap_default_authtok = xxxxxx
ldap_search_base = dc=sssdad,dc=com
ldap_force_upper_case_realm = True
ldap_referrals = false

3. 
Issue1:
Lookup tuser1 in the following sequence:
# service sssd stop;rm -f /var/lib/sss/db/* /var/lib/sss/mc/*;service sssd start
Stopping sssd:                                             [  OK  ]
Starting sssd:                                             [  OK  ]

# getent group tuser1_mid_grp1
tuser1_mid_grp1:*:10004:tuser1

# getent group tuser1_top_grp1
tuser1_top_grp1:*:10003:tuser1

# id tuser1
uid=10004(tuser1) gid=10004(tuser1_mid_grp1) groups=10004(tuser1_mid_grp1)   <== Doesn't show tuser1_top_grp1

Issue2:
# service sssd stop;rm -f /var/lib/sss/db/* /var/lib/sss/mc/*;service sssd start
Stopping sssd:                                             [  OK  ]
Starting sssd:                                             [  OK  ]

# getent group tuser1_top_grp1
tuser1_top_grp1:*:10003:tuser1

# getent group tuser1_mid_grp1
tuser1_mid_grp1:*:10004:tuser1,tuser1    <== tuser1 is seen twice
  
Actual results:

Expected results:
a. for Issue1:
# id tuser1
uid=10004(tuser1) gid=10004(tuser1_mid_grp1) groups=10004(tuser1_mid_grp1),10003(tuser1_top_grp1)

b. for Issue2:
# getent group tuser1_mid_grp1
tuser1_mid_grp1:*:10004:tuser1

Additional info:

Comment 2 Jakub Hrozek 2012-10-31 17:24:06 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1612

Comment 4 Kaushik Banerjee 2012-11-01 09:32:25 UTC
Issue2 has been logged separately as bug 872110

Comment 6 Kaushik Banerjee 2012-12-13 06:43:36 UTC
Verified in version 1.9.2-37.el6

Output of beaker automation run:
:: [02:08:09] ::  Verify bz871843
Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]
[  OK  ]
:: [02:08:14] ::  Sleeping for 5 seconds
group01:*:20001:user01
:: [   PASS   ] :: Running 'getent group group01'
maingroup1:*:40001:user01
:: [   PASS   ] :: Running 'getent group maingroup1'
uid=20001(user01) gid=20001(group01) groups=20001(group01),40001(maingroup1),30001(group001)
:: [   PASS   ] :: Running 'id user01 | grep maingroup1 | grep group01'

Comment 7 errata-xmlrpc 2013-02-21 09:39:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html


Note You need to log in before you can comment on or make changes to this bug.