Hide Forgot
Description of problem: After a successfull initgroups operation, the subsequent getgrgid removes the nested memberships. As far as we can tell, this only happens with the AD provider. So far, we've been unable to reproduce the issue in-house, but Marko Myllynen (CC) has Version-Release number of selected component (if applicable): 1.9.3 upstream, 1.9.2 candidate from 6.4 How reproducible: depends on the environment Steps to Reproduce: 1. id -G user 2. id user Actual results: The id -G call returns all the groups correctly and in the cache the memberofs are linked by SIDs which is expected as we don't know the group names yet. But after the user runs full id, which also calls getgrgid on the resolved SIDs, we lose the memberships for some reason Expected results: The groups should stay the same Additional info: Marko thinks this was working at one point during the 1.9 development. We need to follow up and verify.
Upstream ticket: https://fedorahosted.org/sssd/ticket/1727
We have been unable to reproduce the issue in our environment. It was decided to provide a fix to Marko to verify the issue in his setup.
(In reply to comment #3) > We have been unable to reproduce the issue in our environment. It was > decided to provide a fix to Marko to verify the issue in his setup. It actually turned out to be quite easily reproducable, I was just looking in the wrong direction. It turns out that because we use the tokenGroups attribute for initgroups in AD, we can get a different set of results via tokenGroups and via LDAP calls when updating the groups later. One of the differences is that parent groups of the primary group are represented in tokenGroups, but not represented via LDAP calls because there is no direct member/memberof link between the user and his primary group. In short, to reproduce: 1. Add a parent group to user's primary group (Domain Users by default) 2. id -G username - this call would return both Domain Users and its parent groups 3. id username - because there is no link between the "Domain Users" group and the user entry, there wouldn't be any link between the user and the parent group either 4. id -G username - only Domain Users is returned
Verified in version 1.9.2-74 Output from beaker automation run: :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: adprovider_015 bz887961 getgrgid removes nested group memberships :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: adding new entry "CN=primary user,CN=Users,DC=sssdad,DC=com" adding new entry "CN=parent_group,CN=Users,DC=sssdad,DC=com" modifying entry "CN=primary user,CN=Users,DC=sssdad,DC=com" modifying entry "CN=primary user,CN=Users,DC=sssdad,DC=com" modifying entry "CN=parent_group,CN=Users,DC=sssdad,DC=com" Stopping sssd: [ OK ] Starting sssd: [ OK ] [ OK ] :: [13:18:21] :: Sleeping for 5 seconds Domain Users gid number is 770800513 parent_group gid number is 770820521 Stopping sssd: [ OK ] Starting sssd: [ OK ] [ OK ] :: [13:18:34] :: Sleeping for 5 seconds 770800513 770820521 :: [ PASS ] :: Running 'id -G puser | grep 770800513 | grep 770820521' uid=770820520(puser) gid=770800513(domain users) groups=770800513(domain users),770820521(parent_group) :: [ PASS ] :: Running 'id puser | grep parent_group | grep domain' 770800513 770820521 :: [ PASS ] :: Running 'id -G puser | grep 770800513 | grep 770820521' '2cba848b-5ca3-479b-a3ba-c0afa9463650' adprovider-015-bz887961-getgrgid-removes-nested-group-memberships result: PASS
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0508.html