RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 887961 - AD provider: getgrgid removes nested group memberships
Summary: AD provider: getgrgid removes nested group memberships
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.5
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks: 895654
TreeView+ depends on / blocked
 
Reported: 2012-12-17 17:19 UTC by Jakub Hrozek
Modified: 2020-05-02 17:11 UTC (History)
7 users (show)

Fixed In Version: sssd-1.9.2-68.el6
Doc Type: Bug Fix
Doc Text:
No documentation needed.
Clone Of:
Environment:
Last Closed: 2013-02-21 09:42:40 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 2769 0 None None None 2020-05-02 17:11:24 UTC
Red Hat Product Errata RHSA-2013:0508 0 normal SHIPPED_LIVE Low: sssd security, bug fix and enhancement update 2013-02-20 21:30:10 UTC

Description Jakub Hrozek 2012-12-17 17:19:05 UTC 
Description of problem:
After a successfull initgroups operation, the subsequent getgrgid removes the nested memberships. As far as we can tell, this only happens with the AD provider. So far, we've been unable to reproduce the issue in-house, but Marko Myllynen (CC) has

Version-Release number of selected component (if applicable):
1.9.3 upstream, 1.9.2 candidate from 6.4

How reproducible:
depends on the environment

Steps to Reproduce:
1. id -G user
2. id user
  
Actual results:
The id -G call returns all the groups correctly and in the cache the memberofs are linked by SIDs which is expected as we don't know the group names yet. But after the user runs full id, which also calls getgrgid on the resolved SIDs, we lose the memberships for some reason

Expected results:
The groups should stay the same

Additional info:
Marko thinks this was working at one point during the 1.9 development. We need to follow up and verify.
Comment 2 Jakub Hrozek 2012-12-18 17:58:22 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1727
Comment 3 Kaushik Banerjee 2012-12-20 14:57:54 UTC 
We have been unable to reproduce the issue in our environment. It was decided to provide a fix to Marko to verify the issue in his setup.
Comment 4 Jakub Hrozek 2013-01-07 19:30:36 UTC 
(In reply to comment #3)
> We have been unable to reproduce the issue in our environment. It was
> decided to provide a fix to Marko to verify the issue in his setup.

It actually turned out to be quite easily reproducable, I was just looking in the wrong direction.

It turns out that because we use the tokenGroups attribute for initgroups in AD, we can get a different set of results via tokenGroups and via LDAP calls when updating the groups later.

One of the differences is that parent groups of the primary group are represented in tokenGroups, but not represented via LDAP calls because there is no direct member/memberof link between the user and his primary group.

In short, to reproduce:
1. Add a parent group to user's primary group (Domain Users by default)
2. id -G username
   - this call would return both Domain Users and its parent groups
3. id username
   - because there is no link between the "Domain Users" group and the user entry, there wouldn't be any link between the user and the parent group either
4. id -G username
   - only Domain Users is returned
Comment 10 Kaushik Banerjee 2013-01-20 15:17:26 UTC 
Verified in version 1.9.2-74

Output from beaker automation run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: adprovider_015 bz887961 getgrgid removes nested group memberships
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

adding new entry "CN=primary user,CN=Users,DC=sssdad,DC=com"

adding new entry "CN=parent_group,CN=Users,DC=sssdad,DC=com"

modifying entry "CN=primary user,CN=Users,DC=sssdad,DC=com"

modifying entry "CN=primary user,CN=Users,DC=sssdad,DC=com"

modifying entry "CN=parent_group,CN=Users,DC=sssdad,DC=com"

Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]
[  OK  ]
:: [13:18:21] ::  Sleeping for 5 seconds
Domain Users gid number is 770800513
parent_group gid number is 770820521
Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]
[  OK  ]
:: [13:18:34] ::  Sleeping for 5 seconds
770800513 770820521
:: [   PASS   ] :: Running 'id -G puser | grep 770800513 | grep 770820521'
uid=770820520(puser) gid=770800513(domain users) groups=770800513(domain users),770820521(parent_group)
:: [   PASS   ] :: Running 'id puser | grep parent_group | grep domain'
770800513 770820521
:: [   PASS   ] :: Running 'id -G puser | grep 770800513 | grep 770820521'
'2cba848b-5ca3-479b-a3ba-c0afa9463650'
adprovider-015-bz887961-getgrgid-removes-nested-group-memberships result: PASS
Comment 11 errata-xmlrpc 2013-02-21 09:42:40 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html
Note You need to log in before you can comment on or make changes to this bug.