Bug 887961 - AD provider: getgrgid removes nested group memberships
Summary: AD provider: getgrgid removes nested group memberships
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.5
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks: 895654
 
Reported: 2012-12-17 17:19 UTC by Jakub Hrozek
Modified: 2020-05-02 17:11 UTC (History)

Fixed In Version: sssd-1.9.2-68.el6
Doc Type: Bug Fix
Doc Text:
No documentation needed.
Clone Of:
Environment:
Last Closed: 2013-02-21 09:42:40 UTC
Target Upstream Version:




Links
- GitHub: SSSD/sssd issue 2769 (last updated 2020-05-02 17:11:24 UTC)
- Red Hat Product Errata: RHSA-2013:0508, normal, SHIPPED_LIVE, "Low: sssd security, bug fix and enhancement update" (last updated 2013-02-20 21:30:10 UTC)

Description Jakub Hrozek 2012-12-17 17:19:05 UTC
Description of problem:
After a successful initgroups operation, the subsequent getgrgid removes the nested memberships. As far as we can tell, this only happens with the AD provider. So far, we've been unable to reproduce the issue in-house, but Marko Myllynen (CC) has

Version-Release number of selected component (if applicable):
1.9.3 upstream, 1.9.2 candidate from 6.4

How reproducible:
depends on the environment

Steps to Reproduce:
1. id -G user
2. id user
  
Actual results:
The id -G call returns all the groups correctly and in the cache the memberofs are linked by SIDs which is expected as we don't know the group names yet. But after the user runs full id, which also calls getgrgid on the resolved SIDs, we lose the memberships for some reason

Expected results:
The groups should stay the same

Additional info:
Marko thinks this was working at one point during the 1.9 development. We need to follow up and verify.

Comment 2 Jakub Hrozek 2012-12-18 17:58:22 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1727

Comment 3 Kaushik Banerjee 2012-12-20 14:57:54 UTC
We have been unable to reproduce the issue in our environment. It was decided to provide a fix to Marko to verify the issue in his setup.

Comment 4 Jakub Hrozek 2013-01-07 19:30:36 UTC
(In reply to comment #3)
> We have been unable to reproduce the issue in our environment. It was
> decided to provide a fix to Marko to verify the issue in his setup.

It actually turned out to be quite easily reproducible, I was just looking in the wrong direction.

It turns out that because we use the tokenGroups attribute for initgroups in AD, we can get a different set of results via tokenGroups and via LDAP calls when updating the groups later.

One of the differences is that parent groups of the primary group are represented in tokenGroups, but not represented via LDAP calls because there is no direct member/memberof link between the user and his primary group.

In short, to reproduce:
1. Add a parent group to user's primary group (Domain Users by default)
2. id -G username
   - this call would return both Domain Users and its parent groups
3. id username
   - because there is no link between the "Domain Users" group and the user entry, there wouldn't be any link between the user and the parent group either
4. id -G username
   - only Domain Users is returned
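The mismatch Comment 4 describes, modelled on a constructed toy directory. This is an added example and not SSSD code: it computes what AD's tokenGroups attribute returns for a user against what a client sees when it rebuilds the same user's groups from member/memberOf links plus primaryGroupID, and reports the memberships that differ. The user, group names and RIDs are assumptions; the `walk_primary` option is an assumed way to reconcile the two views, not a description of the actual SSSD fix, which this page does not detail.

```python
from collections import deque

# Constructed toy directory (not real AD data). Names stand in for DNs.
# AD keeps no member/memberOf link between a user and its primary group;
# only primaryGroupID (a RID) ties them together. 513 is the well-known
# RID of "Domain Users"; the other RIDs are made up for this example.
DIRECTORY = {
    "users": {
        "puser": {"primaryGroupID": 513, "memberOf": ["direct_group"]},
    },
    "groups": {
        "Domain Users":      {"rid": 513,   "memberOf": ["parent_group"]},
        "parent_group":      {"rid": 20521, "memberOf": ["grandparent_group"]},
        "grandparent_group": {"rid": 20522, "memberOf": []},
        "direct_group":      {"rid": 20523, "memberOf": []},
    },
}


def group_by_rid(directory, rid):
    """Resolve primaryGroupID the way a client must: by RID, not by link."""
    for name, group in directory["groups"].items():
        if group["rid"] == rid:
            return name
    raise KeyError(f"no group with RID {rid}")


def nested_parents(directory, start):
    """Transitive closure over memberOf, starting from the given groups."""
    seen, queue = set(), deque(start)
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        queue.extend(directory["groups"][name]["memberOf"])
    return seen


def token_groups(directory, user):
    """What tokenGroups reports for the user: every group the user is
    transitively in, the primary group and its parents included."""
    u = directory["users"][user]
    primary = group_by_rid(directory, u["primaryGroupID"])
    return nested_parents(directory, [primary] + u["memberOf"])


def memberof_groups(directory, user, walk_primary=False):
    """What a client sees when it rebuilds membership from LDAP links:
    the primary group itself (known from primaryGroupID) plus the memberOf
    closure of the user's direct groups. With walk_primary=False the primary
    group's own parents are never visited, which reproduces the loss shown
    in steps 3 and 4 above. walk_primary=True (an assumption, not the
    project's fix) treats primaryGroupID as one more edge to walk."""
    u = directory["users"][user]
    primary = group_by_rid(directory, u["primaryGroupID"])
    groups = nested_parents(directory, u["memberOf"])
    if walk_primary:
        groups |= nested_parents(directory, [primary])
    else:
        groups.add(primary)
    return groups


def lost_memberships(directory, user):
    """Groups present after initgroups (tokenGroups) but absent after a
    link-based refresh: the memberships that `id user` made disappear."""
    return token_groups(directory, user) - memberof_groups(directory, user)


if __name__ == "__main__":
    print("tokenGroups:         ", sorted(token_groups(DIRECTORY, "puser")))
    print("memberOf walk:       ", sorted(memberof_groups(DIRECTORY, "puser")))
    print("lost after refresh:  ", sorted(lost_memberships(DIRECTORY, "puser")))
    print("primary group walked:", sorted(memberof_groups(DIRECTORY, "puser", walk_primary=True)))
```

Run as-is: the tokenGroups view contains parent_group and grandparent_group, the link-based view contains only Domain Users and direct_group, and the difference is exactly the nested groups that vanish between step 2 and step 4. Against a real domain, the same comparison can be made by fetching the user's tokenGroups and memberOf/primaryGroupID attributes with ldapsearch and diffing the two sets.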

Comment 10 Kaushik Banerjee 2013-01-20 15:17:26 UTC
Verified in version 1.9.2-74

Output from beaker automation run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: adprovider_015 bz887961 getgrgid removes nested group memberships
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

adding new entry "CN=primary user,CN=Users,DC=sssdad,DC=com"

adding new entry "CN=parent_group,CN=Users,DC=sssdad,DC=com"

modifying entry "CN=primary user,CN=Users,DC=sssdad,DC=com"

modifying entry "CN=primary user,CN=Users,DC=sssdad,DC=com"

modifying entry "CN=parent_group,CN=Users,DC=sssdad,DC=com"

Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]
[  OK  ]
:: [13:18:21] ::  Sleeping for 5 seconds
Domain Users gid number is 770800513
parent_group gid number is 770820521
Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]
[  OK  ]
:: [13:18:34] ::  Sleeping for 5 seconds
770800513 770820521
:: [   PASS   ] :: Running 'id -G puser | grep 770800513 | grep 770820521'
uid=770820520(puser) gid=770800513(domain users) groups=770800513(domain users),770820521(parent_group)
:: [   PASS   ] :: Running 'id puser | grep parent_group | grep domain'
770800513 770820521
:: [   PASS   ] :: Running 'id -G puser | grep 770800513 | grep 770820521'
'2cba848b-5ca3-479b-a3ba-c0afa9463650'
adprovider-015-bz887961-getgrgid-removes-nested-group-memberships result: PASS

Comment 11 errata-xmlrpc 2013-02-21 09:42:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html

