RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Created attachment 678136 [details]
LDIF used to upload users and groups to ldap server

Description of problem:
sssd_be crashes looking up members with groups outside the nesting limit

Version-Release number of selected component (if applicable):
1.9.2-68

How reproducible:
Always

Steps to Reproduce:
1. Use the attached ldif to add users and groups to the ldap server.
The structure is as follows:
Top:    Group1(member:nest_user1)
Mid:    Group2(member:nest_user2)
Lowest: Group3(member:nest_user3)

2. Add ldap_group_nesting_level = 1 in sssd.conf

3. # id nest_user3
uid=10297(nest_user3) gid=10002(Group_3) groups=10002(Group_3)

Actual results:
sssd_be crashes after id lookup is run. See attached backtrace.

Expected results:
sssd_be should not crash.

Additional info:
There is no crash with the following set of commands:
# id nest_user1; id nest_user3
uid=10299(nest_user1) gid=10000(Group_1) groups=10000(Group_1)
uid=10297(nest_user3) gid=10002(Group_3) groups=10002(Group_3),10001(Group_2),10000(Group_1)  <= But Group1 and Group2 should not be displayed here.

Created attachment 678137 [details]
Backtrace of sssd_be crash

Upstream ticket:
https://fedorahosted.org/sssd/ticket/1761

Pushed upstream.

Verified with version 1.9.2-74

Report from beaker automation run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Verify BZ-790848 and BZ-894997 -- when nesting limit is reached
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Sleeping for 5 seconds
:: [   PASS   ] :: Running 'restart_clearing_cache'
:: [   PASS   ] :: Running 'groups nest_user3'
:: [   PASS   ] :: File '/var/log/sssd/sssd_LDAP.log' should not contain '\[sysdb_update_members\] (0x0020): Could not add member \[Group_2\] to group \[Group_1\]'
:: [   PASS   ] :: File '/var/log/messages' should not contain 'segfault'
:: [   LOG    ] :: Duration: 20s
:: [   LOG    ] :: Assertions: 9 good, 0 bad
:: [   PASS   ] :: RESULT: Verify BZ-790848 and BZ-894997 -- when nesting limit is reached

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html