#1612 Nested groups are not retrieved appropriately from cache
Closed: Fixed None Opened 7 years ago by jhrozek.

https://bugzilla.redhat.com/show_bug.cgi?id=871843 (Red Hat Enterprise Linux 6)

Description of problem:
Nested groups not retrieved appropriately from cache

Version-Release number of selected component (if applicable):
sssd-1.9.2-4.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Create a nested group structure in AD as follows:
tuser1_top_grp1
      |
tuser1_mid_grp1
      |
    tuser1

2. Configure sssd to lookup users and groups via ldap provider:
The domain section that I used:
[domain/ADTEST]
debug_level = 0xFFF0
id_provider = ldap
ldap_schema = ad
ldap_uri = ldap://adserver
ldap_default_bind_dn = cn=Administrator,cn=Users,dc=sssdad,dc=com
ldap_default_authtok = xxxxxx
ldap_search_base = dc=sssdad,dc=com
ldap_force_upper_case_realm = True
ldap_referrals = false

3.
Issue1:
Lookup tuser1 in the following sequence:
# service sssd stop;rm -f /var/lib/sss/db/* /var/lib/sss/mc/*;service sssd start
Stopping sssd:                                             [  OK  ]
Starting sssd:                                             [  OK  ]

# getent group tuser1_mid_grp1
tuser1_mid_grp1:*:10004:tuser1

# getent group tuser1_top_grp1
tuser1_top_grp1:*:10003:tuser1

# id tuser1
uid=10004(tuser1) gid=10004(tuser1_mid_grp1) groups=10004(tuser1_mid_grp1)    <== Doesn't show tuser1_top_grp1

Issue2:
# service sssd stop;rm -f /var/lib/sss/db/* /var/lib/sss/mc/*;service sssd start
Stopping sssd:                                             [  OK  ]
Starting sssd:                                             [  OK  ]

# getent group tuser1_top_grp1
tuser1_top_grp1:*:10003:tuser1

# getent group tuser1_mid_grp1
tuser1_mid_grp1:*:10004:tuser1,tuser1    <== tuser1 is seen twice

Actual results:

Expected results:
a. for Issue1:
# id tuser1
uid=10004(tuser1) gid=10004(tuser1_mid_grp1) groups=10004(tuser1_mid_grp1),10003(tuser1_top_grp1)

b. for Issue2:
# getent group tuser1_mid_grp1
tuser1_mid_grp1:*:10004:tuser1

Additional info:

Fields changed

blockedby: =>
blocking: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
milestone: NEEDS_TRIAGE => SSSD 1.9.3
testsupdated: => 0

This is caused by the ghost users being propagated in the nested groups. The memberof plugin then converts all the ghost users into "member:" attributes which is wrong and causes breakage later.

owner: somebody => jhrozek
status: new => assigned

Fields changed

patch: 0 => 1

Fixed in master:
- 9dd91ef
- b22f24e
and sssd-1-9:
- 9dd91ef
- b22f24e

resolution: => fixed
status: assigned => closed
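
A regression check for the two symptoms reported in this ticket, added here as an example and not taken from the ticket or from SSSD's own code: it parses `getent group` and `id` output for duplicated members and for missing nested groups. The function names are hypothetical, the sample lines are copied from the reproduction steps above, and the default `uid=... gid=... groups=...` format of `id` is assumed.

```shell
#!/bin/sh
# Constructed sample input: output lines copied from the ticket's reproduction steps.
BAD_GROUP_LINE='tuser1_mid_grp1:*:10004:tuser1,tuser1'
GOOD_GROUP_LINE='tuser1_mid_grp1:*:10004:tuser1'
BAD_ID_LINE='uid=10004(tuser1) gid=10004(tuser1_mid_grp1) groups=10004(tuser1_mid_grp1)'
GOOD_ID_LINE='uid=10004(tuser1) gid=10004(tuser1_mid_grp1) groups=10004(tuser1_mid_grp1),10003(tuser1_top_grp1)'

# dup_members LINE (hypothetical helper): print each member listed more than
# once in a "name:passwd:gid:member,member,..." line from `getent group`.
dup_members() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | sed '/^$/d' | sort | uniq -d
}

# missing_groups ID_LINE GROUP... (hypothetical helper): print every expected
# group name that is absent from the groups= list of an `id USER` output line.
missing_groups() {
    id_line=$1; shift
    # Drop a trailing SELinux " context=..." field, then reduce
    # "groups=10004(a),10003(b)" to one group name per line.
    have=$(printf '%s\n' "$id_line" \
        | sed -n -e 's/ context=.*//' -e 's/.* groups=//p' \
        | tr ',' '\n' | sed 's/^[0-9]*(\(.*\))$/\1/')
    for g in "$@"; do
        printf '%s\n' "$have" | grep -qxF -- "$g" || printf '%s\n' "$g"
    done
}

# check_live USER GROUP... (hypothetical helper): run both checks against the
# live NSS view; returns non-zero if either symptom is present.
check_live() {
    user=$1; shift
    rc=0
    for g in "$@"; do
        d=$(dup_members "$(getent group "$g")")
        [ -z "$d" ] || { echo "duplicate member(s) in $g: $d"; rc=1; }
    done
    m=$(missing_groups "$(id "$user")" "$@")
    [ -z "$m" ] || { echo "$user is missing group(s):" $m; rc=1; }
    return $rc
}

# Demo on the constructed samples: prints "tuser1", then "tuser1_top_grp1".
dup_members "$BAD_GROUP_LINE"
missing_groups "$BAD_ID_LINE" tuser1_mid_grp1 tuser1_top_grp1
```

On a test host, clear the cache as in the reproduction steps, look the groups up in both orders, and run `check_live tuser1 tuser1_mid_grp1 tuser1_top_grp1` after each sequence.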

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.9.3

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2654

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
