#2406 Saving group membership fails if provider is AD, POSIX attributes are used and primary group contains the user as a member
Closed: Fixed None Opened 6 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1130017

Description of problem:
This bug hits setups where the id_provider is AD or the ldap_schema is set to
AD, at the same time POSIX attributes are used and at the same time the primary
group also includes the user as a 'member' attribute.

Version-Release number of selected component (if applicable):
sssd-1.11.6-14.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. prepare an AD server with POSIX attributes, enroll sssd to it
2. make sure the primary group of a user also has the 'member' attribute
pointing towards the user
3. run id user

Actual results:
saving group membership fails with:
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists]
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists)
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sysdb_store_group] (0x0400): Error: 17 (File exists)
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sdap_save_grpmem] (0x0080): sysdb_store_group failed: [17][File exists].
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sdap_save_grpmem] (0x0040): Failed to save members of group adgrp01

Expected results:
saving group membership succeeds.

Additional info:
It is not typical that the primary group also contains the user as a member. At
the same time, we have code that special-cases the AD provider so that also all
members of primary group are added as groups the user is a member of, because
that's what Windows clients do. This special-case breaks when the AD primary
group *also* contains the user as a member.

I think we should simply use ldb permissive control to save the membership.
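
An added example, not part of the ticket or of SSSD's code: a small Python triage script that finds this failure signature in backend logs. It rejoins hard-wrapped records, then reports each group whose save failed after ldb_modify returned "Attribute or value exists" in the same backend. The sample reuses the ticket's log records; the OTHER.EXAMPLE record and all function names in the script are constructed for illustration.

```python
import re

# Constructed sample: the first five records are the ticket's log excerpt (hard-wrapped);
# the last record (domain OTHER.EXAMPLE, group othergrp) is made up as a negative case.
SAMPLE_LOG = """\
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sysdb_set_entry_attr]
(0x0080): ldb_modify failed: [Attribute or value exists]
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sysdb_set_entry_attr]
(0x0040): Error: 17 (File exists)
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sysdb_store_group]
(0x0400): Error: 17 (File exists)
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sdap_save_grpmem]
(0x0080): sysdb_store_group failed: [17][File exists].
(Wed Aug 13 17:16:35 2014) [sssd[be[MARS.CORP.COM]]] [sdap_save_grpmem]
(0x0040): Failed to save members of group adgrp01
(Wed Aug 13 17:20:01 2014) [sssd[be[OTHER.EXAMPLE]]] [sdap_save_grpmem]
(0x0040): Failed to save members of group othergrp
"""

RECORD_START = re.compile(r"^\([^)]+\) \[sssd\[")
RECORD = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
                    r"\[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$")
FAILED_GROUP = re.compile(r"Failed to save members of group (\S+)")

def unwrap(log_text):
    """Rejoin records that were wrapped after the [function] field."""
    records = []
    for line in log_text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def find_duplicate_member_failures(log_text):
    """Return (timestamp, domain, group) for saves that failed on a duplicate value."""
    dup_seen, hits = set(), []  # dup_seen: backends with an unconsumed ldb duplicate error
    for rec in unwrap(log_text):
        m = RECORD.match(rec)
        if not m:
            continue
        if m["func"] == "sysdb_set_entry_attr" and "Attribute or value exists" in m["msg"]:
            dup_seen.add(m["domain"])
        elif m["func"] == "sdap_save_grpmem":
            g = FAILED_GROUP.search(m["msg"])
            if g and m["domain"] in dup_seen:
                dup_seen.discard(m["domain"])  # one ldb error explains one failed save
                hits.append((m["ts"], m["domain"], g.group(1)))
    return hits
```

Calling `find_duplicate_member_failures(SAMPLE_LOG)` reports adgrp01 in MARS.CORP.COM and skips the othergrp failure, which has no preceding duplicate-value error in its backend.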

As agreed on the Aug-14 meeting, moving to the 1.11.6 milestone

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
milestone: NEEDS_TRIAGE => SSSD 1.11.7
review: True => 0
selected: =>
testsupdated: => 0

Fields changed

owner: somebody => jhrozek
status: new => assigned

Fields changed

patch: 0 => 1

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.11.7

3 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/3448

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for any inconvenience.
