#2560 Users saved through extop don't have the originalMemberOf attribute
Closed: Fixed. Opened 4 years ago by jhrozek.

The attribute is used during HBAC checks. Normally it should be populated when the PAC responder is in use, but due to bugs like #2559 it might not be.


Fields changed

owner: somebody => sbose
patch: 0 => 1
status: new => assigned

milestone: NEEDS_TRIAGE => SSSD 1.12.4
resolution: => fixed
status: assigned => closed

I am running the updated code (sssd-1.12.2-43.1.el7.x86_64) on my IPA servers with success. A RHEL 7.1 client running sssd-1.12.2-28.el7.x86_64 works correctly, however a RHEL 7.0 client running sssd-1.11.2-68.el7_0.5.x86_64 has the same problem that causes failures when using HBAC.

Is this expected? Are there updated packages for RHEL7.0 and RHEL6?

Replying to [comment:4 jbaird]:

I am running the updated code (sssd-1.12.2-43.1.el7.x86_64) on my IPA servers with success. A RHEL 7.1 client running sssd-1.12.2-28.el7.x86_64 works correctly, however a RHEL 7.0 client running sssd-1.11.2-68.el7_0.5.x86_64 has the same problem that causes failures when using HBAC.

Is this expected? Are there updated packages for RHEL7.0 and RHEL6?

As discussed with Josh on IRC, clients prior to 7.1 only update the group membership of users from IPA trusts on login, via interaction with the PAC responder.

We are planning to bring in the same functionality as present in 7.1 into 6.7 -- just please note a 7.1 IPA server is required for 'id' to show all group memberships without logging in.

Additional fix:

Metadata Update from @jhrozek:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.12.4

2 years ago
