#2632 Override with --login fails trusted adusers group membership resolution
Closed: Fixed None Opened 5 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1213940

Description of problem:
Override for trusted AD users with --login causes failure for group membership
resolution prior to login

Version-Release number of selected component (if applicable):
[root@vm-idm-018 ~]# rpm -q sssd ipa-client
sssd-1.12.4-31.el6.x86_64
ipa-client-3.0.0-46.el6.x86_64

How reproducible:
always

Steps to Reproduce:

* On Server no override for aduser1@pune.adtest.qe

[root@sideswipe ~]# ipa idoverrideuser-find 'default trust view' aduser1@pune.adtest.qe
---------------------------
0 User ID overrides matched
---------------------------
----------------------------
Number of entries returned 0
----------------------------
[root@sideswipe ~]# service sssd stop ; rm -f /var/lib/sss/{db,mc}/* ; service sssd start
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service

* On Client group resolve prior to login works

[root@vm-idm-018 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]
[root@vm-idm-018 ~]# id aduser1@pune.adtest.qe
uid=839001130(aduser1@pune.adtest.qe) gid=839001130(aduser1@pune.adtest.qe) groups=839001130(aduser1@pune.adtest.qe),1148402424(adunigroup1@adtest.qe),839001172(adgroup2@pune.adtest.qe),839001120(adgroup1@pune.adtest.qe),839000513(domain users@pune.adtest.qe)


* On Server override added for aduser1@pune.adtest.qe with login name puser1

[root@sideswipe ~]# ipa idoverrideuser-add 'default trust view' aduser1@pune.adtest.qe --login puser1
-----------------------------------------------
Added User ID override "aduser1@pune.adtest.qe"
-----------------------------------------------
  Anchor to override: aduser1@pune.adtest.qe
  User login: puser1
[root@sideswipe ~]# service sssd stop ; rm -f /var/lib/sss/{db,mc}/* ; service sssd start
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service

* On Client group resolve fails prior to login. Group memberships are resolved
after the user logs in

[root@vm-idm-018 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]

[root@vm-idm-018 ~]# id aduser1@pune.adtest.qe
uid=839001130(puser1@pune.adtest.qe) gid=839001130(puser1@pune.adtest.qe) groups=839001130(puser1@pune.adtest.qe),839000513(domain users@pune.adtest.qe)

    * Restart sssd on both server and client

[root@vm-idm-018 ~]# id puser1@pune.adtest.qe
id: puser1@pune.adtest.qe: No such user        # bz1213822

[root@vm-idm-018 ~]# id puser1@pune.adtest.qe
uid=839001130(puser1@pune.adtest.qe) gid=839001130(puser1@pune.adtest.qe) groups=839001130(puser1@pune.adtest.qe),839000513(domain users@pune.adtest.qe)

    * Login as puser1 and then run id

[root@vm-idm-018 ~]# ssh -l puser1@pune.adtest.qe `hostname` echo 'login successful'
puser1@pune.adtest.qe@vm-idm-018.ipaviews.test's password:
login successful

[root@vm-idm-018 ~]# id puser1@pune.adtest.qe
uid=839001130(puser1@pune.adtest.qe) gid=839001130(puser1@pune.adtest.qe) groups=839001130(puser1@pune.adtest.qe),839000513(domain users@pune.adtest.qe),839001120(adgroup1@pune.adtest.qe),1148402424(adunigroup1@adtest.qe),839001172(adgroup2@pune.adtest.qe)
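
The following check is an added example, not part of the original report or of SSSD: it compares the GIDs in `id` output against a known-good baseline, which makes the incomplete resolution shown above detectable wherever access decisions depend on group membership. The function names are hypothetical, and the sample lines are the `id` outputs from this report with wrapped lines re-joined.

```shell
#!/bin/sh
# Added example (not from the ticket): detect incomplete group resolution by
# comparing the GIDs in `id` output against a known-good baseline.
# Function names are hypothetical.

# Print the numeric GIDs from the groups= field of one `id` output line,
# one per line. Group names may contain spaces ("domain users@..."), so
# only the digits in front of each "(" are used.
gids_from_id() {
    printf '%s\n' "$1" |
        sed -n 's/.*groups=//p' |
        tr ',' '\n' |
        sed -n 's/^\([0-9][0-9]*\)(.*/\1/p' |
        sort -n
}

# Print every GID that is in the baseline line ($1) but not in the
# current line ($2). Empty output means nothing is missing.
missing_gids() {
    mg_current=$(gids_from_id "$2")
    for mg_gid in $(gids_from_id "$1"); do
        printf '%s\n' "$mg_current" | grep -qx "$mg_gid" || printf '%s\n' "$mg_gid"
    done
}

# Sample input: `id` output from the report (no override / override before
# login / override after login).
BEFORE='uid=839001130(aduser1@pune.adtest.qe) gid=839001130(aduser1@pune.adtest.qe) groups=839001130(aduser1@pune.adtest.qe),1148402424(adunigroup1@adtest.qe),839001172(adgroup2@pune.adtest.qe),839001120(adgroup1@pune.adtest.qe),839000513(domain users@pune.adtest.qe)'
AFTER='uid=839001130(puser1@pune.adtest.qe) gid=839001130(puser1@pune.adtest.qe) groups=839001130(puser1@pune.adtest.qe),839000513(domain users@pune.adtest.qe)'
AFTER_LOGIN='uid=839001130(puser1@pune.adtest.qe) gid=839001130(puser1@pune.adtest.qe) groups=839001130(puser1@pune.adtest.qe),839000513(domain users@pune.adtest.qe),839001120(adgroup1@pune.adtest.qe),1148402424(adunigroup1@adtest.qe),839001172(adgroup2@pune.adtest.qe)'

missing=$(missing_gids "$BEFORE" "$AFTER")
if [ -n "$missing" ]; then
    echo "GIDs missing before login:" $missing
fi
missing=$(missing_gids "$BEFORE" "$AFTER_LOGIN")
if [ -z "$missing" ]; then
    echo "Group list complete after login"
fi
```

On a live client the second argument would be the output of `id` for the user, compared against a baseline captured while resolution was known to be correct.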

Fields changed

design_review: => 0
mark: no => 0
patch: 0 => 1
review: True => 0
testsupdated: => 0

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.12.5

resolution: => fixed
status: new => closed

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.12.5

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3673

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
