#2646 Disapeared groups with ad providers and enabled ignore_group_members
Closed: Fixed None Opened 4 years ago by lslebodn.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1212610

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

## Description of problem:

users sometimes are missing groups when using sssd-ad

## Version-Release number of selected component (if applicable):

sssd-ad-1.11.6-30.el6.x86_64

RHEL 6.6 <kernel-2.6.32-504.el6.x86_64>

## How reproducible:

Intermittent per customer

## Steps to Reproduce:
* configure ad provider
* enable option "ignore_group_members = true"
* call id for some user twice
  id user; id user


Customer did not have the "ldap_use_tokengroups" entry originally, assuming
this is on by default or set to "True" since the workaround is to set this
value to "False" for their Active Directory groups to show up.

# service sssd stop
# rm -f /var/log/sssd/*
# rm -f /var/lib/sss/db/*
# vi /etc/sssd/sssd.conf

[domain/company.com]
id_provider = ad
ldap_use_tokengroups = True *** OR remove this line

# service sssd start

## Actual results:

AD groups associated with the id do not show up.

## Expected results:

AD groups should always show up

## Additional info:

This bz was created per:

https://bugzilla.redhat.com/show_bug.cgi?id=1203440#c14

Workaround that was given to customer and seems to have fixed the groups issue

[domain/company.com]
id_provider = ad
ldap_use_tokengroups = False

The missing groups are caused by different processing of groups with enabled and disabled token groups. So the bug is reproducible with enabled options ignore_group_members and (it's enabled by default for ad provider)


Groups are returned for the first time of "id call" because after initial initgroups groups are stored with SID name:

[root@vm-049 sssd]# id -G neilan
180200513 182036014 182036016 182036018 182036022 182036029 182036030 182036031 182036032 182036033 182036034 182036046 182036050 182036051 182036052 182036053 182036054 182036056 182036058 182036060 182036062 182036063 182036069 182036072 182036073 182036081 182036082 182036085 182036086 182036089 182036092 182036093 182036094 182036097 182036103 182036108 182036109 182036112 182036113 182036114 182036115 182036119 182036121 182036123 182036124 182036126 182036130 182036131 182036133


[root@vm-049 sssd]# ldbsearch -H /var/lib/sss/db/cache_ad.example.comcom.ldb "(gidNumber = 182036097)" gidNumber name memberuid
asq: Unable to register control with rootdse!
# record 1
dn: name=S-1-5-21-2997650941-1802118864-3094776726-1836097,cn=groups,cn=ad.example.com,cn=sysdb
gidNumber: 182036097
name: S-1-5-21-2997650941-1802118864-3094776726-1836097
memberuid: neilan

sh# id neilan; id neilan
//snip

[root@vm-049 sssd]# ldbsearch -H /var/lib/sss/db/cache_ad.example.com.ldb "(gidNumber = 182036097)" gidNumber name memberuid
asq: Unable to register control with rootdse!
# record 1
dn: name=Exchange Public Folder Administrators,cn=groups,cn=ad.example.com,cn=sysdb
gidNumber: 182036097
name: Exchange Public Folder Administrators

The memberuid attribute is missing in the second ldb output.

_comment0: Groups are returned for the first time of "id call" because after initial initgroups groups are stored with SID name:

{{{
[root@vm-049 sssd]# id -G neilan
180200513 182036014 182036016 182036018 182036022 182036029 182036030 182036031 182036032 182036033 182036034 182036046 182036050 182036051 182036052 182036053 182036054 182036056 182036058 182036060 182036062 182036063 182036069 182036072 182036073 182036081 182036082 182036085 182036086 182036089 182036092 182036093 182036094 182036097 182036103 182036108 182036109 182036112 182036113 182036114 182036115 182036119 182036121 182036123 182036124 182036126 182036130 182036131 182036133

[root@vm-049 sssd]# ldbsearch -H /var/lib/sss/db/cache_tbad.idm.lab.eng.brq.redhat.com.ldb "(gidNumber = 182036097)" gidNumber name memberuid
asq: Unable to register control with rootdse!

record 1

dn: name=S-1-5-21-2997650941-1802118864-3094776726-1836097,cn=groups,cn=tbad.idm.lab.eng.brq.redhat.com,cn=sysdb
gidNumber: 182036097
name: S-1-5-21-2997650941-1802118864-3094776726-1836097
memberuid: neilan

sh# id neilan; id neilan
//snip

[root@vm-049 sssd]# ldbsearch -H /var/lib/sss/db/cache_tbad.idm.lab.eng.brq.redhat.com.ldb "(gidNumber = 182036097)" gidNumber name memberuid
asq: Unable to register control with rootdse!

record 1

dn: name=Exchange Public Folder Administrators,cn=groups,cn=tbad.idm.lab.eng.brq.redhat.com,cn=sysdb
gidNumber: 182036097
name: Exchange Public Folder Administrators
}}}

The memberuid attribute is missing in the second ldb output. => 1430378076840716
blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
review: True => 0
selected: =>
testsupdated: => 0

It is related to error message

[sysdb_store_group] (0x0080): A group with the same GID [182036097] was removed from the cache

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.12.5

Fields changed

owner: somebody => jhrozek
status: new => assigned

Fields changed

patch: 0 => 1

resolution: => fixed
status: assigned => closed

Metadata Update from @lslebodn:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.12.5

2 years ago

Login to comment on this ticket.

Metadata