#3115 Parent/s of primary group are not retrieved with tokengroups disabled
Closed: cloned-to-github 24 days ago by pbrezina. Opened 3 years ago by jstephen.

In AD I have 'Domain Users' which is a member of a basic group called 'nestedtestgroup'

When tokengroups is disabled and my primary group is Domain Users, running id does not find 'nestedtestgroup'

[root@rhel6-sssd-ad ~]# id justintime@jstephen.local
uid=489246999(justintime@jstephen.local) gid=489200513(domain users@jstephen.local) groups=489200513(domain users@jstephen.local),489201114(largegroup@jstephen.local)

If I change my primary group to a different group such as 'largegroup', or turn tokengroups on then the group is visible

[root@rhel6-sssd-ad ~]# id justintime@jstephen.local
uid=489246999(justintime@jstephen.local) gid=489201114 groups=489201114(largegroup@jstephen.local),489200513(domain users@jstephen.local),489247023(nestedtestgroup@jstephen.local)

Jakub's input:
With tokengroups we get the list of all SIDs the user is a member of,
including the parent group of the primary group, during the initgroups
operation, so the grouplist is complete. Normally, when we return the
grouplist during the initgroups operation, we return all the groups the
user is an explicit member of plus their primary group.

In contrast, when tokengroups are disabled, we run ldapsearches in the
rough form of:
1) objectclass=group and member=userDN <-- to get direct parents
2) then for each direct parent, until we either stop receiving groups
   or hit the nesting limit:
       for groupdn in this_nesting_level_groups:
           objectclass=group and member=groupdn
   but we only loop through the non-primary groups in the generic
   LDAP code, because normally in LDAP, admins don't add parent
   groups of the primary group.

I think what happens when tokengroups are disabled is that we don't
receive the parent group of the primary group from LDAP in some explicit
list like we do with tokengroups and we neither explicitly search for
it -- which I think is the missing piece.


Which version of sssd do you use?

cc: => lslebodn

I managed to reproduce this bug with sssd master as well. In fact, I asked Justin to file this ticket in the first place, but it's not a pressing issue because in the related downstream case, we were able to make tokengroups work.

By the way, see this comment in the code:

    /* With AD we also want to merge in parent groups of primary GID as they
     * are reported with tokenGroups, too
     */
    if (opts->schema_type == SDAP_SCHEMA_AD) {
        ret = sdap_dn_by_primary_gid(memctx, attrs, group_dom, opts,
                                     &userdns, &nuserdns);
        if (ret != EOK) {
            DEBUG(SSSDBG_MINOR_FAILURE,
                  "sdap_dn_by_primary_gid failed: [%d][%s].\n",
                  ret, strerror(ret));
            goto fail;
        }
    }

So if you add an AD group and add Domain Users as a member of this group, tokengroups reports this parent group, but w/o tokengroups, we never reach this group at all.
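The two-step search Jakub describes in the ticket description and the primary-GID merge the code comment above refers to, as an added Python model that is not sssd's code: a constructed directory modelled on the ticket's domain, the member-based walk with a nesting limit, and a toggle for seeding the walk with the primary group's DN. The TOPLEVEL group and the DN strings are assumptions, and the nesting limit is a constructed value.

```python
NESTING_LIMIT = 2  # constructed; sssd's own limit is the ldap_group_nesting_level option

# Constructed DNs modelled on the ticket's domain (not real directory objects).
USER = "CN=justintime,CN=Users,DC=jstephen,DC=local"
DOMAIN_USERS = "CN=Domain Users,CN=Users,DC=jstephen,DC=local"
LARGEGROUP = "CN=largegroup,CN=Users,DC=jstephen,DC=local"
NESTEDTESTGROUP = "CN=nestedtestgroup,CN=Users,DC=jstephen,DC=local"
TOPLEVEL = "CN=toplevel,CN=Users,DC=jstephen,DC=local"  # hypothetical parent of largegroup

def build_directory(primary_group_dn):
    """Constructed AD-like data: group DN -> DNs in its 'member' attribute.
    AD keeps primary-group membership in the user's primaryGroupID, not in
    the group's 'member', so the primary group never lists the user here."""
    explicit = {DOMAIN_USERS, LARGEGROUP} - {primary_group_dn}
    return {
        DOMAIN_USERS: {USER} if DOMAIN_USERS in explicit else set(),
        LARGEGROUP: {USER} if LARGEGROUP in explicit else set(),
        NESTEDTESTGROUP: {DOMAIN_USERS},  # Domain Users nested in it, as in the ticket
        TOPLEVEL: {LARGEGROUP},
    }

def groups_with_member(directory, dn):
    """Model of the search '(&(objectclass=group)(member=<dn>))'."""
    return {g for g, members in directory.items() if dn in members}

def resolve_groups(directory, user_dn, primary_group_dn, merge_primary_parents):
    """Group DNs the user ends up in after the nested walk.
    merge_primary_parents=False mirrors the reported behaviour: the walk is
    seeded only with groups found via 'member', so the primary group's parents
    are never searched for. True also seeds it with the primary group's DN,
    the missing piece the ticket points at."""
    direct = groups_with_member(directory, user_dn)   # step 1: direct parents
    found = direct | {primary_group_dn}               # primary group is always returned
    frontier = set(direct)
    if merge_primary_parents:
        frontier.add(primary_group_dn)
    level = 0
    while frontier and level < NESTING_LIMIT:         # step 2: walk upwards
        next_frontier = set()
        for group_dn in frontier:
            for parent in groups_with_member(directory, group_dn) - found:
                found.add(parent)
                next_frontier.add(parent)
        frontier = next_frontier
        level += 1
    return found
```

With Domain Users as the primary group the unseeded walk reproduces the first `id` output (no nestedtestgroup); switching the primary group to largegroup makes nestedtestgroup reachable through the user's explicit membership, as in the second output.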

Fields changed

milestone: NEEDS_TRIAGE => SSSD Deferred

Fields changed

rhbz: => todo

Metadata Update from @jstephen:
- Issue set to the milestone: SSSD Patches welcome

3 years ago

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1478077 (was: todo)

2 years ago


Metadata Update from @jhrozek:
- Custom field design_review reset (from 0)
- Custom field mark reset (from 0)
- Custom field patch reset (from 0)
- Custom field review reset (from 0)
- Custom field sensitive reset (from 0)
- Custom field testsupdated reset (from 0)
- Issue close_status updated to: None
- Issue set to the milestone: None (was: SSSD Patches welcome)

2 years ago

Metadata Update from @jhrozek:
- Custom field design_review reset (from false)
- Custom field mark reset (from false)
- Custom field patch reset (from false)
- Custom field review reset (from false)
- Custom field sensitive reset (from false)
- Custom field testsupdated reset (from false)
- Issue set to the milestone: SSSD Future releases (no date set yet)

2 years ago

Metadata Update from @thalman:
- Custom field design_review reset (from false)
- Custom field mark reset (from false)
- Custom field patch reset (from false)
- Custom field review reset (from false)
- Custom field sensitive reset (from false)
- Custom field testsupdated reset (from false)
- Issue tagged with: bugzilla

2 months ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4148

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @pbrezina:
- Issue close_status updated to: cloned-to-github
- Issue status updated to: Closed (was: Open)

24 days ago
