#3222 sssd still showing ipa user after removed from last group
Opened 2 years ago by jhrozek. Modified 2 years ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1364596

Description of problem:

I am seeing sssd still show a user as a member of a group after it was removed
from the group and "sss_cache -UG" is run.

Running the Web_App_Authentication tests, the LookupUserGroup tests are showing
a user is still a member of a group after it is removed.  Even running
sss_cache doesn't change that.  During the tests, I see the first group
membership change reflected immediately.  When the user is removed from the
last group, though, it is still seen as a member.


Version-Release number of selected component (if applicable):
sssd-1.14.0-14.el7.x86_64
mod_lookup_identity-0.9.5-1.el7.x86_64
sssd-dbus-1.14.0-14.el7.x86_64

How reproducible:
always

Steps to Reproduce:
ON IPA Master host:
1.  ipa-server-install

ON Web server

2.  ipa-client-install

3.  yum -y install httpd mod_ssl mod_authnz_pam mod_lookup_identity sssd-dbus

4.  yum remove mod_nss

5.  Setup minimal web app http config:

[root@rhel7-2 ~]# cat /etc/httpd/conf.d/app1.conf
LoadModule authnz_pam_module modules/mod_authnz_pam.so
LoadModule lookup_identity_module modules/mod_lookup_identity.so

<Location /app1>
  AuthType Basic
  AuthName "private area"
  AuthBasicProvider PAM
  AuthPAMService app1
  Require valid-user
  ErrorDocument 401 'FAIL'
  LookupUserAttr mail REMOTE_USER_EMAIL " "
  LookupUserAttr firstname REMOTE_USER_FIRSTNAME
  LookupUserAttr lastname REMOTE_USER_LASTNAME
  LookupUserGroups REMOTE_USER_GROUPS ":"
  LookupUserGroupsIter REMOTE_USER_GROUPS
  LookupUserGroups REMOTE_USER_GROUPS ":"
  LookupUserGroupsIter REMOTE_USER_GROUPS
</Location>

<Directory /var/www/html/app1>
  Options +Includes
  AddType text/html .shtml
  AddOutputFilter INCLUDES .shtml
</Directory>

6.  Setup shtml file with SSI to show vars

[root@rhel7-2 ~]# cat /var/www/html/app1/index.shtml
<html>
<body>
REMOTE_ADDR=<!--#echo var="REMOTE_ADDR"-->
REMOTE_PORT=<!--#echo var="REMOTE_PORT"-->
REMOTE_USER=<!--#echo var="REMOTE_USER"-->
REMOTE_USER_FIRSTNAME=<!--#echo var="REMOTE_USER_FIRSTNAME"-->
REMOTE_USER_LASTNAME=<!--#echo var="REMOTE_USER_LASTNAME"-->
REMOTE_USER_GROUPS=<!--#echo var="REMOTE_USER_GROUPS"-->
REMOTE_USER_GROUPS_1=<!--#echo var="REMOTE_USER_GROUPS_1"-->
REMOTE_USER_GROUPS_N=<!--#echo var="REMOTE_USER_GROUPS_N"-->
</body>
</html>

7.  kinit admin
8.  ipa user-add webuser --first=web --last=user --password
9.  kinit webuser
10.  ipa group-add webgroup1
11.  ipa group-add webgroup2
12.  ipa group-add-member webgroup1 --users=webuser
13.  ipa group-add-member webgroup2 --users=webuser
14.  curl -u webuser:Secret123 https://$(hostname)/app1/index.shtml
15.  ipa group-remove-member webgroup2 --users=webuser
16.  curl -u webuser:Secret123 https://$(hostname)/app1/index.shtml
17.  ipa group-remove-member webgroup1 --users=webuser
18.  curl -u webuser:Secret123 https://$(hostname)/app1/index.shtml
19.  sss_cache -UG
20.  curl -u webuser:Secret123 https://$(hostname)/app1/index.shtml

Actual results:

Step 18 and 20 both show the user still as a member of webgroup1.

Expected results:

I would expect at least after invalidating all users/groups that it would be
looked up again and no group membership show.

Additional info:

Fields changed

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
owner: somebody => pcech
review: True => 0
selected: =>
testsupdated: => 0

Fields changed

status: new => assigned

Petr is already working on this ticket.

milestone: NEEDS_TRIAGE => SSSD 1.14.3

Reproducer in bash (not always working):

#!/bin/bash

# PREPARING
ipa user-add --first=Test --last=User --email=tu1@domain.sssd testuser
ipa group-add testgroup

# REPRODUCER
systemctl daemon-reload
sudo su -c "truncate -s0 /var/log/sssd/*.log"
sudo su -c "rm -f /var/lib/sss/db/*"
sudo su -c "rm -f /var/lib/sss/mc/*"
systemctl restart sssd

date && getent group testgroup
ipa group-add-member --users=testuser testgroup
sss_cache -UG && getent group testgroup

ipa group-remove-member --users=testuser testgroup
sss_cache -UG && getent group testgroup

# CLEANING
ipa group-del testgroup
ipa user-del testuser

Configuration:

[domain/ipa.beta]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = beta
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = mirach.beta
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, algol.beta
dyndns_iface = ens3
ldap_tls_cacert = /etc/ipa/ca.crt

debug_level = 0xFFFF0

[sssd]
services = nss, sudo, pam, ssh
domains = ipa.beta

debug_level = 0xFFFFF0

[nss]
homedir_substring = /home

If testuser isn't removed, we can see this in the cache db:

dn: name=testuser@ipa.beta,cn=users,cn=ipa.beta,cn=sysdb
createTimestamp: 1477042908
fullName: Test User
gecos: Test User
gidNumber: 1703800527
homeDirectory: /home/testuser
loginShell: /bin/sh
name: testuser@ipa.beta
objectClass: user
uidNumber: 1703800527
uniqueID: 953acf6e-9772-11e6-af3e-5254001a3efa
originalDN: uid=testuser,cn=users,cn=accounts,dc=beta
originalMemberOf: cn=ipausers,cn=groups,cn=accounts,dc=beta
originalModifyTimestamp: 20161021094146Z
entryUSN: 27047
userPrincipalName: testuser@BETA
mail: tu1@domain.sssd
nameAlias: testuser@ipa.beta
lastUpdate: 1477042908
dataExpireTimestamp: 1477048308
overrideDN: name=testuser@ipa.beta,cn=users,cn=ipa.beta,cn=sysdb
memberof: name=ipausers@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb
memberof: name=testgroup@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb
initgrExpireTimestamp: 1477048308
distinguishedName: name=testuser@ipa.beta,cn=users,cn=ipa.beta,cn=sysdb

dn: name=testuser@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb
createTimestamp: 1477042908
gidNumber: 1703800527
name: testuser@ipa.beta
objectClass: group
uniqueID: 9540c752-9772-11e6-af3e-5254001a3efa
isPosix: TRUE
originalDN: cn=testuser,cn=groups,cn=accounts,dc=beta
originalModifyTimestamp: 20161021094146Z
entryUSN: 27039
nameAlias: testuser@ipa.beta
lastUpdate: 1477042908
dataExpireTimestamp: 1477048308
overrideDN: name=testuser@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb
distinguishedName: name=testuser@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb

dn: name=testgroup@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb
createTimestamp: 1477042908
gidNumber: 1703800528
name: testgroup@ipa.beta
objectClass: group
uniqueID: 9597bcba-9772-11e6-8594-5254001a3efa
isPosix: TRUE
originalDN: cn=testgroup,cn=groups,cn=accounts,dc=beta
nameAlias: testgroup@ipa.beta
overrideDN: name=testgroup@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb
originalModifyTimestamp: 20161021094148Z
entryUSN: 27062
orig_member: uid=testuser,cn=users,cn=accounts,dc=beta
lastUpdate: 1477042909
dataExpireTimestamp: 1477048309
member: name=testuser@ipa.beta,cn=users,cn=ipa.beta,cn=sysdb
memberuid: testuser@ipa.beta
distinguishedName: name=testgroup@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb
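A check for the symptom described in this comment, written as an added example (it is neither the ticket's nor sssd's code): it parses a cache dump in the LDIF-like form quoted above and reports any user entry whose memberof is not backed by a member attribute on the group entry, which is how a stale webgroup1/testgroup membership shows up on disk. It assumes the dump was produced with ldbsearch against the cache_*.ldb file under /var/lib/sss/db/; the sample input is constructed.

```python
# Added example (not from the ticket or sssd): cross-check an sssd sysdb cache
# dump, in the LDIF-like form ldbsearch prints for /var/lib/sss/db/cache_*.ldb,
# for users whose memberof names a group that no longer lists them in member.

def parse_ldif(text):
    """Split LDIF-style text into {attr: [values]} dicts, one per entry."""
    entries, current = [], {}
    for line in text.splitlines():
        if line.startswith("#"):  # ldbsearch's "# record N" comment lines
            continue
        if not line.strip():  # blank line ends the current entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries

def stale_memberships(text):
    """Return (user_dn, group_dn) pairs where memberof is not backed by member."""
    entries = parse_ldif(text)
    by_dn = {e["dn"][0]: e for e in entries if "dn" in e}
    stale = []
    for entry in entries:
        if "user" not in entry.get("objectClass", []):
            continue
        user_dn = entry["dn"][0]
        for group_dn in entry.get("memberof", []):
            group = by_dn.get(group_dn)
            if group is None:  # group not in the dump: nothing to compare against
                continue
            if user_dn not in group.get("member", []):
                stale.append((user_dn, group_dn))
    return stale

# Constructed sample modelled on the ticket's dump, as it would look after the
# group-remove-member: the user still carries memberof, the group has no member.
SAMPLE = """\
dn: name=testuser@ipa.beta,cn=users,cn=ipa.beta,cn=sysdb
objectClass: user
memberof: name=testgroup@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb

dn: name=testgroup@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb
objectClass: group
name: testgroup@ipa.beta
"""
```

Running `stale_memberships` over a fresh dump right after the remove-member step, and again after `sss_cache -UG`, makes the cached stale membership visible without going through the web app.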

Metadata Update from @jhrozek:
- Issue assigned to pcech
- Issue set to the milestone: SSSD 1.14.3

2 years ago

