#3222 sssd still showing ipa user after removed from last group
Closed: cloned-to-github 8 months ago by pbrezina. Opened 4 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1364596

Description of problem:

I am seeing sssd still show a user as a member of a group after it was removed
from the group and "sss_cache -UG" is run.

Running the Web_App_Authentication tests, the LookupUserGroup tests are showing
a user still is a member of a group after it is removed.  Even running
sss_cache doesn't change that.  During the tests, I see the first group
membership change reflected immediately.  When the user is removed from the
last group, though, it is still seen as a member.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
ON IPA Master host:
1.  ipa-server-install

ON Web server

2.  ipa-client-install

3.  yum -y install httpd mod_ssl mod_authnz_pam mod_lookup_identity sssd-dbus

4.  yum remove mod_nss

5.  Setup minimal web app http config:

[root@rhel7-2 ~]# cat /etc/httpd/conf.d/app1.conf
LoadModule authnz_pam_module modules/mod_authnz_pam.so
LoadModule lookup_identity_module modules/mod_lookup_identity.so

<Location /app1>
  AuthType Basic
  AuthName "private area"
  AuthBasicProvider PAM
  AuthPAMService app1
  Require valid-user
  ErrorDocument 401 'FAIL'
  LookupUserAttr mail REMOTE_USER_EMAIL " "
  LookupUserAttr firstname REMOTE_USER_FIRSTNAME
  LookupUserAttr lastname REMOTE_USER_LASTNAME
  LookupUserGroups REMOTE_USER_GROUPS ":"
  LookupUserGroupsIter REMOTE_USER_GROUPS
  LookupUserGroups REMOTE_USER_GROUPS ":"
  LookupUserGroupsIter REMOTE_USER_GROUPS
</Location>

<Directory /var/www/html/app1>
  Options +Includes
  AddType text/html .shtml
  AddOutputFilter INCLUDES .shtml
</Directory>

6.  Setup shtml file with SSI to show vars

[root@rhel7-2 ~]# cat /var/www/html/app1/index.shtml
REMOTE_ADDR=<!--#echo var="REMOTE_ADDR"-->
REMOTE_PORT=<!--#echo var="REMOTE_PORT"-->
REMOTE_USER=<!--#echo var="REMOTE_USER"-->

7.  kinit admin
8.  ipa user-add webuser --first=web --last=user --password
9.  kinit webuser
10.  ipa group-add webgroup1
11.  ipa group-add webgroup2
12.  ipa group-add-member webgroup1 --users=webuser
13.  ipa group-add-member webgroup2 --users=webuser
14.  curl -u webuser:Secret123 https://$(hostname)/app1/index.shtml
15.  ipa group-remove-member webgroup2 --users=webuser
16.  curl -u webuser:Secret123 https://$(hostname)/app1/index.shtml
17.  ipa group-remove-member webgroup1 --users=webuser
18.  curl -u webuser:Secret123 https://$(hostname)/app1/index.shtml
19.  sss_cache -UG
20.  curl -u webuser:Secret123 https://$(hostname)/app1/index.shtml

Actual results:

Steps 18 and 20 both show the user still as a member of webgroup1.

Expected results:

I would expect that, at least after invalidating all users/groups, it would be
looked up again and no group membership shown.

Additional info:

Fields changed

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
owner: somebody => pcech
review: True => 0
selected: =>
testsupdated: => 0

Fields changed

status: new => assigned

Petr is already working on this ticket.

milestone: NEEDS_TRIAGE => SSSD 1.14.3

Reproducer for bash (not always working):

#!/bin/bash

# create a test user and a test group on the IPA server
ipa user-add --first=Test --last=User --email=tu1@domain.sssd testuser
ipa group-add testgroup

# start from an empty sssd cache and fresh logs
systemctl daemon-reload
sudo su -c "truncate -s0 /var/log/sssd/*.log"
sudo su -c "rm -f /var/lib/sss/db/*"
sudo su -c "rm -f /var/lib/sss/mc/*"
systemctl restart sssd

# membership before the change, then after adding the user
date && getent group testgroup
ipa group-add-member --users=testuser testgroup
sss_cache -UG && getent group testgroup

# remove the user again; getent should no longer list testuser
ipa group-remove-member --users=testuser testgroup
sss_cache -UG && getent group testgroup

# cleanup
ipa group-del testgroup
ipa user-del testuser

# sssd.conf on the client; the section headers are an assumption reconstructed
# from the option names, the pasted fragment did not include them
[domain/ipa.beta]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = beta
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = mirach.beta
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, algol.beta
dyndns_iface = ens3
ldap_tls_cacert = /etc/ipa/ca.crt

debug_level = 0xFFFF0

[sssd]
services = nss, sudo, pam, ssh
domains = ipa.beta

debug_level = 0xFFFFF0

[nss]
homedir_substring = /home

If testuser isn't removed, we can see this in the cache db:

dn: name=testuser@ipa.beta,cn=users,cn=ipa.beta,cn=sysdb
createTimestamp: 1477042908
fullName: Test User
gecos: Test User
gidNumber: 1703800527
homeDirectory: /home/testuser
loginShell: /bin/sh
name: testuser@ipa.beta
objectClass: user
uidNumber: 1703800527
uniqueID: 953acf6e-9772-11e6-af3e-5254001a3efa
originalDN: uid=testuser,cn=users,cn=accounts,dc=beta
originalMemberOf: cn=ipausers,cn=groups,cn=accounts,dc=beta
originalModifyTimestamp: 20161021094146Z
entryUSN: 27047
userPrincipalName: testuser@BETA
mail: tu1@domain.sssd
nameAlias: testuser@ipa.beta
lastUpdate: 1477042908
dataExpireTimestamp: 1477048308
overrideDN: name=testuser@ipa.beta,cn=users,cn=ipa.beta,cn=sysdb
memberof: name=ipausers@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb
memberof: name=testgroup@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb
initgrExpireTimestamp: 1477048308
distinguishedName: name=testuser@ipa.beta,cn=users,cn=ipa.beta,cn=sysdb

dn: name=testuser@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb
createTimestamp: 1477042908
gidNumber: 1703800527
name: testuser@ipa.beta
objectClass: group
uniqueID: 9540c752-9772-11e6-af3e-5254001a3efa
isPosix: TRUE
originalDN: cn=testuser,cn=groups,cn=accounts,dc=beta
originalModifyTimestamp: 20161021094146Z
entryUSN: 27039
nameAlias: testuser@ipa.beta
lastUpdate: 1477042908
dataExpireTimestamp: 1477048308
overrideDN: name=testuser@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb
distinguishedName: name=testuser@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb

dn: name=testgroup@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb
createTimestamp: 1477042908
gidNumber: 1703800528
name: testgroup@ipa.beta
objectClass: group
uniqueID: 9597bcba-9772-11e6-8594-5254001a3efa
isPosix: TRUE
originalDN: cn=testgroup,cn=groups,cn=accounts,dc=beta
nameAlias: testgroup@ipa.beta
overrideDN: name=testgroup@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb
originalModifyTimestamp: 20161021094148Z
entryUSN: 27062
orig_member: uid=testuser,cn=users,cn=accounts,dc=beta
lastUpdate: 1477042909
dataExpireTimestamp: 1477048309
member: name=testuser@ipa.beta,cn=users,cn=ipa.beta,cn=sysdb
memberuid: testuser@ipa.beta
distinguishedName: name=testgroup@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb
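An added diagnostic for dumps like the one above (example code written for this ticket page, not part of SSSD): it parses the LDIF that `ldbsearch` prints for the sysdb cache and lists user entries whose sysdb `memberof` links name a group that is missing from the user's server-side `originalMemberOf` snapshot, which is exactly the shape of the stale testgroup link in the dump above (memberof has testgroup, originalMemberOf only ipausers). It also evaluates `dataExpireTimestamp`, the attribute `sss_cache -UG` is expected to push into the past. The sample dump is a trimmed, constructed copy of the entries quoted in the comment; attribute names are the ones from the dump, the ldb file path in the usage note is an assumption following sssd's `cache_<domain>.ldb` naming. Because `originalMemberOf` is only refreshed when the user entry itself is looked up, a finding is a candidate to re-check against the server, not proof of a bug.

```python
"""Flag sysdb group links that the server-side memberOf snapshot does not
back.  Added example for this ticket, not SSSD code."""
import sys
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Constructed sample: a trimmed copy of the cache entries quoted in the
# ticket, with testuser still linked to testgroup after the removal.
SAMPLE_DUMP = """\
dn: name=testuser@ipa.beta,cn=users,cn=ipa.beta,cn=sysdb
name: testuser@ipa.beta
objectClass: user
originalDN: uid=testuser,cn=users,cn=accounts,dc=beta
originalMemberOf: cn=ipausers,cn=groups,cn=accounts,dc=beta
memberof: name=ipausers@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb
memberof: name=testgroup@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb
dataExpireTimestamp: 1477048308

dn: name=testgroup@ipa.beta,cn=groups,cn=ipa.beta,cn=sysdb
name: testgroup@ipa.beta
objectClass: group
originalDN: cn=testgroup,cn=groups,cn=accounts,dc=beta
orig_member: uid=testuser,cn=users,cn=accounts,dc=beta
member: name=testuser@ipa.beta,cn=users,cn=ipa.beta,cn=sysdb
memberuid: testuser@ipa.beta
dataExpireTimestamp: 1477048309
"""


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Parse the one-attribute-per-line LDIF that ldbsearch prints.
    Attribute names are lower-cased, values keep their case.  Base64
    values and folded lines are not handled (sysdb dumps rarely use them)."""
    entries: Dict[str, Entry] = {}
    current: Entry = {}
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last entry
        line = raw.rstrip()
        if not line:
            if "dn" in current:
                entries[current["dn"][0].lower()] = current
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue  # not an attribute line
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def rdn_value(dn: str) -> str:
    """Value of the first RDN: 'cn=testgroup,cn=groups,...' -> 'testgroup'."""
    return dn.split(",", 1)[0].partition("=")[2].strip()


def short_name(sysdb_name: str) -> str:
    """Strip the sysdb domain suffix: 'testgroup@ipa.beta' -> 'testgroup'."""
    return sysdb_name.split("@", 1)[0].lower()


def find_unbacked_memberships(entries: Dict[str, Entry]) -> List[Tuple[str, str]]:
    """(user, group) pairs where a sysdb memberof link exists but the group
    is absent from the user's originalMemberOf snapshot taken from the server."""
    findings: List[Tuple[str, str]] = []
    for dn, entry in entries.items():
        classes = [c.lower() for c in entry.get("objectclass", [])]
        if "user" not in classes:
            continue
        server_groups = {rdn_value(g).lower() for g in entry.get("originalmemberof", [])}
        user = short_name(rdn_value(dn))
        for link in entry.get("memberof", []):
            group = short_name(rdn_value(link))
            if group not in server_groups:
                findings.append((user, group))
    return findings


def is_expired(entry: Entry, now: int) -> bool:
    """True when dataExpireTimestamp is at or before `now`.  sss_cache
    invalidates an entry by setting the timestamp to 1, so an invalidated
    entry always reports as expired; a missing attribute is treated the
    same way (conservative)."""
    return int(entry.get("dataexpiretimestamp", ["0"])[0]) <= now


def report(entries: Dict[str, Entry], now: int) -> List[str]:
    """Human-readable findings: unbacked links plus entries still valid."""
    lines = []
    for user, group in find_unbacked_memberships(entries):
        lines.append(f"{user}: sysdb links to {group}, server snapshot does not")
    for dn, entry in entries.items():
        if not is_expired(entry, now):
            lines.append(f"{rdn_value(dn)}: still valid until {entry['dataexpiretimestamp'][0]}")
    return lines


if __name__ == "__main__":
    import time
    # read a real dump from stdin, fall back to the constructed sample
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for line in report(parse_ldif(text), int(time.time())):
        print(line)
```

On a client, feed it the real cache with `ldbsearch -H /var/lib/sss/db/cache_ipa.beta.ldb | python3 sysdb_links.py` (ldbsearch comes from ldb-tools; the file name assumes the `cache_<domain>.ldb` convention). Lines reported as "still valid" right after `sss_cache -UG` mean the invalidation did not reach those entries, which is the situation step 20 of the original report describes.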

Metadata Update from @jhrozek:
- Issue assigned to pcech
- Issue set to the milestone: SSSD 1.14.3

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4255

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @pbrezina:
- Issue close_status updated to: cloned-to-github
- Issue status updated to: Closed (was: Open)

8 months ago
