#3314 sssd ignores entire groups from proxy provider if one member is listed twice
Closed: Fixed 3 years ago Opened 3 years ago by pcech.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1415670

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

If there is duplicity of users in a group, sssd doesn't show this group correctly. SSSD is configured with the files provider and we need a little change in /etc/nsswitch.conf too. See below.

Configuration:

# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = shadowutils
debug_level = 0xFFFF0

[nss]
filter_groups = root
filter_users = root
debug_level = 0xFFFF0

[pam]
offline_credentials_expiration = 365
debug_level = 0xFFFF0

[domain/shadowutils]
id_provider = proxy
proxy_lib_name = files

auth_provider = proxy
proxy_pam_target = sssd-shadowutils
proxy_fast_alias = True
debug_level = 0xFFFF0


# cat /etc/nsswitch.conf
[...]
passwd:     files sss
shadow:     files sss
group:      sss


Preparation:

useradd test_user
groupadd test_group
usermod -a -G test_group test_user

# And manually add test_user to /etc/group to test_group again, so it looks like:
# [...]
# test_group:x:1001:test_user,test_user

Reproducer:

systemctl stop sssd
rm -fR /var/lib/sss/db/*.ldb
systemctl start sssd
truncate -s0 /var/log/sssd/*.log
getent group test_group
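
A check for the condition this ticket reproduces, as an added example that is not part of the original ticket or of SSSD's code: it scans an /etc/group-format file and reports every group that lists the same member more than once. The function name `find_duplicate_members` and the sample entries other than `test_group` are constructed for illustration.

```shell
#!/bin/sh
# Report groups whose member list (4th field of an /etc/group-style file)
# names the same user more than once.
# Output: one "group:member" line per duplicated member.
# Exit status: 1 if any duplicate was found, 0 otherwise.
find_duplicate_members() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }             # skip comments and blank lines
        NF < 4         { next }             # not a complete group entry
        {
            split("", seen)                 # portable way to clear the array
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) {
                m = members[i]
                if (m == "") continue       # tolerate stray commas
                if (++seen[m] == 2) {       # report once, at the 2nd occurrence
                    print $1 ":" m
                    found = 1
                }
            }
        }
        END { exit (found ? 1 : 0) }
    ' "${1:-/etc/group}"
}

# Constructed sample mirroring the Preparation step above.
sample=$(mktemp)
printf '%s\n' \
    'root:x:0:' \
    'wheel:x:10:alice,bob' \
    'test_group:x:1001:test_user,test_user' > "$sample"
find_duplicate_members "$sample" || echo "duplicate group members found"
rm -f "$sample"
```

Run without an argument, the function reads the local /etc/group, which is the file the proxy provider resolves through `proxy_lib_name = files` in the configuration above.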

Fields changed

owner: somebody => pcech

Fields changed

status: new => assigned

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.15.2

Metadata Update from @pcech:
- Issue assigned to pcech
- Issue set to the milestone: SSSD 1.15.2

3 years ago

Metadata Update from @pcech:
- Issue close_status updated to: None

3 years ago

Metadata Update from @jhrozek:
- Custom field design_review reset
- Custom field mark reset
- Custom field patch reset
- Custom field review reset
- Custom field sensitive reset
- Custom field testsupdated reset
- Issue set to the milestone: SSSD 1.15.3 (was: SSSD 1.15.2)

3 years ago

Metadata Update from @jhrozek:
- Custom field design_review reset
- Custom field mark reset
- Custom field patch reset
- Custom field review reset
- Custom field sensitive reset
- Custom field testsupdated reset
- Issue close_status updated to: Fixed
- Issue set to the milestone: SSSD 1.15.2 (was: SSSD 1.15.3)
- Issue status updated to: Closed (was: Open)

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4347

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
