Learn more about these different git repos.
Other Git URLs
Replication of issue on clean installation of IPA server running on CentOS 7.4. The client is CentOS 6 or 7:
sssd-1.13.3-57.el6_9.x86_64 sssd-1.15.2-50.el7_4.8.x86_64
sssd.conf is attached to this issue.
On IPA server:
$ ipa hbacrule-add --usercat=all --hostcat=all --servicecat=all any_to_any $ ipa user-add --first=u --last=1 u1 $ ipa passwd u1 $ ipa group-add a $ ipa group-add b $ ipa group-add c $ ipa group-add-member --groups=a b $ ipa group-add-member --groups=b c $ ipa group-add-member --users=u1 a $ ipa user-show u1 | grep group Member of groups: a, ipausers Indirect Member of group: c, b
icc6 is a name of host with CentOS 6. Same happens on client with CentOS 7. Starting with clean cache:
$ service sssd stop $ find /var/lib/sss/ ! -type d -delete $ service sssd start
$ ssh -q u1@icc6 groups u1@icc6's password: ipausers a b c
All is well. On server:
$ ipa group-add-member --users=u1 b
Back to client:
All is still well.
On server:
$ ipa group-remove-member --users=u1 b
and back to client:
$ ssh -q u1@icc6 groups u1@icc6's password: ipausers a c
Group b is missing but it should be there.
It seems I can not attach files. sssd.conf content:
$ cat sssd.conf [domain/x.y.z] cache_credentials = True krb5_store_password_if_offline = True krb5_realm = X.Y.Z ipa_domain = x.y.z id_provider = ipa auth_provider = ipa access_provider = ipa chpass_provider = ipa ipa_hostname = icc6.x.y.z ipa_server = ipa4server01.x.y.z ldap_uri = ldap://ipa4server01.x.y.z krb5_server = ipa4server01.x.y.z ldap_tls_cacert = /etc/ipa/ca.crt sudo_provider = ldap ldap_sudo_search_base = ou=sudoers,dc=x,dc=y,dc=z ldap_user_search_base = cn=users,cn=accounts,dc=x,dc=y,dc=z ldap_group_search_base = cn=groups,cn=accounts,dc=x,dc=y,dc=z ldap_sasl_mech = GSSAPI ldap_sasl_authid = host/icc6.x.y.z ldap_sasl_realm = X.Y.Z min_id = 1000 debug_level = 6 lookup_family_order = ipv4_only krb5_use_kdcinfo = false
[sssd] services = nss, pam, ssh, sudo config_file_version = 2 domains = x.y.z
[nss] entry_cache_timeout = 600 entry_cache_nowait_timeout = 300 filter_users = root filter_groups = root
[pam]
[sudo] debug_level = 6
[ssh]
I do not understand what is the issue here. Why should be user u1 still member of group b when you explicitly remove this membership?
The initial state as I mentioned is:
$ ipa user-show u1 | grep group Member of groups: a, ipausers Indirect Member of group: c, b
So u1 is member of all 3 groups. Next two operations on IPA server first add direct membership to b and then remove it so we are back to the initial state. I did not show it but the command above gives same output at the end.
What is odd - group c was not removed. It seems like processing of nested groups is not done at all. Clearing sssd cache is a workaround but sssd should handle it without the need for it.
Ah, I can see it now. Thank you. I will try to reproduce it.
Metadata Update from @jhrozek: - Issue assigned to pbrezina
Ok, I can reproduce it.
Original member of is correct, but the computed memberOf attribute no longer contains group b.
First resolution with indirect groups:
dn: name=u1@ipa,cn=users,cn=IPA,cn=sysdb createTimestamp: 1521114023 fullName: u 1 gecos: u 1 gidNumber: 1201400004 homeDirectory: /home/u1 loginShell: /bin/sh name: u1@ipa objectClass: user uidNumber: 1201400004 objectSIDString: S-1-5-21-3955793650-2509659430-1926151017-1004 uniqueID: a7ca3e44-2844-11e8-a197-525400b9efec originalDN: uid=u1,cn=users,cn=accounts,dc=ipa,dc=vm originalMemberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=vm originalMemberOf: cn=a,cn=groups,cn=accounts,dc=ipa,dc=vm originalMemberOf: cn=b,cn=groups,cn=accounts,dc=ipa,dc=vm originalMemberOf: cn=c,cn=groups,cn=accounts,dc=ipa,dc=vm originalModifyTimestamp: 20180315113729Z entryUSN: 1922 userPrincipalName: u1@IPA.VM krbLastPwdChange: 20180315113631Z krbPasswordExpiration: 20180613113631Z mail: u1@ipa.vm nameAlias: u1@ipa isPosix: TRUE lastUpdate: 1521114023 dataExpireTimestamp: 1521119423 overrideDN: name=u1@ipa,cn=users,cn=IPA,cn=sysdb memberof: name=ipausers@ipa,cn=groups,cn=IPA,cn=sysdb memberof: name=c@ipa,cn=groups,cn=IPA,cn=sysdb memberof: name=b@ipa,cn=groups,cn=IPA,cn=sysdb memberof: name=a@ipa,cn=groups,cn=IPA,cn=sysdb initgrExpireTimestamp: 1521119423 ccacheFile: KCM: distinguishedName: name=u1@ipa,cn=users,cn=IPA,cn=sysdb
After add/remove direct group:
# record 17 dn: name=u1@ipa,cn=users,cn=IPA,cn=sysdb createTimestamp: 1521113733 fullName: u 1 gecos: u 1 gidNumber: 1201400004 homeDirectory: /home/u1 loginShell: /bin/sh name: u1@ipa objectClass: user uidNumber: 1201400004 objectSIDString: S-1-5-21-3955793650-2509659430-1926151017-1004 uniqueID: a7ca3e44-2844-11e8-a197-525400b9efec originalDN: uid=u1,cn=users,cn=accounts,dc=ipa,dc=vm originalMemberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=vm originalMemberOf: cn=a,cn=groups,cn=accounts,dc=ipa,dc=vm originalMemberOf: cn=b,cn=groups,cn=accounts,dc=ipa,dc=vm originalMemberOf: cn=c,cn=groups,cn=accounts,dc=ipa,dc=vm userPrincipalName: u1@IPA.VM mail: u1@ipa.vm nameAlias: u1@ipa isPosix: TRUE overrideDN: name=u1@ipa,cn=users,cn=IPA,cn=sysdb initgrExpireTimestamp: 1521119133 ccacheFile: KCM: lastOnlineAuthWithCurrentToken: 0 originalModifyTimestamp: 20180315113631Z entryUSN: 1917 krbLastPwdChange: 20180315113631Z krbPasswordExpiration: 20180613113631Z lastUpdate: 1521113798 dataExpireTimestamp: 1521119198 memberof: name=ipausers@ipa,cn=groups,cn=IPA,cn=sysdb memberof: name=a@ipa,cn=groups,cn=IPA,cn=sysdb memberof: name=c@ipa,cn=groups,cn=IPA,cn=sysdb distinguishedName: name=u1@ipa,cn=users,cn=IPA,cn=sysdb
Hi, I have prepared a scratch build for you. Would you mind to test it? Thanks.
https://pbrezina.fedorapeople.org/scratch/memberof/
It works. Thanks.
Metadata Update from @jhrozek: - Issue close_status updated to: Fixed - Issue set to the milestone: SSSD 2.2 - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.