#3636 nested group missing after updates on provider
Closed: Fixed a year ago by jhrozek. Opened 2 years ago by micpas.

Replication of issue on clean installation of IPA server running on CentOS 7.4. The client is CentOS 6 or 7:

sssd-1.13.3-57.el6_9.x86_64
sssd-1.15.2-50.el7_4.8.x86_64

sssd.conf is attached to this issue.


On IPA server:

$ ipa hbacrule-add --usercat=all --hostcat=all --servicecat=all any_to_any
$ ipa user-add --first=u --last=1 u1
$ ipa passwd u1
$ ipa group-add a
$ ipa group-add b
$ ipa group-add c
$ ipa group-add-member --groups=a b
$ ipa group-add-member --groups=b c
$ ipa group-add-member --users=u1 a
$ ipa user-show u1 | grep group
Member of groups: a, ipausers
Indirect Member of group: c, b

icc6 is the name of the host running CentOS 6. The same happens on the client with CentOS 7. Starting with a clean cache:

$ service sssd stop
$ find /var/lib/sss/ ! -type d -delete
$ service sssd start

$ ssh -q u1@icc6 groups
u1@icc6's password:
ipausers a b c

All is well. On server:

$ ipa group-add-member --users=u1 b

Back to client:

$ ssh -q u1@icc6 groups
u1@icc6's password:
ipausers a b c

All is still well.

On server:

$ ipa group-remove-member --users=u1 b

and back to client:

$ ssh -q u1@icc6 groups
u1@icc6's password:
ipausers a c

Group b is missing but it should be there.


It seems I cannot attach files. sssd.conf content:

$ cat sssd.conf
[domain/x.y.z]
cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = X.Y.Z
ipa_domain = x.y.z
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_hostname = icc6.x.y.z
ipa_server = ipa4server01.x.y.z
ldap_uri = ldap://ipa4server01.x.y.z
krb5_server = ipa4server01.x.y.z
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=x,dc=y,dc=z
ldap_user_search_base = cn=users,cn=accounts,dc=x,dc=y,dc=z
ldap_group_search_base = cn=groups,cn=accounts,dc=x,dc=y,dc=z
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/icc6.x.y.z
ldap_sasl_realm = X.Y.Z
min_id = 1000
debug_level = 6
lookup_family_order = ipv4_only
krb5_use_kdcinfo = false

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = x.y.z

[nss]
entry_cache_timeout = 600
entry_cache_nowait_timeout = 300
filter_users = root
filter_groups = root

[pam]

[sudo]
debug_level = 6

[ssh]

I do not understand what the issue is here. Why should user u1 still be a member of group b when you explicitly remove this membership?

The initial state as I mentioned is:

$ ipa user-show u1 | grep group
Member of groups: a, ipausers
Indirect Member of group: c, b

So u1 is a member of all 3 groups. The next two operations on the IPA server first add direct membership to b and then remove it, so we are back to the initial state. I did not show it, but the command above gives the same output at the end.

What is odd: group c was not removed. It seems like processing of nested groups is not done at all. Clearing the sssd cache is a workaround, but sssd should handle it without the need for it.

Ah, I can see it now. Thank you. I will try to reproduce it.

Metadata Update from @jhrozek:
- Issue assigned to pbrezina

2 years ago

Ok, I can reproduce it.

The originalMemberOf attribute is correct, but the computed memberof attribute no longer contains group b.

First resolution with indirect groups:

dn: name=u1@ipa,cn=users,cn=IPA,cn=sysdb
createTimestamp: 1521114023
fullName: u 1
gecos: u 1
gidNumber: 1201400004
homeDirectory: /home/u1
loginShell: /bin/sh
name: u1@ipa
objectClass: user
uidNumber: 1201400004
objectSIDString: S-1-5-21-3955793650-2509659430-1926151017-1004
uniqueID: a7ca3e44-2844-11e8-a197-525400b9efec
originalDN: uid=u1,cn=users,cn=accounts,dc=ipa,dc=vm
originalMemberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=vm
originalMemberOf: cn=a,cn=groups,cn=accounts,dc=ipa,dc=vm
originalMemberOf: cn=b,cn=groups,cn=accounts,dc=ipa,dc=vm
originalMemberOf: cn=c,cn=groups,cn=accounts,dc=ipa,dc=vm
originalModifyTimestamp: 20180315113729Z
entryUSN: 1922
userPrincipalName: u1@IPA.VM
krbLastPwdChange: 20180315113631Z
krbPasswordExpiration: 20180613113631Z
mail: u1@ipa.vm
nameAlias: u1@ipa
isPosix: TRUE
lastUpdate: 1521114023
dataExpireTimestamp: 1521119423
overrideDN: name=u1@ipa,cn=users,cn=IPA,cn=sysdb
memberof: name=ipausers@ipa,cn=groups,cn=IPA,cn=sysdb
memberof: name=c@ipa,cn=groups,cn=IPA,cn=sysdb
memberof: name=b@ipa,cn=groups,cn=IPA,cn=sysdb
memberof: name=a@ipa,cn=groups,cn=IPA,cn=sysdb
initgrExpireTimestamp: 1521119423
ccacheFile: KCM:
distinguishedName: name=u1@ipa,cn=users,cn=IPA,cn=sysdb

After add/remove direct group:

# record 17
dn: name=u1@ipa,cn=users,cn=IPA,cn=sysdb
createTimestamp: 1521113733
fullName: u 1
gecos: u 1
gidNumber: 1201400004
homeDirectory: /home/u1
loginShell: /bin/sh
name: u1@ipa
objectClass: user
uidNumber: 1201400004
objectSIDString: S-1-5-21-3955793650-2509659430-1926151017-1004
uniqueID: a7ca3e44-2844-11e8-a197-525400b9efec
originalDN: uid=u1,cn=users,cn=accounts,dc=ipa,dc=vm
originalMemberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=vm
originalMemberOf: cn=a,cn=groups,cn=accounts,dc=ipa,dc=vm
originalMemberOf: cn=b,cn=groups,cn=accounts,dc=ipa,dc=vm
originalMemberOf: cn=c,cn=groups,cn=accounts,dc=ipa,dc=vm
userPrincipalName: u1@IPA.VM
mail: u1@ipa.vm
nameAlias: u1@ipa
isPosix: TRUE
overrideDN: name=u1@ipa,cn=users,cn=IPA,cn=sysdb
initgrExpireTimestamp: 1521119133
ccacheFile: KCM:
lastOnlineAuthWithCurrentToken: 0
originalModifyTimestamp: 20180315113631Z
entryUSN: 1917
krbLastPwdChange: 20180315113631Z
krbPasswordExpiration: 20180613113631Z
lastUpdate: 1521113798
dataExpireTimestamp: 1521119198
memberof: name=ipausers@ipa,cn=groups,cn=IPA,cn=sysdb
memberof: name=a@ipa,cn=groups,cn=IPA,cn=sysdb
memberof: name=c@ipa,cn=groups,cn=IPA,cn=sysdb
distinguishedName: name=u1@ipa,cn=users,cn=IPA,cn=sysdb
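
The two cache dumps above differ only in the computed memberof attribute. The following model, added here as an illustration and not SSSD's own code, reproduces the ticket's a -> b -> c nesting and contrasts a naive "drop the removed group" update (the observed behaviour, where b disappears although u1 still reaches it via a) with a recomputed transitive closure (the expected result).

```python
"""Model of nested-group memberOf computation (added illustration, not SSSD
code). Group names and the a -> b -> c nesting follow this ticket's reproducer."""

from collections import deque

# Direct membership only, as reported by the IPA server in the ticket:
# u1 is in a and ipausers; group a is a member of b; group b is a member of c.
DIRECT = {
    "u1": {"a", "ipausers"},
    "a": {"b"},
    "b": {"c"},
    "c": set(),
    "ipausers": set(),
}

def member_of(direct, entity):
    """Transitive closure: every group reachable from entity through direct
    membership edges. This is what the computed memberof should contain."""
    seen = set()
    queue = deque(direct.get(entity, ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(direct.get(group, ()))
    return seen

def naive_remove(computed, group):
    """Buggy update: remove the group from the cached memberof without checking
    whether another (nested) path to it still exists."""
    return computed - {group}

def reproduce():
    """Replay the ticket: add u1 directly to b, then remove it again."""
    direct = {k: set(v) for k, v in DIRECT.items()}
    initial = member_of(direct, "u1")
    direct["u1"].add("b")          # ipa group-add-member --users=u1 b
    after_add = member_of(direct, "u1")
    direct["u1"].discard("b")      # ipa group-remove-member --users=u1 b
    buggy = naive_remove(after_add, "b")
    correct = member_of(direct, "u1")
    return initial, after_add, buggy, correct

if __name__ == "__main__":
    initial, after_add, buggy, correct = reproduce()
    print("initial:", sorted(initial))
    print("buggy after remove:", sorted(buggy))
    print("correct after remove:", sorted(correct))
```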

Hi, I have prepared a scratch build for you. Would you mind testing it? Thanks.

https://pbrezina.fedorapeople.org/scratch/memberof/

Metadata Update from @jhrozek:
- Issue close_status updated to: Fixed
- Issue set to the milestone: SSSD 2.2
- Issue status updated to: Closed (was: Open)

a year ago
  • sssd-1-16
    • 9a7c044 - memberof: keep memberOf attribute for nested member

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4657

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
