#3636 nested group missing after updates on provider
Closed: Fixed 2 months ago by jhrozek. Opened a year ago by micpas.

Replication of the issue on a clean installation of an IPA server running on CentOS 7.4. The client is CentOS 6 or 7:

sssd-1.13.3-57.el6_9.x86_64
sssd-1.15.2-50.el7_4.8.x86_64

sssd.conf is attached to this issue.


On IPA server:

$ ipa hbacrule-add --usercat=all --hostcat=all --servicecat=all any_to_any
$ ipa user-add --first=u --last=1 u1
$ ipa passwd u1
$ ipa group-add a
$ ipa group-add b
$ ipa group-add c
$ ipa group-add-member --groups=a b
$ ipa group-add-member --groups=b c
$ ipa group-add-member --users=u1 a
$ ipa user-show u1 | grep group
Member of groups: a, ipausers
Indirect Member of group: c, b

icc6 is the name of a host with CentOS 6. The same happens on a client with CentOS 7. Starting with a clean cache:

$ service sssd stop
$ find /var/lib/sss/ ! -type d -delete
$ service sssd start

$ ssh -q u1@icc6 groups
u1@icc6's password:
ipausers a b c

All is well. On server:

$ ipa group-add-member --users=u1 b

Back to client:

$ ssh -q u1@icc6 groups
u1@icc6's password:
ipausers a b c

All is still well.

On server:

$ ipa group-remove-member --users=u1 b

and back to client:

$ ssh -q u1@icc6 groups
u1@icc6's password:
ipausers a c

Group b is missing but it should be there.


It seems I cannot attach files. sssd.conf content:

$ cat sssd.conf
[domain/x.y.z]
cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = X.Y.Z
ipa_domain = x.y.z
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_hostname = icc6.x.y.z
ipa_server = ipa4server01.x.y.z
ldap_uri = ldap://ipa4server01.x.y.z
krb5_server = ipa4server01.x.y.z
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=x,dc=y,dc=z
ldap_user_search_base = cn=users,cn=accounts,dc=x,dc=y,dc=z
ldap_group_search_base = cn=groups,cn=accounts,dc=x,dc=y,dc=z
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/icc6.x.y.z
ldap_sasl_realm = X.Y.Z
min_id = 1000
debug_level = 6
lookup_family_order = ipv4_only
krb5_use_kdcinfo = false

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = x.y.z

[nss]
entry_cache_timeout = 600
entry_cache_nowait_timeout = 300
filter_users = root
filter_groups = root

[pam]

[sudo]
debug_level = 6

[ssh]

I do not understand what the issue is here. Why should user u1 still be a member of group b when you explicitly remove this membership?

The initial state as I mentioned is:

$ ipa user-show u1 | grep group
Member of groups: a, ipausers
Indirect Member of group: c, b

So u1 is a member of all 3 groups. The next two operations on the IPA server first add a direct membership to b and then remove it, so we are back to the initial state. I did not show it, but the command above gives the same output at the end.

What is odd: group c was not removed. It seems like the processing of nested groups is not done at all. Clearing the sssd cache is a workaround, but sssd should handle it without the need for it.

Ah, I can see it now. Thank you. I will try to reproduce it.

Metadata Update from @jhrozek:
- Issue assigned to pbrezina

a year ago

Ok, I can reproduce it.

originalMemberOf is correct, but the computed memberOf attribute no longer contains group b.

First resolution with indirect groups:

dn: name=u1@ipa,cn=users,cn=IPA,cn=sysdb
createTimestamp: 1521114023
fullName: u 1
gecos: u 1
gidNumber: 1201400004
homeDirectory: /home/u1
loginShell: /bin/sh
name: u1@ipa
objectClass: user
uidNumber: 1201400004
objectSIDString: S-1-5-21-3955793650-2509659430-1926151017-1004
uniqueID: a7ca3e44-2844-11e8-a197-525400b9efec
originalDN: uid=u1,cn=users,cn=accounts,dc=ipa,dc=vm
originalMemberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=vm
originalMemberOf: cn=a,cn=groups,cn=accounts,dc=ipa,dc=vm
originalMemberOf: cn=b,cn=groups,cn=accounts,dc=ipa,dc=vm
originalMemberOf: cn=c,cn=groups,cn=accounts,dc=ipa,dc=vm
originalModifyTimestamp: 20180315113729Z
entryUSN: 1922
userPrincipalName: u1@IPA.VM
krbLastPwdChange: 20180315113631Z
krbPasswordExpiration: 20180613113631Z
mail: u1@ipa.vm
nameAlias: u1@ipa
isPosix: TRUE
lastUpdate: 1521114023
dataExpireTimestamp: 1521119423
overrideDN: name=u1@ipa,cn=users,cn=IPA,cn=sysdb
memberof: name=ipausers@ipa,cn=groups,cn=IPA,cn=sysdb
memberof: name=c@ipa,cn=groups,cn=IPA,cn=sysdb
memberof: name=b@ipa,cn=groups,cn=IPA,cn=sysdb
memberof: name=a@ipa,cn=groups,cn=IPA,cn=sysdb
initgrExpireTimestamp: 1521119423
ccacheFile: KCM:
distinguishedName: name=u1@ipa,cn=users,cn=IPA,cn=sysdb

After add/remove direct group:

# record 17
dn: name=u1@ipa,cn=users,cn=IPA,cn=sysdb
createTimestamp: 1521113733
fullName: u 1
gecos: u 1
gidNumber: 1201400004
homeDirectory: /home/u1
loginShell: /bin/sh
name: u1@ipa
objectClass: user
uidNumber: 1201400004
objectSIDString: S-1-5-21-3955793650-2509659430-1926151017-1004
uniqueID: a7ca3e44-2844-11e8-a197-525400b9efec
originalDN: uid=u1,cn=users,cn=accounts,dc=ipa,dc=vm
originalMemberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=vm
originalMemberOf: cn=a,cn=groups,cn=accounts,dc=ipa,dc=vm
originalMemberOf: cn=b,cn=groups,cn=accounts,dc=ipa,dc=vm
originalMemberOf: cn=c,cn=groups,cn=accounts,dc=ipa,dc=vm
userPrincipalName: u1@IPA.VM
mail: u1@ipa.vm
nameAlias: u1@ipa
isPosix: TRUE
overrideDN: name=u1@ipa,cn=users,cn=IPA,cn=sysdb
initgrExpireTimestamp: 1521119133
ccacheFile: KCM:
lastOnlineAuthWithCurrentToken: 0
originalModifyTimestamp: 20180315113631Z
entryUSN: 1917
krbLastPwdChange: 20180315113631Z
krbPasswordExpiration: 20180613113631Z
lastUpdate: 1521113798
dataExpireTimestamp: 1521119198
memberof: name=ipausers@ipa,cn=groups,cn=IPA,cn=sysdb
memberof: name=a@ipa,cn=groups,cn=IPA,cn=sysdb
memberof: name=c@ipa,cn=groups,cn=IPA,cn=sysdb
distinguishedName: name=u1@ipa,cn=users,cn=IPA,cn=sysdb
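To make the difference between the two dumps above mechanically checkable, here is an added Python example (not SSSD code) that parses ldbsearch-style output of the sysdb cache and reports every group listed in originalMemberOf that the computed memberof lacks. The sample dump is constructed from the two records in this ticket, trimmed to the membership attributes, and the DN-to-name mapping (cn=X on the server side, name=X@domain in sysdb) is an assumption taken from those records.

```python
# Constructed sample based on the two sysdb dumps in this ticket: record 1 is the
# correct initial state, record 2 the state after the direct add/remove of group b.
CACHE_DUMP = """\
dn: name=u1@ipa,cn=users,cn=IPA,cn=sysdb
originalMemberOf: cn=a,cn=groups,cn=accounts,dc=ipa,dc=vm
originalMemberOf: cn=b,cn=groups,cn=accounts,dc=ipa,dc=vm
originalMemberOf: cn=c,cn=groups,cn=accounts,dc=ipa,dc=vm
memberof: name=c@ipa,cn=groups,cn=IPA,cn=sysdb
memberof: name=b@ipa,cn=groups,cn=IPA,cn=sysdb
memberof: name=a@ipa,cn=groups,cn=IPA,cn=sysdb

# record 17
dn: name=u1@ipa,cn=users,cn=IPA,cn=sysdb
originalMemberOf: cn=a,cn=groups,cn=accounts,dc=ipa,dc=vm
originalMemberOf: cn=b,cn=groups,cn=accounts,dc=ipa,dc=vm
originalMemberOf: cn=c,cn=groups,cn=accounts,dc=ipa,dc=vm
memberof: name=a@ipa,cn=groups,cn=IPA,cn=sysdb
memberof: name=c@ipa,cn=groups,cn=IPA,cn=sysdb
"""

def parse_records(dump):
    """Parse LDIF-style ldbsearch output into {attr: [values]} dicts, one per record."""
    records = []
    for chunk in dump.strip().split("\n\n"):          # records are blank-line separated
        rec = {}
        for line in chunk.splitlines():
            if line.startswith("#") or not line.strip():  # skip '# record N' comments
                continue
            attr, _, value = line.partition(": ")
            rec.setdefault(attr.lower(), []).append(value)  # LDAP attrs are case-insensitive
        if rec:
            records.append(rec)
    return records

def group_name(dn):
    """'cn=b,cn=groups,cn=accounts,...' and 'name=b@ipa,cn=groups,cn=IPA,cn=sysdb' -> 'b'."""
    value = dn.split(",", 1)[0].split("=", 1)[1]
    return value.split("@", 1)[0]

def missing_groups(record):
    """Groups the server reports (originalMemberOf) that the cached memberof lacks."""
    server = {group_name(dn) for dn in record.get("originalmemberof", [])}
    cached = {group_name(dn) for dn in record.get("memberof", [])}
    return sorted(server - cached)

def check_dump(dump):
    """Per record, the groups a client would fail to resolve for the user."""
    return [missing_groups(r) for r in parse_records(dump)]
```

A non-empty list for a record means the client resolves fewer groups for that user than IPA grants, which is exactly what the `groups` output in this ticket shows for group b.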

Hi, I have prepared a scratch build for you. Would you mind testing it? Thanks.

https://pbrezina.fedorapeople.org/scratch/memberof/

Metadata Update from @jhrozek:
- Issue close_status updated to: Fixed
- Issue set to the milestone: SSSD 2.2
- Issue status updated to: Closed (was: Open)

2 months ago
