Replication of the issue on a clean installation of an IPA server running on CentOS 7.4. The client is CentOS 6 or 7:
sssd-1.13.3-57.el6_9.x86_64
sssd-1.15.2-50.el7_4.8.x86_64
sssd.conf is attached to this issue.
On IPA server:
$ ipa hbacrule-add --usercat=all --hostcat=all --servicecat=all any_to_any
$ ipa user-add --first=u --last=1 u1
$ ipa passwd u1
$ ipa group-add a
$ ipa group-add b
$ ipa group-add c
$ ipa group-add-member --groups=a b
$ ipa group-add-member --groups=b c
$ ipa group-add-member --users=u1 a
$ ipa user-show u1 | grep group
  Member of groups: a, ipausers
  Indirect Member of group: c, b
icc6 is the name of the host with CentOS 6. The same happens on a client with CentOS 7. Starting with a clean cache:
$ service sssd stop
$ find /var/lib/sss/ ! -type d -delete
$ service sssd start
$ ssh -q u1@icc6 groups
u1@icc6's password:
ipausers a b c
All is well. On server:
$ ipa group-add-member --users=u1 b
Back to client:
All is still well.
On server:
$ ipa group-remove-member --users=u1 b
and back to client:
$ ssh -q u1@icc6 groups
u1@icc6's password:
ipausers a c
Group b is missing, but it should be there.
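Worked example of the memberOf computation the report expects (added here for illustration; Python, not code from sssd, FreeIPA or the reporter). The group layout is a constructed in-memory graph mirroring the `ipa group-add-member` calls above: u1 is a direct member of a and ipausers, a is nested in b, and b is nested in c. The example computes the transitive memberOf closure, replays the add and remove of the direct u1-to-b membership, and shows that b must remain in the result through a once the direct membership is dropped. The function names and the `missing_from_cache` helper are illustrative.

```python
from collections import defaultdict


def build_ipa_groups():
    """Constructed sample: direct membership as the IPA server holds it.

    Keys are groups, values are each group's direct members (users or
    other groups), i.e. the content of IPA's `member` attribute.
    """
    groups = defaultdict(set)
    groups["ipausers"].add("u1")   # default group for new users
    groups["a"].add("u1")          # ipa group-add-member --users=u1 a
    groups["b"].add("a")           # ipa group-add-member --groups=a b
    groups["c"].add("b")           # ipa group-add-member --groups=b c
    return groups


def direct_member_of(groups, name):
    """Groups that list `name` as a direct member (IPA 'Member of groups')."""
    return {g for g, members in groups.items() if name in members}


def member_of(groups, name):
    """Transitive memberOf: every group reachable by walking nesting upward.

    This is the closure a client cache has to recompute after any membership
    change; a group must stay in the result as long as *any* path (direct or
    nested) still leads to it.
    """
    parents = defaultdict(set)          # member -> groups containing it directly
    for group, members in groups.items():
        for member in members:
            parents[member].add(group)

    result, todo = set(), [name]
    while todo:
        node = todo.pop()
        for group in parents.get(node, ()):
            if group not in result:
                result.add(group)
                todo.append(group)
    return result


def replay_issue():
    """Replay the add/remove of the direct u1->b membership from the report.

    Returns the expected memberOf set at each of the three steps.
    """
    groups = build_ipa_groups()
    initial = member_of(groups, "u1")

    groups["b"].add("u1")          # ipa group-add-member --users=u1 b
    after_add = member_of(groups, "u1")

    groups["b"].discard("u1")      # ipa group-remove-member --users=u1 b
    after_remove = member_of(groups, "u1")
    return initial, after_add, after_remove


def missing_from_cache(cached_memberof, groups, name):
    """Groups a cached memberOf list has dropped compared with the closure."""
    return member_of(groups, name) - set(cached_memberof)


if __name__ == "__main__":
    initial, after_add, after_remove = replay_issue()
    print("initial:     ", sorted(initial))
    print("after add:   ", sorted(after_add))
    print("after remove:", sorted(after_remove))
    # Constructed from what `groups` printed on the client after the remove step.
    observed = {"ipausers", "a", "c"}
    print("dropped by cache:", missing_from_cache(observed, build_ipa_groups(), "u1"))
```

Running the block prints the same set {a, b, c, ipausers} for all three steps; comparing the client's observed `ipausers a c` against the closure reports b as the dropped group, which is exactly the defect described above.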
It seems I cannot attach files. sssd.conf content:
$ cat sssd.conf
[domain/x.y.z]
cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = X.Y.Z
ipa_domain = x.y.z
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_hostname = icc6.x.y.z
ipa_server = ipa4server01.x.y.z
ldap_uri = ldap://ipa4server01.x.y.z
krb5_server = ipa4server01.x.y.z
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=x,dc=y,dc=z
ldap_user_search_base = cn=users,cn=accounts,dc=x,dc=y,dc=z
ldap_group_search_base = cn=groups,cn=accounts,dc=x,dc=y,dc=z
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/icc6.x.y.z
ldap_sasl_realm = X.Y.Z
min_id = 1000
debug_level = 6
lookup_family_order = ipv4_only
krb5_use_kdcinfo = false

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = x.y.z

[nss]
entry_cache_timeout = 600
entry_cache_nowait_timeout = 300
filter_users = root
filter_groups = root

[pam]

[sudo]
debug_level = 6

[ssh]
I do not understand what the issue is here. Why should user u1 still be a member of group b when you explicitly remove this membership?
The initial state as I mentioned is:
$ ipa user-show u1 | grep group
  Member of groups: a, ipausers
  Indirect Member of group: c, b
So u1 is a member of all 3 groups. The next two operations on the IPA server first add direct membership to b and then remove it, so we are back to the initial state. I did not show it, but the command above gives the same output at the end.
What is odd: group c was not removed. It seems like processing of nested groups is not done at all. Clearing the sssd cache is a workaround, but sssd should handle it without the need for it.
Ah, I can see it now. Thank you. I will try to reproduce it.
Metadata Update from @jhrozek:
- Issue assigned to pbrezina
Ok, I can reproduce it.
originalMemberOf is correct, but the computed memberOf attribute no longer contains group b.
First resolution with indirect groups:
dn: name=u1@ipa,cn=users,cn=IPA,cn=sysdb
createTimestamp: 1521114023
fullName: u 1
gecos: u 1
gidNumber: 1201400004
homeDirectory: /home/u1
loginShell: /bin/sh
name: u1@ipa
objectClass: user
uidNumber: 1201400004
objectSIDString: S-1-5-21-3955793650-2509659430-1926151017-1004
uniqueID: a7ca3e44-2844-11e8-a197-525400b9efec
originalDN: uid=u1,cn=users,cn=accounts,dc=ipa,dc=vm
originalMemberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=vm
originalMemberOf: cn=a,cn=groups,cn=accounts,dc=ipa,dc=vm
originalMemberOf: cn=b,cn=groups,cn=accounts,dc=ipa,dc=vm
originalMemberOf: cn=c,cn=groups,cn=accounts,dc=ipa,dc=vm
originalModifyTimestamp: 20180315113729Z
entryUSN: 1922
userPrincipalName: u1@IPA.VM
krbLastPwdChange: 20180315113631Z
krbPasswordExpiration: 20180613113631Z
mail: u1@ipa.vm
nameAlias: u1@ipa
isPosix: TRUE
lastUpdate: 1521114023
dataExpireTimestamp: 1521119423
overrideDN: name=u1@ipa,cn=users,cn=IPA,cn=sysdb
memberof: name=ipausers@ipa,cn=groups,cn=IPA,cn=sysdb
memberof: name=c@ipa,cn=groups,cn=IPA,cn=sysdb
memberof: name=b@ipa,cn=groups,cn=IPA,cn=sysdb
memberof: name=a@ipa,cn=groups,cn=IPA,cn=sysdb
initgrExpireTimestamp: 1521119423
ccacheFile: KCM:
distinguishedName: name=u1@ipa,cn=users,cn=IPA,cn=sysdb
After add/remove direct group:
# record 17
dn: name=u1@ipa,cn=users,cn=IPA,cn=sysdb
createTimestamp: 1521113733
fullName: u 1
gecos: u 1
gidNumber: 1201400004
homeDirectory: /home/u1
loginShell: /bin/sh
name: u1@ipa
objectClass: user
uidNumber: 1201400004
objectSIDString: S-1-5-21-3955793650-2509659430-1926151017-1004
uniqueID: a7ca3e44-2844-11e8-a197-525400b9efec
originalDN: uid=u1,cn=users,cn=accounts,dc=ipa,dc=vm
originalMemberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=vm
originalMemberOf: cn=a,cn=groups,cn=accounts,dc=ipa,dc=vm
originalMemberOf: cn=b,cn=groups,cn=accounts,dc=ipa,dc=vm
originalMemberOf: cn=c,cn=groups,cn=accounts,dc=ipa,dc=vm
userPrincipalName: u1@IPA.VM
mail: u1@ipa.vm
nameAlias: u1@ipa
isPosix: TRUE
overrideDN: name=u1@ipa,cn=users,cn=IPA,cn=sysdb
initgrExpireTimestamp: 1521119133
ccacheFile: KCM:
lastOnlineAuthWithCurrentToken: 0
originalModifyTimestamp: 20180315113631Z
entryUSN: 1917
krbLastPwdChange: 20180315113631Z
krbPasswordExpiration: 20180613113631Z
lastUpdate: 1521113798
dataExpireTimestamp: 1521119198
memberof: name=ipausers@ipa,cn=groups,cn=IPA,cn=sysdb
memberof: name=a@ipa,cn=groups,cn=IPA,cn=sysdb
memberof: name=c@ipa,cn=groups,cn=IPA,cn=sysdb
distinguishedName: name=u1@ipa,cn=users,cn=IPA,cn=sysdb
Hi, I have prepared a scratch build for you. Would you mind testing it? Thanks.
https://pbrezina.fedorapeople.org/scratch/memberof/
It works. Thanks.
Metadata Update from @jhrozek:
- Issue close_status updated to: Fixed
- Issue set to the milestone: SSSD 2.2
- Issue status updated to: Closed (was: Open)
sssd-1-16
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4657
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.