When a user is granted group membership both indirectly and directly and the direct membership is removed, SSSD seems to start ignoring the indirect membership. It does not seem to be an issue in FreeIPA; it looks OK both in LDAP and the WebUI. It also might be related to the fact that the top-level and the target groups are POSIX, while the middle one is not.
```
[root@ipa01:~] ipa user-add tester --first t --last ester
[root@ipa01:~] ipa group-add first-level
[root@ipa01:~] ipa group-add second-level --nonposix
[root@ipa01:~] ipa group-add third-level
[root@ipa01:~] ipa group-add-member third-level --groups second-level
[root@ipa01:~] ipa group-add-member second-level --groups first-level
[root@ipa01:~] ipa group-add-member first-level --users tester
[root@ipa01:~] sss_cache -E
[root@ipa01:~] id tester
uid=564800017(tester) gid=564800017(tester) groups=564800017(tester),564800018(first-level),564800019(third-level)
[root@ipa01:~] ipa group-add-member third-level --users tester
[root@ipa01:~] sss_cache -E
[root@ipa01:~] id tester
uid=564800017(tester) gid=564800017(tester) groups=564800017(tester),564800018(first-level),564800019(third-level)
[root@ipa01:~] ipa group-remove-member third-level --users tester
[root@ipa01:~] sss_cache -E
[root@ipa01:~] id tester
uid=564800017(tester) gid=564800017(tester) groups=564800017(tester),564800018(first-level)
[root@ipa01:~] ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=devgdc,dc=com uid=tester memberOf 2>/dev/null | grep third
memberOf: cn=third-level,cn=groups,cn=accounts,dc=devgdc,dc=com
[root@ipa01:~] rpm -qa ipa\* sssd\* | sort
ipa-client-4.5.0-22.el7.centos.x86_64
ipa-client-common-4.5.0-22.el7.centos.noarch
ipa-common-4.5.0-22.el7.centos.noarch
ipa-server-4.5.0-22.el7.centos.x86_64
ipa-server-common-4.5.0-22.el7.centos.noarch
ipa-server-dns-4.5.0-22.el7.centos.noarch
sssd-1.15.2-50.el7_4.11.x86_64
sssd-ad-1.15.2-50.el7_4.11.x86_64
sssd-client-1.15.2-50.el7_4.11.x86_64
sssd-common-1.15.2-50.el7_4.11.x86_64
sssd-common-pac-1.15.2-50.el7_4.11.x86_64
sssd-dbus-1.15.2-50.el7_4.11.x86_64
sssd-ipa-1.15.2-50.el7_4.11.x86_64
sssd-krb5-1.15.2-50.el7_4.11.x86_64
sssd-krb5-common-1.15.2-50.el7_4.11.x86_64
sssd-ldap-1.15.2-50.el7_4.11.x86_64
sssd-proxy-1.15.2-50.el7_4.11.x86_64
```
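Added example, not part of the original report and not SSSD or FreeIPA code: a Python check that models the reproducer's group nesting, computes which POSIX groups the user should still resolve to after the direct membership is removed, and compares that with the `id` output quoted in the report. The function names are hypothetical, and the membership map is constructed from the `ipa` commands above.

```python
import re

# Constructed from the reproducer: member -> groups it is a DIRECT member of.
DIRECT = {
    "tester": {"first-level", "third-level"},   # direct + (via nesting) indirect
    "first-level": {"second-level"},
    "second-level": {"third-level"},
}
NONPOSIX = {"second-level"}  # created with --nonposix: no GID, never shown by id

# `id tester` lines copied from the report, before and after
# `ipa group-remove-member third-level --users tester`.
ID_BEFORE = ("uid=564800017(tester) gid=564800017(tester) groups=564800017(tester),"
             "564800018(first-level),564800019(third-level)")
ID_AFTER = ("uid=564800017(tester) gid=564800017(tester) groups=564800017(tester),"
            "564800018(first-level)")


def effective_groups(direct, member):
    """Every group reachable from member through nesting (cycle safe)."""
    seen, stack = set(), [member]
    while stack:
        for group in direct.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def groups_from_id(id_line):
    """Resolved group names in `id` output; bare unresolved GIDs are skipped."""
    field = id_line.split("groups=", 1)[1]
    return set(re.findall(r"\d+\(([^)]+)\)", field))


def missing_on_client(direct, nonposix, user, id_line):
    """POSIX groups the directory grants that the client does not report."""
    expected = effective_groups(direct, user) - nonposix
    return expected - groups_from_id(id_line)


def remove_direct(direct, user, group):
    """Copy of the map with one direct membership removed."""
    updated = {m: set(gs) for m, gs in direct.items()}
    updated[user].discard(group)
    return updated


AFTER_REMOVAL = remove_direct(DIRECT, "tester", "third-level")
```

An empty result from `missing_on_client` means the client view matches the directory; with the report's post-removal `id` line it returns `third-level`, the membership that still reaches the user through the non-POSIX `second-level` group.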
This is most likely a duplicate of: https://pagure.io/SSSD/sssd/issue/3636
I sent a pull request a couple of minutes ago.
Metadata Update from @pbrezina: - Issue close_status updated to: duplicate - Issue status updated to: Closed (was: Open)
Thanks, I'm happy to re-test when packages with the fix are available.
Metadata Update from @pbenas: - Issue status updated to: Open (was: Closed)
Hi, I have prepared a scratch build for you. Would you mind testing it? Thanks.
https://pbrezina.fedorapeople.org/scratch/memberof/
Hi,
it looks good. The initial propagation of membership took a while, but I'm unable to reproduce with the scratch builds you've provided. Thanks!
```
[root@ipa01:~] ipa group-add-member first-level --users tester
  Group name: first-level
  GID: 564800027
  Member users: tester
  Member of groups: second-level
  Indirect Member of group: third-level
-------------------------
Number of members added 1
-------------------------
18/04/16 15:23:27 rack-na/freeipa (rest-pg-minimal)
[root@ipa01:~] sss_cache -E
18/04/16 15:23:34 rack-na/freeipa (rest-pg-minimal)
[root@ipa01:~] id tester
uid=564800026(tester) gid=564800026(tester) groups=564800026(tester),564800023
18/04/16 15:23:43 rack-na/freeipa (rest-pg-minimal)
[root@ipa01:~] sss_cache -E
18/04/16 15:24:21 rack-na/freeipa (rest-pg-minimal)
[root@ipa01:~] id tester
uid=564800026(tester) gid=564800026(tester) groups=564800026(tester),564800024,564800027(first-level)
18/04/16 15:24:23 rack-na/freeipa (rest-pg-minimal)
[root@ipa01:~] sss_cache -E
18/04/16 15:25:06 rack-na/freeipa (rest-pg-minimal)
[root@ipa01:~] id tester
uid=564800026(tester) gid=564800026(tester) groups=564800026(tester),564800027(first-level),564800028(third-level)
18/04/16 15:25:08 rack-na/freeipa (rest-pg-minimal)
[root@ipa01:~] ipa group-add-member third-level --users tester
  Group name: third-level
  GID: 564800028
  Member users: tester
  Member groups: second-level
  Indirect Member groups: first-level
-------------------------
Number of members added 1
-------------------------
18/04/16 15:25:28 rack-na/freeipa (rest-pg-minimal)
[root@ipa01:~] sss_cache -E
18/04/16 15:25:32 rack-na/freeipa (rest-pg-minimal)
[root@ipa01:~] id tester
uid=564800026(tester) gid=564800026(tester) groups=564800026(tester),564800027(first-level),564800028(third-level)
18/04/16 15:25:35 rack-na/freeipa (rest-pg-minimal)
[root@ipa01:~] ipa group-remove-member third-level --users tester
  Group name: third-level
  GID: 564800028
  Member groups: second-level
  Indirect Member users: tester
  Indirect Member groups: first-level
---------------------------
Number of members removed 1
---------------------------
18/04/16 15:25:46 rack-na/freeipa (rest-pg-minimal)
[root@ipa01:~] sss_cache -E
18/04/16 15:25:55 rack-na/freeipa (rest-pg-minimal)
[root@ipa01:~] id tester
uid=564800026(tester) gid=564800026(tester) groups=564800026(tester),564800027(first-level),564800028(third-level)
```
Metadata Update from @pbrezina: - Custom field design_review adjusted to on - Custom field mark adjusted to on - Custom field patch adjusted to on - Custom field review adjusted to on - Custom field sensitive adjusted to on - Custom field testsupdated adjusted to on - Issue close_status updated to: duplicate - Issue status updated to: Closed (was: Open)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4701
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.