#3682 Indirect group membership lost when direct removed

Created 2 months ago by pbenas
Modified a month ago

When a user is granted group membership both indirectly and directly and the direct membership is removed, SSSD seems to start ignoring the indirect membership. This does not seem to be an issue of FreeIPA; it looks OK both in LDAP and the WebUI. It also might be related to the fact that the top-level and the target groups are POSIX, while the middle one is not.

[root@ipa01:~] ipa user-add tester --first t --last ester
[root@ipa01:~] ipa group-add first-level
[root@ipa01:~] ipa group-add second-level --nonposix
[root@ipa01:~] ipa group-add third-level
[root@ipa01:~] ipa group-add-member third-level --groups second-level
[root@ipa01:~] ipa group-add-member second-level --groups first-level
[root@ipa01:~] ipa group-add-member first-level --users tester

[root@ipa01:~] sss_cache -E
[root@ipa01:~] id tester
uid=564800017(tester) gid=564800017(tester) groups=564800017(tester),564800018(first-level),564800019(third-level)

[root@ipa01:~] ipa group-add-member third-level --users tester
[root@ipa01:~] sss_cache -E
[root@ipa01:~] id tester
uid=564800017(tester) gid=564800017(tester) groups=564800017(tester),564800018(first-level),564800019(third-level)

[root@ipa01:~] ipa group-remove-member third-level --users tester
[root@ipa01:~] sss_cache -E
[root@ipa01:~] id tester
uid=564800017(tester) gid=564800017(tester) groups=564800017(tester),564800018(first-level)

[root@ipa01:~] ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=devgdc,dc=com uid=tester memberOf 2>/dev/null | grep third
memberOf: cn=third-level,cn=groups,cn=accounts,dc=devgdc,dc=com

[root@ipa01:~] rpm -qa ipa\* sssd\* | sort
ipa-client-4.5.0-22.el7.centos.x86_64
ipa-client-common-4.5.0-22.el7.centos.noarch
ipa-common-4.5.0-22.el7.centos.noarch
ipa-server-4.5.0-22.el7.centos.x86_64
ipa-server-common-4.5.0-22.el7.centos.noarch
ipa-server-dns-4.5.0-22.el7.centos.noarch
sssd-1.15.2-50.el7_4.11.x86_64
sssd-ad-1.15.2-50.el7_4.11.x86_64
sssd-client-1.15.2-50.el7_4.11.x86_64
sssd-common-1.15.2-50.el7_4.11.x86_64
sssd-common-pac-1.15.2-50.el7_4.11.x86_64
sssd-dbus-1.15.2-50.el7_4.11.x86_64
sssd-ipa-1.15.2-50.el7_4.11.x86_64
sssd-krb5-1.15.2-50.el7_4.11.x86_64
sssd-krb5-common-1.15.2-50.el7_4.11.x86_64
sssd-ldap-1.15.2-50.el7_4.11.x86_64
sssd-proxy-1.15.2-50.el7_4.11.x86_64
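A consistency check for the symptom reported above, added here as an example and not part of the ticket: it parses the memberOf attribute FreeIPA's LDAP returns for the user and the `id` line SSSD produces, and flags POSIX groups that LDAP lists but `id` omits. The GROUP_GIDS table and the ldapsearch output are constructed to mirror the report (second-level is the non-POSIX middle group, which has no GID and so never appears in `id`); the `id` lines are the ones from the report.

```python
"""Cross-check SSSD's view of a user's groups (`id` output) against the memberOf
attribute FreeIPA's LDAP returns, flagging POSIX groups SSSD leaves out."""
import re
from typing import Dict, List, Optional

# Constructed group table modelled on the ticket: the middle group was created
# with --nonposix, so it has no gidNumber and legitimately never shows in `id`.
GROUP_GIDS: Dict[str, Optional[int]] = {
    "first-level": 564800018,
    "second-level": None,
    "third-level": 564800019,
}

# Constructed ldapsearch output for uid=tester, memberOf attribute only.
LDAPSEARCH_OUTPUT = """\
dn: uid=tester,cn=users,cn=accounts,dc=devgdc,dc=com
memberOf: cn=first-level,cn=groups,cn=accounts,dc=devgdc,dc=com
memberOf: cn=second-level,cn=groups,cn=accounts,dc=devgdc,dc=com
memberOf: cn=third-level,cn=groups,cn=accounts,dc=devgdc,dc=com
"""

# `id tester` as the ticket shows it after the direct membership was removed
# (third-level gone), and the line a correct resolver would produce.
ID_OUTPUT_BUGGY = ("uid=564800017(tester) gid=564800017(tester) "
                   "groups=564800017(tester),564800018(first-level)")
ID_OUTPUT_FIXED = ID_OUTPUT_BUGGY + ",564800019(third-level)"

def parse_memberof(ldif: str) -> List[str]:
    """Return the cn of every group DN listed on a memberOf line."""
    return re.findall(r"^memberOf:\s*cn=([^,]+),cn=groups,", ldif, re.M)

def parse_id_gids(id_line: str) -> Dict[int, Optional[str]]:
    """Map gid -> name from the groups= field of `id`; a bare number (name not
    resolved yet, as seen mid-propagation in the ticket) maps to None."""
    m = re.search(r"groups=(\S+)", id_line)
    gids: Dict[int, Optional[str]] = {}
    for entry in (m.group(1).split(",") if m else []):
        mm = re.fullmatch(r"(\d+)(?:\(([^)]*)\))?", entry)
        if mm:
            gids[int(mm.group(1))] = mm.group(2)
    return gids

def missing_posix_groups(ldif: str, id_line: str,
                         group_gids: Dict[str, Optional[int]]) -> List[str]:
    """POSIX groups in memberOf but absent from `id`, compared by GID so an
    unresolved bare number still counts as present."""
    seen = parse_id_gids(id_line)
    return [name for name in parse_memberof(ldif)
            if group_gids.get(name) is not None and group_gids[name] not in seen]
```

Against the buggy `id` line the check reports third-level as missing; against the corrected line it reports nothing.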

This is most likely a duplicate of: https://pagure.io/SSSD/sssd/issue/3636

I sent a pull request a couple of minutes ago.

2 months ago

Metadata Update from @pbrezina:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)

Thanks, I'm happy to re-test when packages with the fix will be available.

2 months ago

Metadata Update from @pbenas:
- Issue status updated to: Open (was: Closed)

Hi, I have prepared a scratch build for you. Would you mind testing it? Thanks.

https://pbrezina.fedorapeople.org/scratch/memberof/

Hi,

It looks good. The initial propagation of membership took a while, but I'm unable to reproduce with the scratch builds you've provided. Thanks!

[root@ipa01:~] ipa group-add-member first-level --users tester
  Group name: first-level
  GID: 564800027
  Member users: tester
  Member of groups: second-level
  Indirect Member of group: third-level
-------------------------
Number of members added 1
-------------------------

18/04/16 15:23:27 rack-na/freeipa (rest-pg-minimal)
[root@ipa01:~] sss_cache -E

18/04/16 15:23:34 rack-na/freeipa (rest-pg-minimal)
[root@ipa01:~] id tester
uid=564800026(tester) gid=564800026(tester) groups=564800026(tester),564800023

18/04/16 15:23:43 rack-na/freeipa (rest-pg-minimal)
[root@ipa01:~] sss_cache -E

18/04/16 15:24:21 rack-na/freeipa (rest-pg-minimal)
[root@ipa01:~] id tester
uid=564800026(tester) gid=564800026(tester) groups=564800026(tester),564800024,564800027(first-level)

18/04/16 15:24:23 rack-na/freeipa (rest-pg-minimal)
[root@ipa01:~] sss_cache -E

18/04/16 15:25:06 rack-na/freeipa (rest-pg-minimal)
[root@ipa01:~] id tester
uid=564800026(tester) gid=564800026(tester) groups=564800026(tester),564800027(first-level),564800028(third-level)

18/04/16 15:25:08 rack-na/freeipa (rest-pg-minimal)
[root@ipa01:~] ipa group-add-member third-level --users tester
  Group name: third-level
  GID: 564800028
  Member users: tester
  Member groups: second-level
  Indirect Member groups: first-level
-------------------------
Number of members added 1
-------------------------

18/04/16 15:25:28 rack-na/freeipa (rest-pg-minimal)
[root@ipa01:~] sss_cache -E

18/04/16 15:25:32 rack-na/freeipa (rest-pg-minimal)
[root@ipa01:~] id tester
uid=564800026(tester) gid=564800026(tester) groups=564800026(tester),564800027(first-level),564800028(third-level)

18/04/16 15:25:35 rack-na/freeipa (rest-pg-minimal)
[root@ipa01:~] ipa group-remove-member third-level --users tester
  Group name: third-level
  GID: 564800028
  Member groups: second-level
  Indirect Member users: tester
  Indirect Member groups: first-level
---------------------------
Number of members removed 1
---------------------------

18/04/16 15:25:46 rack-na/freeipa (rest-pg-minimal)
[root@ipa01:~] sss_cache -E

18/04/16 15:25:55 rack-na/freeipa (rest-pg-minimal)
[root@ipa01:~] id tester
uid=564800026(tester) gid=564800026(tester) groups=564800026(tester),564800027(first-level),564800028(third-level)
