#7375 External members of an external group aren't resolved when initially populating the compat tree
Opened a year ago by rcritten. Modified a year ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1535547

Description of problem: external members of an external group aren't resolved
when initially populating the compat tree


Version-Release number of selected component (if applicable):
ipa-server-4.5.4-8.el7.x86_64
389-ds-base-1.3.7.5-11.el7.x86_64

How reproducible:

Steps to Reproduce:
[root@master ~]# ipa group-add idmgroupstestext0002 --external
----------------------------------
Added group "idmgroupstestext0002"
----------------------------------
  Group name: idmgroupstestext0002
[root@master ~]# ipa group-add idmgroupstest0002
-------------------------------
Added group "idmgroupstest0002"
-------------------------------
  Group name: idmgroupstest0002
  GID: 1896600007
[root@master ~]# ipa group-add-member idmgroupstest0002 --groups=idmgroupstestext0002
  Group name: idmgroupstest0002
  GID: 1896600007
  Member groups: idmgroupstestext0002
-------------------------
Number of members added 1
-------------------------
[root@master ~]# ipa group-add-member idmgroupstestext0002 --external=aduser1@pne.qe
[member user]:
[member group]:
  Group name: idmgroupstestext0002
  External member: S-1-5-21-2202318585-426110948-4011710778-5281
  Member of groups: idmgroupstest0002
-------------------------
Number of members added 1
-------------------------
[root@master ~]# date ; sss_cache -u aduser1@pne.qe
Wed Jan 17 17:17:53 IST 2018
[root@master ~]# date ; id aduser1@pne.qe
Wed Jan 17 17:18:01 IST 2018
uid=1261605281(aduser1@pne.qe) gid=1261605281(aduser1@pne.qe) groups=1261605281(aduser1@pne.qe),1261600513(domain users@pne.qe),1261602139(adunigroup1@pne.qe),1261601559(adgroup1@pne.qe),1261601629(adgroup2@pne.qe),1896600007(idmgroupstest0002)

[root@master ~]# date ; getent group idmgroupstest0002@sdr2k16.test
Wed Jan 17 17:21:11 IST 2018
idmgroupstest0002:*:1896600007:aduser1@pne.qe

[root@master ~]# date ; ldapsearch -ZZ -h master.sdr2k16.test -D "cn=directory manager" -w Secret123 -b "cn=compat,dc=sdr2k16,dc=test" -s sub "(&(cn=idmgroupstest0002))"
Wed Jan 17 17:22:03 IST 2018
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=sdr2k16,dc=test> with scope subtree
# filter: (&(cn=idmgroupstest0002))
# requesting: ALL
#

# idmgroupstest0002, groups, compat, sdr2k16.test
dn: cn=idmgroupstest0002,cn=groups,cn=compat,dc=sdr2k16,dc=test
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: top
gidNumber: 1896600007
ipaAnchorUUID:: OklQQTpzZHIyazE2LnRlc3Q6MmQzMWY2ZGEtZmI3Yy0xMWU3LWIxMGItNTI1ND
 AwZWE2NWE1
cn: idmgroupstest0002

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

[root@master ~]# systemctl restart dirsrv@SDR2K16-TEST.service
[root@master ~]# date ; ldapsearch -ZZ -h master.sdr2k16.test -D "cn=directory manager" -w Secret123 -b "cn=compat,dc=sdr2k16,dc=test" -s sub "(&(cn=idmgroupstest0002))"
Wed Jan 17 17:36:24 IST 2018
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=sdr2k16,dc=test> with scope subtree
# filter: (&(cn=idmgroupstest0002))
# requesting: ALL
#

# idmgroupstest0002, groups, compat, sdr2k16.test
dn: cn=idmgroupstest0002,cn=groups,cn=compat,dc=sdr2k16,dc=test
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: top
gidNumber: 1896600007
ipaAnchorUUID:: OklQQTpzZHIyazE2LnRlc3Q6MmQzMWY2ZGEtZmI3Yy0xMWU3LWIxMGItNTI1ND
 AwZWE2NWE1
cn: idmgroupstest0002

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

Actual results:


Expected results: External members of an external group should be resolved,
while initially populating the compat tree.


Additional info: attached sssd logs
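
The mismatch shown in the reproduction steps (getent lists aduser1@pne.qe, the compat entry carries no member) can be checked mechanically. The script below is an added example, not part of the ticket or of FreeIPA; it assumes resolved members would be published as memberUid values (the RFC 2307 posixGroup member attribute), and the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the ticket): list members NSS reports for a group
# that are absent from the group's compat-tree entry.

# memberUid values from ldapsearch LDIF on stdin, one per line. LDIF folds
# long lines; a continuation line starts with one space and is joined first.
compat_members() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }' |
        sed -n 's/^[Mm]ember[Uu]id: //p' | sort -u
}

# Member names from a "name:passwd:gid:m1,m2" getent group line on stdin.
getent_members() {
    cut -d: -f4 | tr ',' '\n' | sed '/^$/d' | sort -u
}

# $1 = getent group line, $2 = LDIF of the compat entry.
# Prints every NSS member that has no matching memberUid.
missing_in_compat() {
    compat=$(printf '%s\n' "$2" | compat_members)
    printf '%s\n' "$1" | getent_members | while IFS= read -r m; do
        printf '%s\n' "$compat" | grep -qxF -- "$m" || printf '%s\n' "$m"
    done
}

# Inputs copied from the outputs in the report.
SAMPLE_GETENT='idmgroupstest0002:*:1896600007:aduser1@pne.qe'
SAMPLE_COMPAT_REPORTED='dn: cn=idmgroupstest0002,cn=groups,cn=compat,dc=sdr2k16,dc=test
objectClass: posixGroup
gidNumber: 1896600007
cn: idmgroupstest0002'
# Constructed: the same entry with the member present, folded to test unfolding.
SAMPLE_COMPAT_EXPECTED='dn: cn=idmgroupstest0002,cn=groups,cn=compat,dc=sdr2k16,dc=test
objectClass: posixGroup
gidNumber: 1896600007
memberUid: aduser1@pn
 e.qe
cn: idmgroupstest0002'

echo "missing from compat (reported entry):"
missing_in_compat "$SAMPLE_GETENT" "$SAMPLE_COMPAT_REPORTED"
echo "missing from compat (expected entry):"
missing_in_compat "$SAMPLE_GETENT" "$SAMPLE_COMPAT_EXPECTED"
```

Against a live server, pass the output of `getent group` and of the ldapsearch command from the report as the two arguments.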

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1535547

a year ago

Metadata Update from @rcritten:
- Issue priority set to: important

a year ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.6.4 (was: FreeIPA 4.6.3)

a year ago

FreeIPA 4.6.3 has been released, moving to FreeIPA 4.6.4 milestone

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.6.5 (was: FreeIPA 4.6.4)

a year ago
