Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1698118
Description of problem: After migration from a winsync agreement to a trust using the ipa-winsync-migrate tool, wrapper groups are created to preserve membership of users in groups, HBAC rules, SELinux user maps and roles. For example, for roles the template for the wrapper groups is "role_%s_winsync_external", with %s substituted with the role name. Names of HBAC rules, SELinux user maps and roles can contain non-POSIX characters, so names of objects are sanitized before the wrapper groups are created. Sanitization is done by replacing spaces with underscores and removing all other non-POSIX characters. This means that different original names can produce the same sanitized name; for example 'role 1' and 'role_1' both produce the group name "role_role_1_winsync_external". ipa-winsync-migrate tries to solve this by creating unique group names like "role_role_1_winsync_external", "role_role_1_winsync_external1", "role_role_1_winsync_external2". The problem is that the migrated user is added only to the first of those groups, so only one of the original roles is applied to the user.
How reproducible: Always
Steps to Reproduce:

1. install ipa server
2. on AD side create user testuser
3. establish winsync replication agreement with AD
4. create roles:
    ipa role-add "collision role"
    ipa role-add "collision, role"
    ipa role-add "collision_role"
5. assign roles to user:
    ipa role-add-member "collision role" --user testuser
    ipa role-add-member "collision, role" --user testuser
    ipa role-add-member "collision_role" --user testuser
6. check user is added to all roles:
    ipa role-show "collision role"
    ipa role-show "collision, role"
    ipa role-show "collision_role"
7. establish trust with AD
8. establish winsync replication agreement with AD
9. check created wrapper groups:
    ipa group-show role_collision_role_winsync_external
    ipa group-show role_collision_role_winsync_external1
    ipa group-show role_collision_role_winsync_external2
Actual results:
    # ipa group-show role_collision_role_winsync_external
      Group name: role_collision_role_winsync_external
      External member: testuser@ad.test
      Roles: collision role

    # ipa group-show role_collision_role_winsync_external1
      Group name: role_collision_role_winsync_external1
      Indirect Member of role: collision, role

    # ipa group-show role_collision_role_winsync_external2
      Group name: role_collision_role_winsync_external2
      Roles: collision_role
Expected results:
    # ipa group-show role_collision_role_winsync_external
      Group name: role_collision_role_winsync_external
      External member: testuser@ad.test
      Roles: collision role

    # ipa group-show role_collision_role_winsync_external1
      Group name: role_collision_role_winsync_external1
      External member: testuser@ad.test
      Roles: collision, role

    # ipa group-show role_collision_role_winsync_external2
      Group name: role_collision_role_winsync_external2
      External member: testuser@ad.test
      Roles: collision_role
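The name collision and suffixing described above, modelled as an added example (not ipa-winsync-migrate's own code): the functions, the assumed POSIX character set and the three-role input are constructed here. It produces the reported outcome beside the expected one and includes a post-migration check that lists wrapper groups missing the user.

```python
import re

# Assumed approximation of the tool's sanitization: spaces become underscores,
# every other character outside a POSIX group name is dropped.
NON_POSIX = re.compile(r"[^A-Za-z0-9_.-]")
TEMPLATE = "role_%s_winsync_external"


def sanitize(name):
    return NON_POSIX.sub("", name.replace(" ", "_"))


def wrapper_group_names(role_names):
    """Map each original role name to a unique wrapper-group name.

    Colliding sanitized names get numeric suffixes, as in the ticket
    ("..._external", "..._external1", "..._external2").
    """
    mapping, taken = {}, set()
    for role in role_names:
        base = TEMPLATE % sanitize(role)
        candidate, n = base, 0
        while candidate in taken:
            n += 1
            candidate = base + str(n)
        taken.add(candidate)
        mapping[role] = candidate
    return mapping


def assign_user(user, role_names, fixed=True):
    """Return {wrapper_group: members} after migrating the user's roles.

    fixed=False models the reported bug: only the first group of each
    collision set receives the external member. fixed=True adds the user
    to every wrapper group, which is the expected result.
    """
    groups = wrapper_group_names(role_names)
    members = {g: set() for g in groups.values()}
    seen = set()
    for role in role_names:
        base = sanitize(role)
        if fixed or base not in seen:
            members[groups[role]].add(user)
        seen.add(base)
    return members


def missing_memberships(members, user):
    """Post-migration check: wrapper groups that do not contain the user."""
    return sorted(g for g, m in members.items() if user not in m)
```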
An automated test exists for the issue: https://github.com/freeipa/freeipa/blob/05d69c8c325215778645bf8172ce6f8fc746bd1d/ipatests/test_integration/test_winsyncmigrate.py#L226