Skip to content

sdap: include sub-domain memberships in updates #7922

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

sdap: include sub-domain memberships in updates #7922

wants to merge 1 commit into from

Conversation

sumit-bose
Copy link
Contributor

While looking up group memberships from the cache only groups from the
user's domain were taken into account because of the cache search base.
As a result memberships in other domains were not updated.

With this patch the whole cache is searched and hence memberships from
all domains will be updated.

Resolves: #7921

@sumit-bose
sdap: include sub-domain memberships in updates
f547493 
While looking up group memberships from the cache only groups from the
user's domain were taken into account because of the cache search base.
As a result memberships in other domains were not updated.

With this patch the whole cache is searched and hence memberships from
all domains will be updated.

Resolves: SSSD#7921
justin-stephenson
justin-stephenson approved these changes Apr 15, 2025
View reviewed changes
Copy link
Contributor

@justin-stephenson justin-stephenson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removal of 'ad_admins' POSIX group works with this PR.

[root@master /]# rpm -q sssd-client
sssd-client-9.pr7922-06510.fc42.x86_64
[root@master /]# id [email protected]
uid=1157400500([email protected]) gid=1157400500([email protected]) groups=1157400500([email protected]),1157400520(group policy creator [email protected]),1157400519(enterprise [email protected]),1157400512(domain [email protected]),1157400518(schema [email protected]),1572600006(ad_admins),1157400513(domain [email protected])
[root@master /]# ipa group-remove-member ad_admins_external --external [email protected]
[member user]: 
[member group]: 
[member service]: 
[member User ID override]: 
  Group name: ad_admins_external
  External member: 
  Member of groups: ad_admins
---------------------------
Number of members removed 1
---------------------------
[root@master /]# sssctl cache-expire -u [email protected]
[root@master /]# id [email protected]
uid=1157400500([email protected]) gid=1157400500([email protected]) groups=1157400500([email protected]),1157400520(group policy creator [email protected]),1157400519(enterprise [email protected]),1157400512(domain [email protected]),1157400518(schema [email protected]),1157400513(domain [email protected])

@sumit-bose
Copy link
Contributor Author

Removal of 'ad_admins' POSIX group works with this PR.

Hi,

thanks for testing, did you use ldap_use_tokengroups = False and subdomain_inherit = ldap_use_tokengroups in sssd.conf on the IPA server?

bye,
Sumit

@justin-stephenson
Copy link
Contributor

Removal of 'ad_admins' POSIX group works with this PR.

Hi,

thanks for testing, did you use ldap_use_tokengroups = False and subdomain_inherit = ldap_use_tokengroups in sssd.conf on the IPA server?

bye, Sumit

Yes, I tested only on the IPA server, and with these options.

@sumit-bose
Copy link
Contributor Author

Removal of 'ad_admins' POSIX group works with this PR.

Hi,
thanks for testing, did you use ldap_use_tokengroups = False and subdomain_inherit = ldap_use_tokengroups in sssd.conf on the IPA server?
bye, Sumit

Yes, I tested only on the IPA server, and with these options.

Thanks

@alexey-tikhonov alexey-tikhonov added branch: sssd-2-9-4 Corresponds to C8S coverity Trigger a coverity scan labels Apr 16, 2025
@aplopez
Copy link
Contributor

aplopez commented Apr 16, 2025

Is it needed to replace the domain by NULL also in the call to sysdb_get_direct_parents() in sdap_async_initgroups_ad.c:1411? It is really not clear to me.

@sumit-bose
Copy link
Contributor Author

Is it needed to replace the domain by NULL also in the call to sysdb_get_direct_parents() in sdap_async_initgroups_ad.c:1411? It is really not clear to me.

Hi,

I agree that it is hard to follow what is going on here, but the current code is ok imo. The whole surrounding tevent req is to check for membership of users from other domains in "domain local" groups of the local domain, i.e. the domain the client is joined to and which is configured in sssd.conf. Since "domain local" groups are only valid in the domain they are define they are e.g. not returned in the tokenGroups for users from other domains because we are sending this request to a DC of the remote domain the user is coming from. So we have to add membership in "domain local" groups from the local domain in an additional run and here we are only interested in the groups from the local domain.

HTH

bye,
Sumit

@aplopez
Copy link
Contributor

aplopez commented Apr 16, 2025

I agree that it is hard to follow what is going on here, but the current code is ok imo.

Thanks for the explanation. ACK.

@alexey-tikhonov alexey-tikhonov added Accepted and removed coverity Trigger a coverity scan labels Apr 16, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@justin-stephenson justin-stephenson justin-stephenson approved these changes

@aplopez aplopez aplopez approved these changes

Assignees

@justin-stephenson justin-stephenson

@aplopez aplopez

Labels
Accepted branch: sssd-2-9-4 Corresponds to C8S branch: sssd-2-9 Bugzilla
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

AD user in external group is not cleared when expiring the cache
4 participants
@sumit-bose @justin-stephenson @aplopez @alexey-tikhonov