RHEL-154534

SSSD regression - getent group no longer enumerates external group members in sssd-ipa-2.12.0


    • Bug
    • Resolution: Duplicate
    • rhel-10.2
    • sssd
    • rhel-idm

      What were you trying to do that didn't work?

      When AD users are added as external members to an IPA external group (which is a member of an IPA POSIX group), the `getent group <posix_group>` command should list the AD users as members. This functionality works correctly in RHEL 10.1 with sssd-ipa-2.11.1 but fails in RHEL 10.2 with sssd-ipa-2.12.0.

      What is the impact of this issue to you?

      This is a regression that breaks the ability to enumerate external group members via `getent group`. Applications and scripts that rely on `getent group` to discover AD user membership in IPA POSIX groups will no longer function correctly. This affects AD trust environments where external groups are used to manage AD user access.

      Please provide the package NVR for which the bug is seen:

      • Working: sssd-ipa-2.11.1-2.el10_1.1.x86_64 (RHEL 10.1)
      • Broken: sssd-ipa-2.12.0-1.el10.x86_64 (RHEL 10.2)

      How reproducible is this bug?

      100% reproducible

      Steps to reproduce

      1. Set up IPA server with AD trust
      2. Create an external group:
         ipa group-add tgroup5_external --external
      3. Create a POSIX group:
         ipa group-add tgroup5
      4. Add the external group as a member of the POSIX group:
         ipa group-add-member tgroup5 --groups=tgroup5_external
      5. Add AD users as external members:
         ipa group-add-member tgroup5_external --external=nonposixuser@ad.domain
         ipa group-add-member tgroup5_external --external=nonposixuser1@ad.domain
      6. Clear SSSD cache and resolve the users:
         systemctl stop sssd
         rm -rf /var/lib/sss/{db,mc}/*
         systemctl start sssd
         id nonposixuser@ad.domain
         id nonposixuser1@ad.domain
      7. Query the group membership:
         getent group tgroup5

      Expected results

      `getent group tgroup5` should return the group with AD users listed as members:
      tgroup5:*:164600004:nonposixuser1@ad-ovj0.test,nonposixuser@ad-ovj0.test

      Actual results

      `getent group tgroup5` returns the group without any members:
      tgroup5:*:406600004:

      Additional Evidence

      RHEL 10.1 (sssd-ipa-2.11.1) - WORKING:

      RUN ['getent', 'group', 'tgroup5']
      tgroup5:*:164600004:nonposixuser1@ad-ovj0.test,nonposixuser@ad-ovj0.test
      Exit code: 0

      RHEL 10.2 (sssd-ipa-2.12.0) - BROKEN:

      RUN ['getent', 'group', 'tgroup5']
      tgroup5:*:406600004:
      Exit code: 0

      Note: The `id` command still shows the users are members of the group (via initgroups), but `getent group` enumeration is broken.

      This appears to be a regression in SSSD's group member enumeration for external/trusted domain users between versions 2.11.1 and 2.12.0.
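      The following POSIX shell check is an added example, not part of the ticket and not SSSD or FreeIPA code. It parses the member field of a `getent group` line and reports which expected external members are absent, so the regression described above can be detected by a post-upgrade check instead of by eye. The group name `tgroup5`, the two AD user names and the two sample output lines are taken from the report; `check_group` is an assumed helper name that runs `getent` on a live host, while the constructed sample lines let the parsing logic run offline.

```shell
#!/bin/sh
# Added example (not from the ticket): detect missing external members in
# `getent group` output, the symptom reported for sssd-ipa-2.12.0.

# group_members LINE
#   Print the member field (4th colon-separated field) of one getent group line.
group_members() {
    printf '%s\n' "$1" | cut -d: -f4
}

# missing_members LINE EXPECTED_CSV
#   Print every member from EXPECTED_CSV that is absent from LINE's member
#   field, one per line. Returns 0 when nothing is missing, 1 otherwise.
#   Order of members in LINE does not matter.
missing_members() {
    mm_line=$1
    mm_expected=$2
    mm_members=$(group_members "$mm_line")
    mm_rc=0
    mm_old_ifs=$IFS
    IFS=,
    for mm_m in $mm_expected; do
        case ",$mm_members," in
            *",$mm_m,"*) ;;                       # present
            *) printf '%s\n' "$mm_m"; mm_rc=1 ;;  # absent
        esac
    done
    IFS=$mm_old_ifs
    return $mm_rc
}

# check_group GROUP EXPECTED_CSV
#   Live variant (assumed helper): query the local NSS stack via getent and
#   report missing members. Returns 2 if the group does not resolve at all.
check_group() {
    cg_line=$(getent group "$1") || {
        printf 'group %s not found via getent\n' "$1" >&2
        return 2
    }
    missing_members "$cg_line" "$2"
}

# Constructed sample data: the two outputs quoted in the ticket.
WORKING='tgroup5:*:164600004:nonposixuser1@ad-ovj0.test,nonposixuser@ad-ovj0.test'
BROKEN='tgroup5:*:406600004:'
EXPECTED='nonposixuser@ad-ovj0.test,nonposixuser1@ad-ovj0.test'

# Offline demonstration on the constructed lines; on a real host you would
# run:  check_group tgroup5 "$EXPECTED"
printf 'working line: '
missing_members "$WORKING" "$EXPECTED" && echo 'all expected members present'
printf 'broken line: missing members follow\n'
missing_members "$BROKEN" "$EXPECTED" || echo 'enumeration regression detected'
```

      On an affected host `check_group tgroup5 "$EXPECTED"` exits non-zero and lists both AD users, matching the empty member field shown in the BROKEN run; on the 10.1 host it exits 0. Because the ticket notes that `id` still reports the membership through initgroups, a complementary check that compares `id -Gn nonposixuser@ad.domain` against the `getent group` result would isolate the enumeration path as the only broken one.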

              sssd-maint SSSD Maintainers
              rh-ee-pthube PRANAV THUBE
              SSSD QE SSSD QE
              Louise McGarry Louise McGarry
              Votes: 0
              Watchers: 13