URL: https://github.com/SSSD/sssd/pull/170 Title: #170: PROXY: Remove duplicit users from group
celestian commented: """ So, @lslebodn and me looked at how to test this patch. Unfortunately we found out that proxy code uses ```nss_files_getgrnam_r``` which is not mocked by ```libnss_wrapper```.
The reviewer could inspire there: ``` Configuration:
# cat /etc/sssd/sssd.conf [sssd] config_file_version = 2 services = nss, pam domains = shadowutils debug_level = 0xFFFF0
[nss] filter_groups = root filter_users = root debug_level = 0xFFFF0
[pam] offline_credentials_expiration = 365 debug_level = 0xFFFF0
[domain/shadowutils] id_provider = proxy proxy_lib_name = files
auth_provider = proxy proxy_pam_target = sssd-shadowutils proxy_fast_alias = True debug_level = 0xFFFF0
# cat /etc/nsswitch.conf [...] passwd: files sss shadow: files sss group: sss
Preparation:
useradd test_user groupadd test_group usermod -a -G test_group test_user
# And manualy add test_user to /etc/group to test_group again, so it looks like: # [...] # test_group:x:1001:test_user,test_user
Reproducer:
systemctl stop sssd rm -fR /var/lib/sss/db/*.ldb systemctl start sssd truncate -s0 /var/log/sssd/*.log getent group test_group ``` """
See the full comment at https://github.com/SSSD/sssd/pull/170#issuecomment-283878254