Hi, the attached patches implement https://fedorahosted.org/sssd/ticket/2522 Here is what I tested: 1) topgr -> bottomgr -> extgr -> administrator(a)win.trust.test - this is a simple case to test a member of an external group 2) ipa_uni -> ipa_uni_ext -> unigroup(a)win.trust.test | +-- userfromchild(a)child.win.trust.test \- anotheruser(a)win.trust.test - this is to test that a universal group with members from two domains resolves correctly 3) idm_admin -> idm_admin_ext -> extgroup(a)win.trust.test \- puser(a)win.trust.test -> someuser(a)win.trust.test - tests that a combination of user and group members work 4) toc_admin -> toc_admin_ext -> someuser(a)win.trust.test -> someuser(a)child.win.trust.test - tests that two users with the same name from different domains work correctly I also tested adding and removing group members and found some bugs in our groups processing (#2940, #2952) Please feel free to suggest more tests. If the patches are accepted, I'll also add unit tests for the nested groups code, but currently we need to make the patches available to upstream. I also tested a combination of user lookups and group lookups, especially with someuser to test that the initgroups and group lookups play well together. And that's where I found one issue that I think we should fix in master -- the initgroups code adds the external members as direct members of the POSIX group, so I did the same in the group lookup code. This is safer, but doesn't allow us to remove the hack we have (6fac5e5f0c54a0f92872ce1450606cfcb577a920) to retain external members. I think in 1.14 it would be more systematic to store the group membership as: gr -> ext_gr -> ad_member rather than: gr -> ext_gr -> ad_member The reason we can't remove those hacks is that if the external group is up-to-date and only the top group is resolved, we would only write the group memberships as stored in LDAP, effectively removing the AD memberships. This of course depends on fixing the issues in memberof plugin, but I still think it's worth it. The current code works well, though, so I guess we can accept it for 1.13. Our initgroups code should be well equipped to handle that and we could remove the hacks we have at the moment.

On Tue, Feb 23, 2016 at 09:37:57PM +0100, Jakub Hrozek wrote: > On Mon, Feb 22, 2016 at 06:04:07PM +0100, Jakub Hrozek wrote: > > Hi, > > > > the attached patches implement https://fedorahosted.org/sssd/ticket/2522 > > > > Here is what I tested: > > 1) topgr -> bottomgr -> extgr -> administrator(a)win.trust.test > > - this is a simple case to test a member of an external group > > > > 2) ipa_uni -> ipa_uni_ext -> unigroup(a)win.trust.test > > | > > +-- userfromchild(a)child.win.trust.test > > \- anotheruser(a)win.trust.test > > > > - this is to test that a universal group with members from two > > domains resolves correctly > > > > 3) idm_admin -> idm_admin_ext -> extgroup(a)win.trust.test > > \- puser(a)win.trust.test > > -> someuser(a)win.trust.test > > - tests that a combination of user and group members work > > > > 4) toc_admin -> toc_admin_ext -> someuser(a)win.trust.test > > -> someuser(a)child.win.trust.test > > - tests that two users with the same name from different domains > > work correctly > > > > I also tested adding and removing group members and found some bugs in > > our groups processing (#2940, #2952) > > > > Please feel free to suggest more tests. If the patches are accepted, > > I'll also add unit tests for the nested groups code, but currently we > > need to make the patches available to upstream. > > > > I also tested a combination of user lookups and group lookups, > > especially with someuser to test that the initgroups and group lookups > > play well together. And that's where I found one issue that I think we > > should fix in master -- the initgroups code adds the external members as > > direct members of the POSIX group, so I did the same in the group > > lookup code. This is safer, but doesn't allow us to remove the hack we > > have (6fac5e5f0c54a0f92872ce1450606cfcb577a920) to retain external > > members. > > > > I think in 1.14 it would be more systematic to store the group > > membership as: > > gr -> ext_gr -> ad_member > > rather than: > > gr -> ext_gr > > -> ad_member > > > > The reason we can't remove those hacks is that if the external group is > > up-to-date and only the top group is resolved, we would only write the > > group memberships as stored in LDAP, effectively removing the AD > > memberships. This of course depends on fixing the issues in memberof > > plugin, but I still think it's worth it. The current code works well, > > though, so I guess we can accept it for 1.13. > > > > Our initgroups code should be well equipped to handle that and we could > > remove the hacks we have at the moment. > > The attached patches fix issues in the reallocation logic that Sumit > found during his review. Only the third patch had changed. Thank you. I do not have additional comments on the code and the patches work well in my test. I tested with nested groups on the AD and IPA side as well to put even more groups between the group with them members in AD and the group looked up on the IPA side but all worked well. CI passed as well http://sssd-ci.duckdns.org/logs/job/37/87/summary.html so ACK. Btw, about the change you suggested to store the AD members in the external groups. All PAC processing does not know about the external group and can only lookup up and add the AD members to the real group. So I'm not sure if this change is really needed. bye, Sumit