Hi,
this patch fixes an issue with the handling of universal groups. You can reproduce it with the following steps either with the AD provider in an AD forest with multiple domains or with the IPA provider and trust to an AD forest with multiple domains and a universal group:
- start with an empty cache
- getent group universal_group@dom1.ad
- ldbsearch -H /path/to/cache name=universal_group@dom1.ad
the cached object only has ghost members because no users are resolved
- getent passwd group_member@dom2.ad
- ldbsearch -H /path/to/cache name=universal_group@dom1.ad
if a group member from a different domain than the group itself is resolved the ghost entry is not removed.
bye, Sumit
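The final check in the reproduction steps above can be scripted. This is an added example, not part of the original message and not SSSD code. It assumes ghost members are stored in an attribute named `ghost`, and the cache entries and DN layout in the samples are constructed for illustration.

```shell
#!/bin/sh
# Added example (not SSSD code). Reads ldbsearch LDIF output for one cached
# group on stdin and prints every ghost value that matches a user name passed
# as an argument, i.e. a user that was already resolved and should no longer
# be listed as a ghost. Empty output means no stale ghost entry was found.
# Assumption: ghost members live in an attribute named "ghost".
# Real use (paths and names as in the steps above):
#   ldbsearch -H /path/to/cache name=universal_group@dom1.ad \
#       | stale_ghosts group_member@dom2.ad
stale_ghosts() {
    awk -v users="$*" '
        BEGIN {
            n = split(users, u, " ")
            for (i = 1; i <= n; i++) resolved[tolower(u[i])] = 1
        }
        # Match "ghost: value" lines; attribute names are case-insensitive.
        tolower($1) == "ghost:" {
            val = $0
            sub(/^[^:]*:[ \t]*/, "", val)   # strip the attribute name
            key = tolower(val)
            if (key in resolved) print val
        }
    '
}

# Constructed sample: the cached group after the user was resolved, with the
# ghost entry for that user still present (the behaviour being reported).
sample_stale() {
    cat <<'EOF'
dn: name=universal_group@dom1.ad,cn=groups,cn=dom1.ad,cn=sysdb
name: universal_group@dom1.ad
ghost: group_member@dom2.ad
ghost: other_member@dom1.ad
EOF
}

# Constructed sample: the same group with the ghost replaced by a real member.
sample_clean() {
    cat <<'EOF'
dn: name=universal_group@dom1.ad,cn=groups,cn=dom1.ad,cn=sysdb
name: universal_group@dom1.ad
ghost: other_member@dom1.ad
member: name=group_member@dom2.ad,cn=users,cn=dom2.ad,cn=sysdb
EOF
}
```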
On Fri, Jan 23, 2015 at 04:39:03PM +0100, Sumit Bose wrote:
> Hi,
> this patch fixes an issue with the handling of universal groups. You can reproduce it with the following steps either with the AD provider in an AD forest with multiple domains or with the IPA provider and trust to an AD forest with multiple domains and a universal group:
> - start with an empty cache
> - getent group universal_group@dom1.ad
> - ldbsearch -H /path/to/cache name=universal_group@dom1.ad
> the cached object only has ghost members because no users are resolved
> - getent passwd group_member@dom2.ad
> - ldbsearch -H /path/to/cache name=universal_group@dom1.ad
> if a group member from a different domain than the group itself is resolved the ghost entry is not removed.
> bye, Sumit
ACK
tested on an IPA server with trusts.
On Fri, Jan 23, 2015 at 09:26:27PM +0100, Jakub Hrozek wrote:
> On Fri, Jan 23, 2015 at 04:39:03PM +0100, Sumit Bose wrote:
> > Hi,
> > this patch fixes an issue with the handling of universal groups. You can reproduce it with the following steps either with the AD provider in an AD forest with multiple domains or with the IPA provider and trust to an AD forest with multiple domains and a universal group:
> > - start with an empty cache
> > - getent group universal_group@dom1.ad
> > - ldbsearch -H /path/to/cache name=universal_group@dom1.ad
> > the cached object only has ghost members because no users are resolved
> > - getent passwd group_member@dom2.ad
> > - ldbsearch -H /path/to/cache name=universal_group@dom1.ad
> > if a group member from a different domain than the group itself is resolved the ghost entry is not removed.
> > bye, Sumit
> ACK
> tested on an IPA server with trusts.
* master: fc2146c108e28d50bbf691925cedf9592142dd14
* sssd-1-12: 20f4640cd4dbec3a91b615611a4adc418ffae91c
On Fri, Jan 23, 2015 at 09:54:51PM +0100, Jakub Hrozek wrote:
> On Fri, Jan 23, 2015 at 09:26:27PM +0100, Jakub Hrozek wrote:
> > On Fri, Jan 23, 2015 at 04:39:03PM +0100, Sumit Bose wrote:
> > > Hi,
> > > this patch fixes an issue with the handling of universal groups. You can reproduce it with the following steps either with the AD provider in an AD forest with multiple domains or with the IPA provider and trust to an AD forest with multiple domains and a universal group:
> > > - start with an empty cache
> > > - getent group universal_group@dom1.ad
> > > - ldbsearch -H /path/to/cache name=universal_group@dom1.ad
> > > the cached object only has ghost members because no users are resolved
> > > - getent passwd group_member@dom2.ad
> > > - ldbsearch -H /path/to/cache name=universal_group@dom1.ad
> > > if a group member from a different domain than the group itself is resolved the ghost entry is not removed.
> > > bye, Sumit
> > ACK
> > tested on an IPA server with trusts.
> - master: fc2146c108e28d50bbf691925cedf9592142dd14
> - sssd-1-12: 20f4640cd4dbec3a91b615611a4adc418ffae91c
I forgot to send the CI link along with the ACK: http://sssd-ci.idm.lab.eng.brq.redhat.com:8080/job/ci/662/