ipa: do not go offline if group does not have SID
This happens while applying overrides to a cached group during initgroups of a trusted user. If the group does not have a SID (its GID is outside the sidgen range), SSSD goes offline. Only SSSD running in server_mode is affected. This patch ignores the error in a single group and instead continues processing the remaining groups. Resolves: #6942
Showing
2 changed files
with
111 additions
and
49 deletions.
@@ -0,0 +1,61 @@ | ||
""" | ||
Identity of trusted users and groups. | ||
:requirement: todo | ||
""" | ||
|
||
from __future__ import annotations | ||
|
||
import pytest | ||
from sssd_test_framework.roles.ipa import IPA | ||
from sssd_test_framework.roles.generic import GenericADProvider | ||
from sssd_test_framework.topology import KnownTopologyGroup | ||
|
||
|
||
@pytest.mark.importance("low") | ||
@pytest.mark.ticket(jira="RHEL-3925", gh=6942) | ||
@pytest.mark.topology(KnownTopologyGroup.IPATrust) | ||
def test_trust_identity__group_without_sid(ipa: IPA, trusted: GenericADProvider): | ||
""" | ||
:title: Subdomain goes offline if IPA group is missing SID | ||
:setup: | ||
1. Create IPA external group "external-group" and add AD user "Administrator" as a member | ||
2. Create IPA posix group "posix-group" and add "external-group" as a member | ||
3. Clear SSSD cache and logs on IPA server | ||
4. Restart SSSD on IPA server | ||
:steps: | ||
1. Resolve user "Administrator@addomain" | ||
2. Expire user "Administrator@addomain" | ||
3. Resolve user "Administrator@addomain" | ||
4. Run "sssctl domain-status addomain" | ||
:expectedresults: | ||
1. User is resolved and member of posix-group | ||
2. User is expired in SSSD cache | ||
3. User is resolved and member of posix-group | ||
4. The Active Directory domain is still online | ||
:customerscenario: True | ||
""" | ||
username = trusted.fqn("administrator") | ||
external = ipa.group("external-group").add(external=True).add_member(username) | ||
ipa.group("posix-group").add(gid=5001).add_member(external) | ||
|
||
ipa.sssd.clear(db=True, memcache=True, logs=True) | ||
ipa.sssd.restart() | ||
|
||
# Cache trusted user | ||
result = ipa.tools.id(username) | ||
assert result is not None | ||
assert result.user.name == username | ||
assert result.memberof("posix-group") | ||
|
||
# Expire the user and resolve it again, this will trigger the affected code path | ||
ipa.sssctl.cache_expire(user=username) | ||
result = ipa.tools.id(username) | ||
assert result is not None | ||
assert result.user.name == username | ||
assert result.memberof("posix-group") | ||
|
||
# Check that SSSD did not go offline | ||
result = ipa.sssctl.domain_status(trusted.domain, online=True) | ||
assert "online status: offline" not in result.stdout.lower() | ||
assert "online status: online" in result.stdout.lower() |