Removing an IPA sub-group removes members from the indirect parent that also belong to other subgroups

Solution Verified

Issue

In IPA, there are 3 groups: child1 and child2 are subgroups of parent, as follows:

parent
  |
  +- child1   (user1)
  |
  +- child2   (user1)

user1 is a username that belongs to both the child1 and child2 groups, so user1 should also belong to parent.

    # getent group parent
    parent:*:12345:user1

    # id user1
    uid=1234(user1), gid=xxxx(user1), groups=xxxx(user1),xxxx(child1),xxxx(child2),xxxx(parent)

After child1 is removed from parent, the output of the id and getent commands, which is obtained from the SSSD cache, shows that user1 no longer belongs to parent.
The output of the ipa command, which is obtained from IdM, shows that user1 still belongs to parent, because the IdM database holds the correct relationship for user1.

Before the removal, id and getent list user1 as a member of parent:

    # id user1
    uid=1234(user1), gid=xxxx(user1), groups=xxxx(user1),xxxx(child1),xxxx(child2),xxxx(parent)

    # getent group parent
    parent:*:12345:user1

Remove child1 from parent.

    # ipa group-remove-member parent --groups=child1
      Group name: parent
      GID: 12345
      Member groups: child2
      Indirect Member users: user1
    ---------------------------
    Number of members removed 1
    ---------------------------

The id and getent commands show that user1 no longer belongs to parent.

    # id user1
    uid=1234(user1), gid=xxxx(user1), groups=xxxx(user1),xxxx(child1),xxxx(child2)

    # getent group parent
    parent:*:12345:

The ipa command shows that user1 still belongs to parent.

    # ipa group-show parent
      Group name: parent
      GID: 12345
      Member groups: child2
      Indirect Member users: user1

    # ipa group-show child1
      Group name: child1
      GID: xxxx
      Member users: user1

    # ipa group-show child2
      Group name: child2
      GID: xxxx
      Member users: user1
      Member of groups: parent
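
A check for the mismatch shown above, as an added example that is not part of the original article or any Red Hat tooling: it compares the users IdM reports for a group (direct and indirect) with the members NSS returns through SSSD. The function names are assumptions of this example, and the sample strings are constructed from the outputs on this page.

```shell
#!/bin/sh
# Added example: report users that IdM lists for a group but NSS/SSSD does not.

# Reads `ipa group-show GROUP` output on stdin; prints direct and indirect
# member users, one per line, sorted and de-duplicated.
idm_members() {
    sed -n -e 's/^ *Member users: *//p' -e 's/^ *Indirect Member users: *//p' |
        tr ',' '\n' | sed -e 's/^ *//' -e 's/ *$//' -e '/^$/d' | sort -u
}

# Reads one `getent group GROUP` line on stdin; prints its members, one per line.
nss_members() {
    cut -d: -f4 | tr ',' '\n' | sed '/^$/d' | sort -u
}

# $1 = ipa group-show output, $2 = getent group line.
# Prints every user present in the IdM view but absent from the NSS view.
missing_in_nss() {
    idm=$(printf '%s\n' "$1" | idm_members)
    nss=$(printf '%s\n' "$2" | nss_members)
    for u in $idm; do
        printf '%s\n' "$nss" | grep -qxF -- "$u" || printf '%s\n' "$u"
    done
}

# $1 = group name, $2 = ipa output, $3 = getent line. Returns 1 on a mismatch.
check_group() {
    missing=$(missing_in_nss "$2" "$3")
    if [ -n "$missing" ]; then
        echo "MISMATCH $1: in IdM but not in NSS/SSSD: $(echo $missing)"
        return 1
    fi
    echo "OK $1: NSS/SSSD lists every user IdM reports"
}

# Constructed sample input, taken from the command outputs on this page.
SAMPLE_IPA='  Group name: parent
  GID: 12345
  Member groups: child2
  Indirect Member users: user1'
SAMPLE_GETENT_STALE='parent:*:12345:'      # after removing child1
SAMPLE_GETENT_OK='parent:*:12345:user1'    # before the removal

check_group parent "$SAMPLE_IPA" "$SAMPLE_GETENT_OK"
check_group parent "$SAMPLE_IPA" "$SAMPLE_GETENT_STALE" || true
# On an IdM client, pass live output instead of the samples:
#   check_group parent "$(ipa group-show parent)" "$(getent group parent)"
```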

Environment

  • Red Hat Enterprise Linux 7
  • sssd versions prior to sssd-1.16.4-37.el7_8.3
