URL: https://github.com/SSSD/sssd/pull/13
Title: #13: MEMBEROF: Don't resolve members if they are removed

celestian commented:
"""
Hello,
I pushed a new version with tests.

Thanks @sumit-bose for the help with the second patch. By the way, is there a 
better way to write co-authors? Please tell me.

This patch works for the ipa provider, not for the ldap provider. (For the ldap 
provider we have https://fedorahosted.org/sssd/ticket/3186)

Reproducer:
```bash
#!/bin/bash

# prepare
ipa user-add --first=Adam --last=Adam --email=a...@persei.cz adam
ipa group-add group_1
ipa group-add-member --users=adam group_1
ipa group-add group_2

# reproducer

systemctl daemon-reload
sudo su -c "truncate -s0 /var/log/sssd/*.log"
sudo su -c "rm -f /var/lib/sss/db/*" 
sudo su -c "rm -f /var/lib/sss/mc/*"
sudo systemctl restart sssd.service

ipa group-add-member --groups=group_1 group_2
sss_cache -UG
sudo su -c "truncate -s0 /var/log/sssd/*.log"
getent group group_2

ipa group-remove-member --groups=group_1 group_2
sss_cache -UG
sudo su -c "truncate -s0 /var/log/sssd/*.log"
getent group group_2

# clean

ipa group-del group_2
ipa group-del group_1
ipa user-del adam
```
Configuration:
```bash
# cat /etc/sssd/sssd.conf 

[domain/ipa.beta]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = beta
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = mirach.beta
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, algol.beta
dyndns_iface = ens3
ldap_tls_cacert = /etc/ipa/ca.crt
entry_cache_timeout = 30
debug_level = 0xFFFF0

[sssd]
services = nss, sudo, pam, ssh
domains = ipa.beta
debug_level = 0xFFFFFF0

[nss]
homedir_substring = /home
```
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/13#issuecomment-248002682