[autobackport: sssd-2-9] Dont store gid 0 for non-posix groups

[sssd-bot]

This is an automatic backport of PR#8075 Dont store gid 0 for non-posix groups to branch sssd-2-9, created by @justin-stephenson.

Please make sure this backport is correct.

Note

The commits were cherry-picked without conflicts.

You can push changes to this pull request

git remote add sssd-bot git@github.com:sssd-bot/sssd.git
git fetch sssd-bot refs/heads/SSSD-sssd-backport-pr8075-to-sssd-2-9
git checkout SSSD-sssd-backport-pr8075-to-sssd-2-9
git push sssd-bot SSSD-sssd-backport-pr8075-to-sssd-2-9

---

Original commits

• 936dbfb - SYSDB: Add sysdb_add_bool()
• dc9188b - SYSDB: Dont store gid 0 for non-posix groups
• d953045 - SDAP: Remove sdap_store_group_with_gid()

Backported commits

• dc2e805 - SYSDB: Add sysdb_add_bool()
• 03e7751 - SYSDB: Dont store gid 0 for non-posix groups
• 25de302 - SDAP: Remove sdap_store_group_with_gid()

---

Original Pull Request Body

[gemini-code-assist]

Code Review

This pull request aims to prevent storing a GID of 0 for non-POSIX groups. The changes involve modifying sysdb_add_basic_group to conditionally store the gidNumber and updating its callers. While the changes for groups seem correct, I've found a couple of issues related to user handling that seem to have been introduced as part of this refactoring. One issue may lead to users being created without a posix attribute, and another relates to an inconsistent handling of gidNumber for non-POSIX users compared to non-POSIX groups.

[alexey-tikhonov]

@sumit-bose, do you want to take a look?

[alexey-tikhonov]

@justin-stephenson, this backport failed test_access_control_simple__permits_user_login_based_on_group-samba several times in a row.
All system tests were green in the original PR, but it didn't run on C9S.
Test fails on SSS_PAM_ACCT_MGMT:

[dp_pam_handler_send] (0x0100): Got request with the following data
[pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
[pam_print_data] (0x0100): domain: test
[pam_print_data] (0x0100): user: user1@test
[pam_print_data] (0x0100): service: sshd
[pam_print_data] (0x0100): tty: ssh
[pam_print_data] (0x0100): ruser: 
[pam_print_data] (0x0100): rhost: ::1
[pam_print_data] (0x0100): authtok type: 0 (No authentication token available)
[pam_print_data] (0x0100): newauthtok type: 0 (No authentication token available)
[pam_print_data] (0x0100): priv: 1
[pam_print_data] (0x0100): cli_pid: 1008481
[pam_print_data] (0x0100): child_pid: 0
[pam_print_data] (0x0100): logon name: not set
[pam_print_data] (0x0100): flags: 0
[dp_attach_req] (0x0400): [RID#12] DP Request [PAM Account #12]: REQ_TRACE: New request. [sssd.pam CID #2] Flags [0000].
[dp_attach_req] (0x0400): [RID#12] Number of active DP request: 1
[sss_domain_get_state] (0x2000): [RID#12] Domain test is Active
[sss_domain_get_state] (0x2000): [RID#12] Domain test is Active
[simple_access_obtain_filter_lists] (0x0200): [RID#12] Allow users list is empty.
[simple_access_obtain_filter_lists] (0x0200): [RID#12] Deny users list is empty.
[sss_parse_name] (0x0200): [RID#12] Domain not provided!
[sss_parse_name] (0x0200): [RID#12] Domain not provided!
[simple_access_check_send] (0x0200): [RID#12] Simple access check for user1@test
[simple_check_get_groups_send] (0x1000): [RID#12] Looking up groups for user user1@test
[sss_domain_get_state] (0x2000): [RID#12] Domain test is Active
[simple_check_get_groups_send] (0x0400): [RID#12] User user1@test is a member of 2 supplemental groups
[simple_check_process_group] (0x2000): [RID#12] Adding group S-1-5-21-1203729467-969503546-995321174-513@test
[simple_check_process_group] (0x2000): [RID#12] Adding group S-1-5-21-1203729467-969503546-995321174-1108@test
[simple_check_process_group] (0x2000): [RID#12] Adding group S-1-5-21-1203729467-969503546-995321174-513@test
[simple_check_get_groups_send] (0x0400): [RID#12] All groups had name attribute
[simple_check_groups] (0x4000): [RID#12] Checking against allow list group name [group1@test].
[sss_domain_get_state] (0x2000): [RID#12] Domain test is Active
[simple_check_groups] (0x4000): [RID#12] Checking against deny list group name [group2@test].
[sss_domain_get_state] (0x2000): [RID#12] Domain test is Active
[simple_access_check_done] (0x2000): [RID#12] Group check done
[simple_access_check_recv] (0x1000): [RID#12] Access not granted

Could you please take a look?
Perhaps something else needs backporting to sssd-2-9...

[justin-stephenson]

Could you please take a look? Perhaps something else needs backporting to sssd-2-9...

This test seems to be passing now? I tried re-running also and it was still green.

tests/test_access_control_simple.py::test_access_control_simple__permits_user_login_based_on_group (samba) PASSED [ 70%]

[alexey-tikhonov]

This test seems to be passing now?

Even without topology markers backported?

[justin-stephenson]

This test seems to be passing now?

Even without topology markers backported?

Correct, no idea what changed. Let me try to re-run a couple more times.

[sssd-bot]

The pull request was accepted by @alexey-tikhonov with the following PR CI status:

---

🟢 CodeQL (success)
🟢 rpm-build:centos-stream-9-x86_64:upstream (success)
🟢 Analyze (target) / All tests are successful (success)
🟢 Analyze (target) / cppcheck (success)
🟢 Build / make-distcheck (success)
🔴 ci / All tests are successful (failure)
🟢 ci / prepare (success)
🔴 ci / system (centos-9) (failure)
🟢 Static code analysis / All tests are successful (success)
🟢 Static code analysis / codeql (success)
🟢 Static code analysis / pre-commit (success)
🟢 Static code analysis / python-system-tests (success)

---

There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.

[alexey-tikhonov]

This test seems to be passing now?

Even without topology markers backported?

Correct, no idea what changed. Let me try to re-run a couple more times.

Looks to be fine now.