ipa s2n: do not try to update user-private-group

[sumit-bose]

When an IPA client requests the details about a trusted user from the
IPA server including its memberships the server will return the name of
all groups including the user-private-group. Since this group is not a
cached object on its own it is not needed to try to update it as a group
but it will be updated when the user object is updated.

This has to be taken into account especially after a client is assigned
to a new id-view because now the SYSDB_OVERRIDE_DN attribute is required
and all cached objects which are missing it must be updated. If the
user-private-group was found for update it should be skipped because the
calls to update group objects in the cache cannot handle
user-private-groups. This is expected behavior as user-private-groups
are not objects on their own.

[alexey-tikhonov]

Is this related to https://issues.redhat.com/browse/RHEL-94545 ?

[alexey-tikhonov]

@sumit-bose, is there a related ticket?
I guess this needs a backport to sssd-2-9 as well?

[sumit-bose]

@sumit-bose, is there a related ticket? I guess this needs a backport to sssd-2-9 as well?

Yes, this issue is present in sssd-2-9.

[aplopez]

Failing tests seem to be failing on every PR.

[aplopez]

LGTM

[alexey-tikhonov]

/gemini review

[gemini-code-assist]

Code Review

This pull request addresses an issue where SSSD would fail to resolve a trusted user after a view change if the user has a user-private-group. The root cause is that SSSD was incorrectly trying to update the user-private-group as a regular group object, which is not supported. The fix is to check the object's category and only attempt to update real group objects, skipping user-private-groups. The change is implemented correctly in ipa_s2n_exop.c by fetching and checking the SYSDB_OBJECTCATEGORY attribute before adding a group to the list of objects to be updated. A new system test is also added in test_ipa_trusts.py which accurately reproduces the scenario and validates the fix. The changes look good and address the issue effectively.

[alexey-tikhonov]

Note: Covscan is green.

[sssd-bot]

The pull request was accepted by @alexey-tikhonov with the following PR CI status:

---

🟢 CodeFactor (success)
🟢 CodeQL (success)
🟢 osh-diff-scan:fedora-rawhide-x86_64:upstream (success)
🟢 rpm-build:centos-stream-10-x86_64:upstream (success)
🟢 rpm-build:fedora-42-x86_64:upstream (success)
🟢 rpm-build:fedora-43-x86_64:upstream (success)
🟢 rpm-build:fedora-rawhide-x86_64:upstream (success)
🟢 Analyze (target) / cppcheck (success)
🟢 Build / freebsd (success)
🟢 Build / make-distcheck (success)
🟢 ci / intgcheck (centos-10) (success)
🟢 ci / intgcheck (fedora-42) (success)
🟢 ci / intgcheck (fedora-43) (success)
🟢 ci / intgcheck (fedora-44) (success)
🟢 ci / prepare (success)
🟢 ci / system (centos-10) (success)
🟢 ci / system (fedora-42) (success)
🟢 ci / system (fedora-43) (success)
🔴 ci / system (fedora-44) (failure)
➖ Coverity scan / coverity (skipped)
🟢 Static code analysis / codeql (success)
🟢 Static code analysis / pre-commit (success)
🟢 Static code analysis / python-system-tests (success)

---

There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.