#2420 lost name of primary group
Closed: Invalid None Opened 5 years ago by shaba.

Usually, after 2-3 days of sssd working normally, I have a problem with the lost name of the primary GID. It is not resolved.

For example, I can see this on stdout when rpm creates files:

error: Bad owner/group: foo-fullfilename

$id
uid=1174218436(shabalin) gid=1174200513 groups=1174200513,4(adm),10(wheel).....

after 
# systemctl stop sssd
# rm -f /var/lib/sss/db/*
# systemctl start sssd

$id
uid=1174218436(shabalin) gid=1174200513(domain users) groups=1174200513(domain users),4(adm),10(wheel)....

sssd_nss.log:

(Thu Aug 28 17:43:48 2014) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Aug 28 17:43:48 2014) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Aug 28 17:43:48 2014) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Aug 28 17:43:48 2014) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [18] with id [1174218436].
(Thu Aug 28 17:43:48 2014) [sssd[nss]] [nss_cmd_getpwuid_search] (0x0100): Requesting info for [1174218436@avp.ru]
(Thu Aug 28 17:43:48 2014) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Thu Aug 28 17:43:48 2014) [sssd[nss]] [nss_cmd_getpwuid_search] (0x0400): Returning info for uid [1174218436@avp.ru]
(Thu Aug 28 17:43:48 2014) [sssd[nss]] [nss_cmd_getpwuid_search] (0x0080): No matching domain found for [1174218436]
(Thu Aug 28 17:43:49 2014) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Thu Aug 28 17:43:54 2014) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Aug 28 17:43:54 2014) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Aug 28 17:43:54 2014) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Aug 28 17:43:54 2014) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [34] with id [1174200513].
(Thu Aug 28 17:43:54 2014) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [1174200513@avp.ru]
(Thu Aug 28 17:43:54 2014) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0010): getgrgid call returned more than one result !?!
(Thu Aug 28 17:43:54 2014) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GID/1174200513] to negative cache
(Thu Aug 28 17:43:54 2014) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [1174200513]
(Thu Aug 28 17:43:54 2014) [sssd[nss]] [client_recv] (0x0200): Client disconnected!

I'm sorry about the trouble. We fixed a couple of related bugs recently, is it possible for you to test with a git snapshot?

We'd like to release 1.12.1 that contains these fixes soon (next week probably).

OK, I will test the git snapshot.

Hi, any news? Does the use case work for you with git snapshot?

Sorry, I think my problem was a krb ticket that was not renewed. I use GNOME 3.
3 days with sssd from the snapshot work fine.

Oh, not fine.
The krb ticket is valid:
$date
Thu Sep 4 16:24:43 MSK 2014

$ klist
Ticket cache: FILE:/tmp/krb5cc_1174218436_SUIykr
Default principal: Shabalin@DOMAIN.RU

Valid starting Expires Service principal
04.09.2014 15:37:18 05.09.2014 01:37:18 krbtgt/DOMAIN.RU@DOMAIN.RU
renew until 05.09.2014 15:37:18

$id
uid=1174218436(shabalin) gid=1174200513 groups=1174200513,4(adm),10(wheel),.....

I don't see "domain users".

Can you please attach logs, both from the NSS responder and the domain section?

(Thu Sep  4 20:48:01 2014) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [18] with id [1174218436].
(Thu Sep  4 20:48:01 2014) [sssd[nss]] [nss_cmd_getpwuid_search] (0x0100): Requesting info for [1174218436@avp.ru]
(Thu Sep  4 20:48:01 2014) [sssd[nss]] [check_cache] (0x0400): Performing midpoint cache update on [(null)]
(Thu Sep  4 20:48:01 2014) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x419d40:1:1174218436@avp.ru]
(Thu Sep  4 20:48:01 2014) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [avp.ru][4097][1][idnumber=1174218436]
(Thu Sep  4 20:48:01 2014) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x419d40:1:1174218436@avp.ru]
(Thu Sep  4 20:48:01 2014) [sssd[nss]] [check_cache] (0x0400): Updating cache out-of-band
(Thu Sep  4 20:48:01 2014) [sssd[nss]] [nss_cmd_getpwuid_search] (0x0400): Returning info for uid [1174218436@avp.ru]
(Thu Sep  4 20:48:01 2014) [sssd[nss]] [nss_cmd_getpwuid_search] (0x0080): No matching domain found for [1174218436]
(Thu Sep  4 20:48:01 2014) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [34] with id [1174200513].
(Thu Sep  4 20:48:01 2014) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [1174200513@avp.ru]
(Thu Sep  4 20:48:01 2014) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0010): getgrgid call returned more than one result !?!
(Thu Sep  4 20:48:01 2014) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GID/1174200513] to negative cache
(Thu Sep  4 20:48:01 2014) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [1174200513]
(Thu Sep  4 20:48:01 2014) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [34] with id [1174200513].
(Thu Sep  4 20:49:48 2014) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [34] with id [1174200513].
(Thu Sep  4 20:49:48 2014) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [1174200513@avp.ru]
(Thu Sep  4 20:49:48 2014) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0010): getgrgid call returned more than one result !?!
(Thu Sep  4 20:49:48 2014) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GID/1174200513] to negative cache
(Thu Sep  4 20:49:48 2014) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [1174200513]
(Thu Sep  4 20:49:48 2014) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Thu Sep  4 20:50:27 2014) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Sep  4 20:50:27 2014) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Sep  4 20:50:27 2014) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Sep  4 20:50:27 2014) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [18] with id [1174218436].
(Thu Sep  4 20:50:27 2014) [sssd[nss]] [nss_cmd_getpwuid_search] (0x0100): Requesting info for [1174218436@avp.ru]
(Thu Sep  4 20:50:27 2014) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Thu Sep  4 20:50:27 2014) [sssd[nss]] [nss_cmd_getpwuid_search] (0x0400): Returning info for uid [1174218436@avp.ru]
(Thu Sep  4 20:50:27 2014) [sssd[nss]] [nss_cmd_getpwuid_search] (0x0080): No matching domain found for [1174218436]
(Thu Sep  4 20:50:27 2014) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Sep  4 20:50:27 2014) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Sep  4 20:50:27 2014) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Sep  4 20:50:38 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [38] with input [shabalin].
(Thu Sep  4 20:50:38 2014) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'shabalin' matched without domain, user is shabalin
(Thu Sep  4 20:50:38 2014) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [avp.ru]
(Thu Sep  4 20:50:38 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [shabalin] from [avp.ru]
(Thu Sep  4 20:50:38 2014) [sssd[nss]] [nss_cmd_initgroups_search] (0x0100): Requesting info for [shabalin@avp.ru]
(Thu Sep  4 20:50:38 2014) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Thu Sep  4 20:50:38 2014) [sssd[nss]] [nss_cmd_initgroups_search] (0x0400): Initgroups for [shabalin@avp.ru] completed
(Thu Sep  4 20:50:38 2014) [sssd[nss]] [client_recv] (0x0200): Client disconnected!

(Thu Sep  4 20:50:50 2014) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Sep  4 20:50:50 2014) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Sep  4 20:50:50 2014) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Sep  4 20:50:50 2014) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [34] with id [1174200513].
(Thu Sep  4 20:50:50 2014) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [1174200513@avp.ru]
(Thu Sep  4 20:50:50 2014) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0010): getgrgid call returned more than one result !?!
(Thu Sep  4 20:50:50 2014) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GID/1174200513] to negative cache
(Thu Sep  4 20:50:50 2014) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [1174200513]
(Thu Sep  4 20:50:50 2014) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [34] with id [1174200513].
(Thu Sep  4 20:50:50 2014) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Gid [1174200513] does not exist! (negative cache)

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.12.2

We need to do a release as requested by downstream. Moving tickets that are not fixed already or very close to acking to 1.12.3

milestone: SSSD 1.12.2 => SSSD 1.12.3

I could reproduce a similar bug with id_provider=ldap, but we need to clean up the 1.12.3 milestone first.

mark: => 0
milestone: SSSD 1.12.3 => SSSD 1.12.4

Moving tickets that didn't make the 1.12.4 release to 1.12.5

milestone: SSSD 1.12.4 => SSSD 1.12.5

A build from branch upstream/sssd-1-12 bdb7e7f
has worked fine for about one week.

Awesome, thanks for the patience. Closing.

resolution: => worksforme
status: new => closed

After one week, I have some error now.
For example:

$ LANG=C gear-rpm -bs --nodeps 
error: Bad owner/group: /tmp/.private/shabalin/gear.IlfUT7yP/out/gnulib-libvirt-1.2.15.tar

$ LANG=C id
uid=1174218436(shabalin) gid=1174200513 groups=1174200513,4(adm)........

gid= doesn't resolve the group name; it must be:

$ LANG=C id
uid=1174218436(shabalin) gid=1174200513(domain users) groups=1174200513(domain users),4(adm).....

in /var/log/sssd/sssd_nss.log:

(Tue May  5 13:57:14 2015) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0010): getgrgid call returned more than one result !?!
(Tue May  5 13:58:31 2015) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0010): getgrgid call returned more than one result !?!
(Tue May  5 13:58:31 2015) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0010): getgrgid call returned more than one result !?!
(Tue May  5 14:52:35 2015) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0010): getgrgid call returned more than one result !?!

resolution: worksforme =>
status: closed => reopened

I think the log file is clear.
You have more users in the cache with the same gid.

Could you try to use the ldbsearch utility and identify the problematic groups?

cc: => lslebodn@redhat.com

ldbsearch shows me 2 records with the same gid:

record 97

dn: name=Shabalin,cn=users,cn=example.com,cn=sysdb
createTimestamp: 1430827442
fullName: Alexey Shabalin
gecos: Alexey Shabalin
gidNumber: 1174200513
name: Shabalin
objectClass: user
uidNumber: 1174218436
objectSIDString: S-1-5-21-1430328663-2098613005-1233803906-18436
uniqueID: 1c9705c1-9480-422d-8463-c302a1c498f4
originalDN: CN=Alexey Shabalin,OU=Users,OU=Russia,DC=example,DC=com
userPrincipalName: Shabalin@EXAMPLE.COM
adUserAccountControl: 512
nameAlias: shabalin
ccacheFile: KEYRING:persistent:1174218436
originalMemberOf: many-many groups
.........
memberof: name= many-many groups
.........
distinguishedName: name=Shabalin,cn=users,cn=example.com,cn=sysdb

record 521

dn: name=S-1-5-21-1430328663-2098613005-1233803906-513,cn=groups,cn=example.com,cn=sysdb
createTimestamp: 1430834959
gidNumber: 1174200513
name: S-1-5-21-1430328663-2098613005-1233803906-513
objectClass: group
lastUpdate: 1430834959
dataExpireTimestamp: 1430834958
isPosix: FALSE
objectSIDString: S-1-5-21-1430328663-2098613005-1233803906-513
member: name=Shabalin,cn=users,cn=example.com,cn=sysdb
memberuid: Shabalin
distinguishedName: name=S-1-5-21-1430328663-2098613005-1233803906-513,cn=group
 s,cn=example.com,cn=sysdb

Replying to [comment:17 shaba]:

ldbsearch shows me 2 records with the same gid:

record 97

{{{
dn: name=Shabalin,cn=users,cn=example.com,cn=sysdb
gidNumber: 1174200513
objectClass: user
uidNumber: 1174218436
.........
}}}

record 521

{{{
dn: name=S-1-5-21-1430328663-2098613005-1233803906-513,cn=groups,cn=example.com,cn=sysdb
gidNumber: 1174200513
objectClass: group
...
}}}

One record was a user and the other a group.
It would be good to see a dump of the cache immediately after the problem.

Do you have a simple reproducer? Some permutation of "id user$i" ...

ldb-good.txt:

# record 95
dn: name=Shabalin,cn=users,cn=avp.ru,cn=sysdb
createTimestamp: 1433158531
fullName: Alexey Shabalin
gecos: Alexey Shabalin
gidNumber: 1174200513
name: Shabalin
objectClass: user
uidNumber: 1174218436
objectSIDString: S-1-5-21-1430328663-2098613005-1233803906-18436
uniqueID: 1c9705c1-9480-422d-8463-c302a1c498f4
originalDN: CN=Alexey Shabalin,OU=Users,OU=Russia,DC=avp,DC=ru
originalMemberOf: CN=ripencc,OU=Groups,OU=Russia,DC=avp,DC=ru
-----skip----
a lot of originalMemberOf: groups
-----skip----
originalModifyTimestamp: 20150526011627.0Z
entryUSN: 3322965074
userPrincipalName: Shabalin@AVP.RU
adUserAccountControl: 512
nameAlias: shabalin
initgrExpireTimestamp: 1433163932
lastUpdate: 1433158532
dataExpireTimestamp: 1433163932
memberof: name=Domain Users,cn=groups,cn=avp.ru,cn=sysdb
-----skip----
a lot of memberof: groups
-----skip----
distinguishedName: name=Shabalin,cn=users,cn=avp.ru,cn=sysdb

ldb-error.txt:

 record 94
dn: name=Shabalin,cn=users,cn=avp.ru,cn=sysdb
createTimestamp: 1432920917
fullName: Alexey Shabalin
gecos: Alexey Shabalin
gidNumber: 1174200513
name: Shabalin
objectClass: user
uidNumber: 1174218436
objectSIDString: S-1-5-21-1430328663-2098613005-1233803906-18436
uniqueID: 1c9705c1-9480-422d-8463-c302a1c498f4
originalDN: CN=Alexey Shabalin,OU=Users,OU=Russia,DC=avp,DC=ru
userPrincipalName: Shabalin@AVP.RU
adUserAccountControl: 512
nameAlias: shabalin
ccacheFile: KEYRING:persistent:1174218436
failedLoginAttempts: 0
originalMemberOf: CN=ripencc,OU=Groups,OU=Russia,DC=avp,DC=ru
-----skip----
a lot of originalMemberOf: groups
-----skip----
originalModifyTimestamp: 20150526011627.0Z
entryUSN: 3322965074
initgrExpireTimestamp: 1433162961
lastUpdate: 1433157561
dataExpireTimestamp: 1433162961
cachedPassword: $6$mlsp1oUTE6UM6jSq$oBsk5VX0OSH0ECWXh/7cFmLSDVULvuyXapJNeOfDGR
 V8RFWfKlotOGwqXZGfwzSDWmsIDVdm4M0zW6OnnoEy.
lastCachedPasswordChange: 1433157562
lastOnlineAuth: 1433157562
lastLogin: 1433157562
memberof: name=S-1-5-21-1430328663-2098613005-1233803906-18649,cn=groups,cn=av
 p.ru,cn=sysdb
memberof: name=S-1-5-21-1430328663-2098613005-1233803906-513,cn=groups,cn=avp.
 ru,cn=sysdb
memberof: name=Domain Users,cn=groups,cn=avp.ru,cn=sysdb
-----skip----
a lot of memberof: groups
-----skip----
distinguishedName: name=Shabalin,cn=users,cn=avp.ru,cn=sysdb

If you have the same problem as in comment 15,
then it is not enough to share just the dump of the user from the sssd cache, because there seem to be two groups with the same group ID (GID).

Feel free to send me all log files and full dump of sssd cache.
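
An added example (not from the ticket or from SSSD's code) of the check discussed above: it parses a full `ldbsearch` dump of the sysdb cache, unfolds wrapped LDIF lines, and reports every gidNumber held by more than one group entry. The sample records are constructed in the shape of the dumps quoted in this ticket, and the function names are hypothetical.

```python
import re
import sys
from collections import defaultdict

# Constructed sample shaped like the ldbsearch output quoted in this ticket
# (attributes trimmed; the "Domain Users" record's gidNumber is assumed).
SAMPLE_LDIF = """\
# record 1
dn: name=Shabalin,cn=users,cn=example.com,cn=sysdb
objectClass: user
uidNumber: 1174218436
gidNumber: 1174200513

# record 2
dn: name=S-1-5-21-1430328663-2098613005-1233803906-513,cn=groups,cn=example.co
 m,cn=sysdb
objectClass: group
gidNumber: 1174200513

# record 3
dn: name=Domain Users,cn=groups,cn=example.com,cn=sysdb
objectClass: group
gidNumber: 1174200513
"""

def parse_ldif(text):
    """Yield one dict (lower-cased attribute -> list of values) per record."""
    text = re.sub(r"\r?\n ", "", text)  # unfold lines wrapped by ldbsearch
    for block in re.split(r"\n\s*\n", text):
        entry = defaultdict(list)
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # comments, "-----skip----" markers, blank lines
            attr, value = line.split(": ", 1)
            # "attr:: value" marks base64; the value is kept undecoded here
            entry[attr.rstrip(":").lower()].append(value)
        if "dn" in entry:
            yield entry

def gid_collisions(text):
    """Return {gidNumber: [dn, ...]} for GIDs held by more than one group."""
    # A user entry carrying its primary gidNumber is expected, so only
    # objectClass=group entries are compared with each other.
    by_gid = defaultdict(list)
    for entry in parse_ldif(text):
        if "group" not in entry.get("objectclass", []):
            continue
        for gid in entry.get("gidnumber", []):
            by_gid[gid].append(entry["dn"][0])
    return {gid: sorted(dns) for gid, dns in by_gid.items() if len(dns) > 1}

if __name__ == "__main__":
    data = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    for gid, dns in gid_collisions(data).items():
        print(f"gidNumber {gid}: {len(dns)} group entries ->", "; ".join(dns))
```

To run it on a real cache, pipe the output of `ldbsearch -H` for the domain's cache file under /var/lib/sss/db/ into the script, ideally right after the "getgrgid call returned more than one result" message appears.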

Fields changed

rhbz: => todo

The requested data (log files and dump of cache) was not provided for more than 8 months.

I will close this ticket as insufficient data.
Feel free to reopen or create a new ticket if it does not work with the latest sssd (sssd-1.13.3 ATM).

resolution: => worksforme
sensitive: => 0
status: reopened => closed

Fields changed

rhbz: todo => 0

Metadata Update from @shaba:
- Issue set to the milestone: SSSD 1.12.5

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3462

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
