SSSD / sssd

Clone

#2676 Group members are not turned into ghost entries when the user is purged from the SSSD cache
Closed: Fixed None Opened 8 years ago by jhrozek.

Closed: Fixed
Reopen Issue

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1227804

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Created attachment 1034339
sssd.conf used for the reproducer

Description of problem:
When group info is retrieved from an LDAP source using a rfc2307bis
schema, its members are added as ghosts.
These ghosts entries are turned into members when full user info is
retrieved. However if the user info is purged from the cache, its also
removed as a member from the group and not turned back into a ghost
entry.

Version-Release number of selected component (if applicable):
sssd-1.12.4-31.el6.x86_64 (RHEL6.7 beta)


How reproducible:
Always.


Steps to Reproduce:
1. Setup IPA server
- Add users and a group
  # ipa user-add user1001 --first=User --last=1001
  # ipa user-add user1001 --first=User --last=1001
  # ipa group-add group100
  # ipa group-add-member group100 --users=user1001,user1002

2. Set up a standalone client (non-IPA, RHEL6.6) with sssd-1.11
- manual configure sssd with LDAP providers pointing to IPA and rfc2307bis
  schema
- configure in the domain section in sssd.conf
  ~~~
  entry_cache_timeout = 60
  entry_cache_group_timeout = 5000
  ldap_purge_cache_timeout = 60
  ~~~
- enable sss as a provider in /etc/nssswitch.conf
- Clean db and restart SSSD
  # service sssd stop; rm -f /var/lib/sss/db/* ; service sssd start

3. Get group and user info
- Make sure to bypass MEMCACHE
  # export SSS_NSS_USE_MEMCACHE=no
- Get basic group info of group100 and check the cache
  # getent group group100
  group100:*:905000103:user1001,user1002

  # ldbsearch -H /var/lib/sss/db/cache_ldap.ldb name=group100 ghost originalDN
orig_member member memberuid
  dn: name=group100,cn=groups,cn=ldap,cn=sysdb
  originalDN: cn=group100,cn=groups,cn=accounts,dc=local,dc=redhat,dc=com
  orig_member: uid=user1001,cn=users,cn=accounts,dc=local,dc=redhat,dc=com
  orig_member: uid=user1002,cn=users,cn=accounts,dc=local,dc=redhat,dc=com
  ghost: user1001
  ghost: user1002

- Get user info for user1001 and watch the ghost entry change to member on the
group
  # id -a user1001
  uid=905000003(user1001) gid=905000003(user1001)
groups=905000003(user1001),905000103(group100)

  # ldbsearch -H /var/lib/sss/db/cache_ldap.ldb name=group100 ghost originalDN
orig_member member memberuid
  dn: name=group100,cn=groups,cn=ldap,cn=sysdb
  originalDN: cn=group100,cn=groups,cn=accounts,dc=local,dc=redhat,dc=com
  orig_member: uid=user1001,cn=users,cn=accounts,dc=local,dc=redhat,dc=com
  orig_member: uid=user1002,cn=users,cn=accounts,dc=local,dc=redhat,dc=com
  ghost: user1002                                      <<<<<<<
  member: name=user1001,cn=users,cn=ldap,cn=sysdb      <<<<<<<
  memberuid: user1001                                  <<<<<<<

- Wait for user1001 entry to expire and purged from cache
  # sleep 120


Actual results:
- Check group info and notice the member entry is gone and no ghost
  entry exists for user1001
  # ldbsearch -H /var/lib/sss/db/cache_ldap.ldb name=group100 ghost originalDN
orig_member member memberuid
  dn: name=group100,cn=groups,cn=ldap,cn=sysdb
  originalDN: cn=group100,cn=groups,cn=accounts,dc=local,dc=redhat,dc=com
  orig_member: uid=user1001,cn=users,cn=accounts,dc=local,dc=redhat,dc=com
  orig_member: uid=user1002,cn=users,cn=accounts,dc=local,dc=redhat,dc=com
  ghost: user1002

  # getent group group100
  group100:*:905000103:user1002


Expected results:
The user1001 added back as a ghost entry so a 'getent group group100'
return correct group membership.


Additional info:
I Tested this initially on 6.6 and moved to 6.7 beta to be sure. This
issue also appears on 7.1 (also sssd-1.12).
Attached the sssd.conf used in this test.

Fields changed

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
milestone: NEEDS_TRIAGE => SSSD 1.13
review: True => 0
selected: =>
testsupdated: => 0

This ticket has a downstream BZ link, bumping priority

priority: major => critical

Fields changed

owner: somebody => mzidek

Fields changed

patch: 0 => 1

Patch was submitted, should be included in 1.13.1

milestone: SSSD 1.13.2 => SSSD 1.13.1

master:
- 60713f7
- 95b2c51
- 4d8f0f9
- b0d6d14
- 3b1aa47

resolution: => fixed
status: new => closed

sssd-1-12:

Metadata Update from @jhrozek:
- Issue assigned to mzidek
- Issue set to the milestone: SSSD 1.13.1
7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3717

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata
None
None
None
critical
defect
SSSD
None
None
0
1
https://bugzilla.redhat.com/show_bug.cgi?id=1227804
0
0
None
None
None
0
None
None
0
None
None
None
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.