Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1227804
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Created attachment 1034339
sssd.conf used for the reproducer

Description of problem:
When group info is retrieved from an LDAP source using a rfc2307bis schema, its members are added as ghosts. These ghost entries are turned into members when full user info is retrieved. However, if the user info is purged from the cache, it's also removed as a member from the group and not turned back into a ghost entry.

Version-Release number of selected component (if applicable):
sssd-1.12.4-31.el6.x86_64 (RHEL6.7 beta)

How reproducible:
Always.

Steps to Reproduce:
1. Setup IPA server
- Add users and a group
~~~
# ipa user-add user1001 --first=User --last=1001
# ipa user-add user1001 --first=User --last=1001
# ipa group-add group100
# ipa group-add-member group100 --users=user1001,user1002
~~~
2. Set up a standalone client (non-IPA, RHEL6.6) with sssd-1.11
- manually configure sssd with LDAP providers pointing to IPA and rfc2307bis schema
- configure in the domain section in sssd.conf
~~~
entry_cache_timeout = 60
entry_cache_group_timeout = 5000
ldap_purge_cache_timeout = 60
~~~
- enable sss as a provider in /etc/nsswitch.conf
- Clean db and restart SSSD
~~~
# service sssd stop; rm -f /var/lib/sss/db/* ; service sssd start
~~~
3. Get group and user info
- Make sure to bypass MEMCACHE
~~~
# export SSS_NSS_USE_MEMCACHE=no
~~~
- Get basic group info of group100 and check the cache
~~~
# getent group group100
group100:*:905000103:user1001,user1002
# ldbsearch -H /var/lib/sss/db/cache_ldap.ldb name=group100 ghost originalDN orig_member member memberuid
dn: name=group100,cn=groups,cn=ldap,cn=sysdb
originalDN: cn=group100,cn=groups,cn=accounts,dc=local,dc=redhat,dc=com
orig_member: uid=user1001,cn=users,cn=accounts,dc=local,dc=redhat,dc=com
orig_member: uid=user1002,cn=users,cn=accounts,dc=local,dc=redhat,dc=com
ghost: user1001
ghost: user1002
~~~
- Get user info for user1001 and watch the ghost entry change to member on the group
~~~
# id -a user1001
uid=905000003(user1001) gid=905000003(user1001) groups=905000003(user1001),905000103(group100)
# ldbsearch -H /var/lib/sss/db/cache_ldap.ldb name=group100 ghost originalDN orig_member member memberuid
dn: name=group100,cn=groups,cn=ldap,cn=sysdb
originalDN: cn=group100,cn=groups,cn=accounts,dc=local,dc=redhat,dc=com
orig_member: uid=user1001,cn=users,cn=accounts,dc=local,dc=redhat,dc=com
orig_member: uid=user1002,cn=users,cn=accounts,dc=local,dc=redhat,dc=com
ghost: user1002 <<<<<<<
member: name=user1001,cn=users,cn=ldap,cn=sysdb <<<<<<<
memberuid: user1001 <<<<<<<
~~~
- Wait for the user1001 entry to expire and be purged from the cache
~~~
# sleep 120
~~~

Actual results:
- Check group info and notice the member entry is gone and no ghost entry exists for user1001
~~~
# ldbsearch -H /var/lib/sss/db/cache_ldap.ldb name=group100 ghost originalDN orig_member member memberuid
dn: name=group100,cn=groups,cn=ldap,cn=sysdb
originalDN: cn=group100,cn=groups,cn=accounts,dc=local,dc=redhat,dc=com
orig_member: uid=user1001,cn=users,cn=accounts,dc=local,dc=redhat,dc=com
orig_member: uid=user1002,cn=users,cn=accounts,dc=local,dc=redhat,dc=com
ghost: user1002
# getent group group100
group100:*:905000103:user1002
~~~

Expected results:
user1001 is added back as a ghost entry so that 'getent group group100' returns the correct group membership.

Additional info:
I tested this initially on 6.6 and moved to 6.7 beta to be sure. This issue also appears on 7.1 (also sssd-1.12). Attached the sssd.conf used in this test.
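As an added illustration, not code from the report or from SSSD itself: a small Python checker that parses an ldbsearch group record of the kind shown above and reports every orig_member that is represented neither as a ghost nor as a resolved member, which is exactly the state in which 'getent group' under-reports membership. The sample record is constructed to match the "Actual results" output; the function names are assumptions.

```python
# Constructed sample: the sysdb record for group100 after user1001's cached
# user entry was purged (mirrors the report's "Actual results"; not real data).
SAMPLE_LDIF = """\
dn: name=group100,cn=groups,cn=ldap,cn=sysdb
originalDN: cn=group100,cn=groups,cn=accounts,dc=local,dc=redhat,dc=com
orig_member: uid=user1001,cn=users,cn=accounts,dc=local,dc=redhat,dc=com
orig_member: uid=user1002,cn=users,cn=accounts,dc=local,dc=redhat,dc=com
ghost: user1002
"""


def parse_ldb_entry(text):
    """Parse one LDIF-style entry as printed by ldbsearch into attr -> [values].
    Handles '# ...' comment lines and LDIF line folding (leading space);
    base64 ('attr:: ...') values are kept undecoded."""
    attrs = {}
    last_key = None
    for line in text.splitlines():
        if line.startswith(" ") and last_key:  # folded continuation line
            attrs[last_key][-1] += line[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        last_key = key.strip()
        attrs.setdefault(last_key, []).append(value.strip())
    return attrs


def rdn_value(dn):
    """Value of the first RDN, e.g. 'user1001' from 'uid=user1001,cn=users,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def missing_members(entry):
    """Names in orig_member that are neither a ghost nor a member of the cached
    group; a non-empty list is the inconsistency described in the report."""
    expected = {rdn_value(dn) for dn in entry.get("orig_member", [])}
    ghosts = set(entry.get("ghost", []))
    members = {rdn_value(dn) for dn in entry.get("member", [])}
    return sorted(expected - ghosts - members)


def getent_group_members(line):
    """Member names from a 'getent group' line (name:passwd:gid:m1,m2)."""
    members = line.strip().split(":", 3)[3]
    return members.split(",") if members else []


if __name__ == "__main__":
    entry = parse_ldb_entry(SAMPLE_LDIF)
    print("orig_member not ghost or member:", missing_members(entry))
```

Run it against live output with `ldbsearch -H /var/lib/sss/db/cache_ldap.ldb name=group100 ghost orig_member member | python3 -c 'import sys,check; print(check.missing_members(check.parse_ldb_entry(sys.stdin.read())))'` (assuming the block is saved as check.py).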
Fields changed
blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
milestone: NEEDS_TRIAGE => SSSD 1.13
review: True => 0
selected: =>
testsupdated: => 0
This ticket has a downstream BZ link, bumping priority
priority: major => critical
owner: somebody => mzidek
patch: 0 => 1
Patch was submitted, should be included in 1.13.1
milestone: SSSD 1.13.2 => SSSD 1.13.1
master:
- 60713f7
- 95b2c51
- 4d8f0f9
- b0d6d14
- 3b1aa47
resolution: => fixed
status: new => closed
sssd-1-12:
Metadata Update from @jhrozek:
- Issue assigned to mzidek
- Issue set to the milestone: SSSD 1.13.1
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3717
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.