#2899 [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.
Closed: Fixed None Opened 3 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1290853

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:


In an IPA to AD trust environment, the AD trusted users stay in the SSSD cache for
much longer than expected. Actually, they stay in the cache for a fixed amount of
10 hours, while the IPA users stay for 5400 seconds (by default). The cache
expiration options do not affect the trusted users either.

In fact, we can see:

In src/providers/ipa/ipa_s2n_exop.c:
---
static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
                                    struct req_input *req_input,
                                    struct resp_attrs *attrs,
                                    struct resp_attrs *simple_attrs,
                                    const char *view_name,
                                    struct sysdb_attrs *override_attrs,
                                    bool update_initgr_timeout)
{
    int ret;
    time_t now;
    uint64_t timeout = 10*60*60; /* FIXME: find a better timeout ! */
---

That I believe is causing this issue.

I think we have a long-term and a short-term solution. For the short term we can extend the subdomain_inherit option. But what would be better, and a long-term solution, would be to code up the INI parser so that we can also define configuration for the subdomain.

cc: => mzidek
design_review: => 0
mark: no => 0
review: True => 0
testsupdated: => 0

Replying to [comment:1 jhrozek]:

long-term solution would be to code up the INI parser so that we can also define configuration for the subdomain.

What does this mean?

Replying to [comment:2 dpal]:

Replying to [comment:1 jhrozek]:

long-term solution would be to code up the INI parser so that we can also define configuration for the subdomain.

What does this mean?

So I'm not sure if INI already has all the smarts but we're not using them, or if INI is still missing some features. But what I was aiming for was:

[domain/ipa.example.com]
id_provider=ipa

[domain/ipa.example.com/ad.example.com]
entry_cache_timeout = 123

(Or even better, with a drop-in file)

Fields changed

priority: major => minor

Michal, is this something you planned on doing in scope of your 1.14 changes?

Fields changed

owner: somebody => sbose
status: new => assigned

The time options are handled a bit differently than other options and are stored in the domain object, not together with the other backend-specific options. Luckily the domain object of the configured domain, which has the timeout values as configured in sssd.conf, is copied and only the sub-domain specific attributes like name and SID are replaced; all other values, including the timeouts, are kept. So they are inherited automatically, which is what we want here.

Only if there is a request to allow different timeouts for the different domains do we have to think about extending the configuration scheme. Currently I think we are fine.
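The inheritance sbose describes, as an added illustration that is not SSSD's own code: a constructed model in which a sub-domain object is a copy of the parent with only name and SID replaced, so the parent's entry_cache_timeout carries over, alongside the fixed 10-hour expiry from the report. All struct fields, function names and SID values here are assumptions.

```c
/* Constructed model of SSSD's domain-object timeout inheritance; not the
 * project's own code. Field names, function names and SIDs are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define DEFAULT_ENTRY_CACHE_TIMEOUT 5400      /* sssd.conf default, seconds */
#define FIXED_TRUSTED_TIMEOUT (10 * 60 * 60)  /* hardcoded value from the report */

struct sss_domain_info {
    char name[64];
    char sid[64];
    uint64_t entry_cache_timeout;  /* configured in sssd.conf for the parent */
};

/* Build a trusted sub-domain by copying the parent object and replacing only
 * the identity attributes; every other field, timeouts included, is inherited. */
static void make_subdomain(struct sss_domain_info *sub,
                           const struct sss_domain_info *parent,
                           const char *name, const char *sid)
{
    *sub = *parent;  /* struct copy carries the parent's timeouts */
    snprintf(sub->name, sizeof(sub->name), "%s", name);
    snprintf(sub->sid, sizeof(sub->sid), "%s", sid);
}

/* Behaviour described in the report: trusted entries expire after a fixed
 * 10 hours, regardless of what sssd.conf configures. */
static time_t expiry_fixed(time_t now)
{
    return now + FIXED_TRUSTED_TIMEOUT;
}

/* Behaviour the comment above relies on: take the timeout from the
 * (inherited) domain object, so entry_cache_timeout governs trusted users too. */
static time_t expiry_from_domain(const struct sss_domain_info *dom, time_t now)
{
    return now + (time_t)dom->entry_cache_timeout;
}

/* Worked case: IPA parent with a configured timeout, AD sub-domain derived
 * from it (constructed names and SIDs). Returns the sub-domain's expiry. */
static time_t trusted_expiry(uint64_t parent_timeout, time_t now)
{
    struct sss_domain_info ipa = { "ipa.example.com", "S-1-5-21-1-2-3", parent_timeout };
    struct sss_domain_info ad;
    make_subdomain(&ad, &ipa, "ad.example.com", "S-1-5-21-4-5-6");
    return expiry_from_domain(&ad, now);
}
```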

Fields changed

patch: 0 => 1

We can decide about other releases during our weekly triage.

also pushed to sssd-1-13:

milestone: NEEDS_TRIAGE => SSSD 1.13.4
resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.13.4

2 years ago
