#3164 when group is invalidated using sss_cache dataExpireTimestamp entry in the domain and timestamps cache are inconsistent
Closed: Fixed 3 years ago Opened 4 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1371538

Description of problem:

When groups/users are invalidated using sss_cache, the group/user information
in the domain cache (cache_LDAP.ldb) and the timestamps cache are inconsistent with
regard to the dataExpireTimestamp attribute.

Version-Release number of selected component (if applicable):

sssd-client-1.14.0-30.el7.x86_64
sssd-dbus-1.14.0-30.el7.x86_64
python-sssdconfig-1.14.0-30.el7.noarch
sssd-ipa-1.14.0-30.el7.x86_64
sssd-tools-1.14.0-30.el7.x86_64
sssd-krb5-common-1.14.0-30.el7.x86_64
sssd-krb5-1.14.0-30.el7.x86_64
python-sss-1.14.0-30.el7.x86_64
libsss_autofs-1.14.0-30.el7.x86_64
libsss_nss_idmap-1.14.0-30.el7.x86_64
sssd-common-pac-1.14.0-30.el7.x86_64
sssd-ldap-1.14.0-30.el7.x86_64
sssd-proxy-1.14.0-30.el7.x86_64
sssd-debuginfo-1.14.0-30.el7.x86_64
libsss_idmap-1.14.0-30.el7.x86_64
sssd-ad-1.14.0-30.el7.x86_64
sssd-1.14.0-30.el7.x86_64
sssd-testlib-0.1-1.el7.noarch
sssd-common-1.14.0-30.el7.x86_64
libsss_simpleifp-1.14.0-30.el7.x86_64



Steps to Reproduce:
1. Configure an LDAP server with users and groups, for example users idm1 to idm8, and
create groups idm_group1 to idm_group2 (having POSIX attributes)
2. Make user idm1 a member of idm_group1
3. Configure a RHEL7.3 client to authenticate to LDAP server
[root@client1 db]# cat /etc/sssd/sssd.conf
[domain/LDAP]
cache_credentials = TRUE
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
chpass_provider = ldap
ldap_uri = ldaps://client2.example.test
ldap_tls_cacertdir = /etc/openldap/cacerts
debug_level = 0x0080

[sssd]
services = nss,pam
sbus_timeout = 30
config_file_version = 2
domains = LDAP
debug_level = 9

[nss]
filter_users = root,dbus,rpcuser,rpc,haldaemon,nobody,postfix,smmsp,nscd,ntp,apache
debug_level = 7



4. Restart cache.

5. Query idm1 user and save it in cache
# getent passwd -s sss idm1
idm1:*:17583100:10001:IDM1 User:/home/idm1:/bin/bash
[root@client1 db]# getent passwd -s sss idm2
idm2:*:17583101:10002:IDM2 User:/home/idm2:/bin/bash
[root@client1 db]# getent group -s sss idm_group1
idm_group1:*:10001:idm1

6. Enumerate groups in the domain cache using ldbtools

[root@client1 db]# ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb -b cn=groups,cn=LDAP,cn=sysdb
asq: Unable to register control with rootdse!
# record 1
dn: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb
createTimestamp: 1472559388
gidNumber: 10001
name: idm_group1@ldap
objectClass: group
isPosix: TRUE
originalDN: cn=idm_group1,ou=Groups,dc=example,dc=test
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
member: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
nameAlias: idm_group1@ldap
lastUpdate: 1472559388
dataExpireTimestamp: 1472564788
memberuid: idm1@ldap
distinguishedName: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb

7. Enumerate users in the domain cache using ldbtools

[root@client1 db]# ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb -b cn=users,cn=LDAP,cn=sysdb
asq: Unable to register control with rootdse!
# record 1
dn: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
createTimestamp: 1472559388
fullName: IDM1 User
gecos: IDM1 User
gidNumber: 10001
homeDirectory: /home/idm1
loginShell: /bin/bash
name: idm1@ldap
objectClass: user
uidNumber: 17583100
originalDN: uid=idm1,ou=People,dc=example,dc=test
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
mail: idm1@example2.com
nameAlias: idm1@ldap
lastUpdate: 1472559388
dataExpireTimestamp: 1472564788
memberof: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb
initgrExpireTimestamp: 1472564788
distinguishedName: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb

# record 2
dn: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb
createTimestamp: 1472559398
fullName: IDM2 User
gecos: IDM2 User
gidNumber: 10002
homeDirectory: /home/idm2
loginShell: /bin/bash
name: idm2@ldap
objectClass: user
uidNumber: 17583101
originalDN: uid=idm2,ou=People,dc=example,dc=test
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
mail: idm2@example2.com
nameAlias: idm2@ldap
lastUpdate: 1472559398
dataExpireTimestamp: 1472564798
distinguishedName: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb

# record 3
dn: cn=users,cn=LDAP,cn=sysdb
cn: Users
distinguishedName: cn=users,cn=LDAP,cn=sysdb


8. Invalidate all users and group idm_group1

[root@client1 db]# sss_cache -U -g idm_group1

9. Check the domain cache.

ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb -b cn=users,cn=LDAP,cn=sysdb
asq: Unable to register control with rootdse!
# record 1
dn: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
createTimestamp: 1472559388
fullName: IDM1 User
gecos: IDM1 User
gidNumber: 10001
homeDirectory: /home/idm1
loginShell: /bin/bash
name: idm1@ldap
objectClass: user
uidNumber: 17583100
originalDN: uid=idm1,ou=People,dc=example,dc=test
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
mail: idm1@example2.com
nameAlias: idm1@ldap
lastUpdate: 1472559388
dataExpireTimestamp: 1472564788
memberof: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb
initgrExpireTimestamp: 1472564788
distinguishedName: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb

# record 2
dn: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb
createTimestamp: 1472559398
fullName: IDM2 User
gecos: IDM2 User
gidNumber: 10002
homeDirectory: /home/idm2
loginShell: /bin/bash
name: idm2@ldap
objectClass: user
uidNumber: 17583101
originalDN: uid=idm2,ou=People,dc=example,dc=test
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
mail: idm2@example2.com
nameAlias: idm2@ldap
lastUpdate: 1472559398
dataExpireTimestamp: 1
initgrExpireTimestamp: 1
distinguishedName: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb

# record 3
dn: cn=users,cn=LDAP,cn=sysdb
cn: Users
distinguishedName: cn=users,cn=LDAP,cn=sysdb

10. Check the timestamps cache

[root@client1 db]# ldbsearch -H /var/lib/sss/db/timestamps_LDAP.ldb -b cn=users,cn=LDAP,cn=sysdb
# record 1
dn: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
lastUpdate: 1472559388
objectClass: user
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
dataExpireTimestamp: 1
initgrExpireTimestamp: 1
distinguishedName: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb

# record 2
dn: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb
lastUpdate: 1472559398
objectClass: user
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
dataExpireTimestamp: 1
initgrExpireTimestamp: 1
distinguishedName: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb

# record 3
dn: cn=users,cn=LDAP,cn=sysdb
cn: Users
distinguishedName: cn=users,cn=LDAP,cn=sysdb



11. Enumerate the domain cache for groups

[root@client1 db]# ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb -b cn=groups,cn=LDAP,cn=sysdb
asq: Unable to register control with rootdse!
# record 1
dn: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb
createTimestamp: 1472559388
gidNumber: 10001
name: idm_group1@ldap
objectClass: group
isPosix: TRUE
originalDN: cn=idm_group1,ou=Groups,dc=example,dc=test
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
member: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
nameAlias: idm_group1@ldap
lastUpdate: 1472559388
dataExpireTimestamp: 1472564788
memberuid: idm1@ldap
distinguishedName: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb

# record 2
dn: cn=groups,cn=LDAP,cn=sysdb
cn: Groups
distinguishedName: cn=groups,cn=LDAP,cn=sysdb

12. Enumerate the timestamps_LDAP.ldb cache to verify whether the group information is
invalidated.


[root@client1 db]# ldbsearch -H /var/lib/sss/db/timestamps_LDAP.ldb -b cn=groups,cn=LDAP,cn=sysdb
# record 1
dn: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb
lastUpdate: 1472559388
objectClass: group
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
dataExpireTimestamp: 1
distinguishedName: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb

# record 2
dn: cn=groups,cn=LDAP,cn=sysdb
cn: Groups
distinguishedName: cn=groups,cn=LDAP,cn=sysdb



Actual results:

The dataExpireTimestamp in timestamps_LDAP.ldb shows 1 when invalidated, but
dataExpireTimestamp in cache_LDAP.ldb still shows dataExpireTimestamp: 1472564788


Expected results:


dataExpireTimestamp should be same in both the caches.

Additional info:
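
The comparison that steps 9 to 12 perform by eye can be automated. The following Python script is an added example, not code from the ticket or from the SSSD project: it parses ldbsearch output for the domain cache and the timestamps cache and lists every entry whose dataExpireTimestamp (or initgrExpireTimestamp) disagrees between the two. The embedded dumps are copied from the ticket's ldbsearch output after step 8 and trimmed to the attributes the check needs; the function names, the INVALIDATED constant and the way the two dumps are obtained are my assumptions.

```python
"""Compare expiry timestamps between the SSSD domain cache and the
timestamps cache, using ldbsearch output for both.

Added example, not code from the SSSD project or from this ticket.
On a real client the two inputs come from (assumed usage):
  ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb      -b cn=LDAP,cn=sysdb
  ldbsearch -H /var/lib/sss/db/timestamps_LDAP.ldb -b cn=LDAP,cn=sysdb
"""

# Value written into the expiry attributes by sss_cache, as seen in the
# ticket output after "sss_cache -U -g idm_group1".
INVALIDATED = 1

# Domain cache after step 8, copied from the ticket and trimmed.
DOMAIN_CACHE_DUMP = """\
asq: Unable to register control with rootdse!
# record 1
dn: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
objectClass: user
lastUpdate: 1472559388
dataExpireTimestamp: 1472564788
initgrExpireTimestamp: 1472564788

# record 2
dn: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb
objectClass: user
lastUpdate: 1472559398
dataExpireTimestamp: 1
initgrExpireTimestamp: 1

# record 3
dn: cn=users,cn=LDAP,cn=sysdb
cn: Users

# record 4
dn: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb
objectClass: group
lastUpdate: 1472559388
dataExpireTimestamp: 1472564788
"""

# Timestamps cache after step 8, copied from the ticket and trimmed.
TIMESTAMPS_CACHE_DUMP = """\
# record 1
dn: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
lastUpdate: 1472559388
dataExpireTimestamp: 1
initgrExpireTimestamp: 1

# record 2
dn: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb
lastUpdate: 1472559398
dataExpireTimestamp: 1
initgrExpireTimestamp: 1

# record 3
dn: cn=users,cn=LDAP,cn=sysdb
cn: Users

# record 4
dn: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb
lastUpdate: 1472559388
dataExpireTimestamp: 1
"""


def _unfold(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldbsearch(text):
    """Parse ldbsearch output into {dn: {attribute: [values]}}.

    Comment lines ("# record N"), the "asq:" warning and blank lines are
    skipped; a "dn:" line starts a new record."""
    records = {}
    current = None
    for line in _unfold(text):
        if not line or line.startswith("#") or line.startswith("asq:"):
            continue
        attr, sep, value = line.partition(": ")
        if not sep:
            continue
        if attr == "dn":
            current = records.setdefault(value, {})
            continue
        if current is not None:
            current.setdefault(attr, []).append(value)
    return records


def _expiry(entry, attr):
    values = entry.get(attr)
    return int(values[0]) if values else None


def find_inconsistencies(domain_text, ts_text, attr="dataExpireTimestamp"):
    """Return [(dn, domain_value, timestamps_value)] for every entry present
    in both caches whose `attr` differs.  Entries lacking the attribute in
    either cache (container objects, groups for initgrExpireTimestamp) are
    skipped rather than reported."""
    domain = parse_ldbsearch(domain_text)
    timestamps = parse_ldbsearch(ts_text)
    mismatches = []
    for dn, entry in domain.items():
        ts_entry = timestamps.get(dn)
        if ts_entry is None:
            continue
        d_val, t_val = _expiry(entry, attr), _expiry(ts_entry, attr)
        if d_val is None or t_val is None:
            continue
        if d_val != t_val:
            mismatches.append((dn, d_val, t_val))
    return mismatches


def stale_after_invalidation(domain_text, ts_text, attr="dataExpireTimestamp"):
    """DNs marked invalidated in the timestamps cache but still carrying a
    real expiry in the domain cache: exactly the symptom this ticket reports."""
    return [dn for dn, d_val, t_val in find_inconsistencies(domain_text, ts_text, attr)
            if t_val == INVALIDATED and d_val != INVALIDATED]


if __name__ == "__main__":
    for dn, d_val, t_val in find_inconsistencies(DOMAIN_CACHE_DUMP, TIMESTAMPS_CACHE_DUMP):
        print(f"{dn}: cache_LDAP.ldb={d_val} timestamps_LDAP.ldb={t_val}")
```

Run against the ticket's dumps the script reports idm1 and idm_group1 as inconsistent (domain cache 1472564788, timestamps cache 1) while idm2, which sss_cache handled correctly, is silent. Passing attr="initgrExpireTimestamp" checks the initgroups expiry the same way.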

Fields changed

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
milestone: NEEDS_TRIAGE => SSSD 1.15 Beta
review: True => 0
selected: =>
testsupdated: => 0

Fields changed

owner: somebody => pcech

Fields changed

status: new => assigned

Fields changed

patch: 0 => 1

Metadata Update from @jhrozek:
- Issue assigned to pcech
- Issue set to the milestone: SSSD 1.15.3

3 years ago

master:

Metadata Update from @jhrozek:
- Custom field design_review reset
- Custom field mark reset
- Custom field patch adjusted to on (was: 1)
- Custom field review reset
- Custom field sensitive reset
- Custom field testsupdated reset
- Issue close_status updated to: Fixed
- Issue set to the milestone: SSSD 1.15.2 (was: SSSD 1.15.3)
- Issue status updated to: Closed (was: Open)

3 years ago

sssd-1-14:

Metadata Update from @lslebodn:
- Custom field design_review reset (from false)
- Custom field mark reset (from false)
- Custom field review reset (from false)
- Custom field sensitive reset (from false)
- Custom field testsupdated reset (from false)

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4197

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
