Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1371538
Description of problem:
When users or a group are invalidated from the sss cache, the user/group information in the Domain cache (cache_LDAP.ldb) and in the timestamps cache is inconsistent with regard to the dataExpireTimestamp attribute.

Version-Release number of selected component (if applicable):
    sssd-client-1.14.0-30.el7.x86_64
    sssd-dbus-1.14.0-30.el7.x86_64
    python-sssdconfig-1.14.0-30.el7.noarch
    sssd-ipa-1.14.0-30.el7.x86_64
    sssd-tools-1.14.0-30.el7.x86_64
    sssd-krb5-common-1.14.0-30.el7.x86_64
    sssd-krb5-1.14.0-30.el7.x86_64
    python-sss-1.14.0-30.el7.x86_64
    libsss_autofs-1.14.0-30.el7.x86_64
    libsss_nss_idmap-1.14.0-30.el7.x86_64
    sssd-common-pac-1.14.0-30.el7.x86_64
    sssd-ldap-1.14.0-30.el7.x86_64
    sssd-proxy-1.14.0-30.el7.x86_64
    sssd-debuginfo-1.14.0-30.el7.x86_64
    libsss_idmap-1.14.0-30.el7.x86_64
    sssd-ad-1.14.0-30.el7.x86_64
    sssd-1.14.0-30.el7.x86_64
    sssd-testlib-0.1-1.el7.noarch
    sssd-common-1.14.0-30.el7.x86_64
    libsss_simpleifp-1.14.0-30.el7.x86_64

Steps to Reproduce:

1. Configure an LDAP server with users and groups, for example users idm1 to idm8, and create groups idm_group1 to idm_group2 (having POSIX attributes).

2. Make user idm1 a member of idm_group1.

3. Configure a RHEL 7.3 client to authenticate to the LDAP server:

    [root@client1 db]# cat /etc/sssd/sssd.conf
    [domain/LDAP]
    cache_credentials = TRUE
    id_provider = ldap
    auth_provider = ldap
    ldap_schema = rfc2307
    chpass_provider = ldap
    ldap_uri = ldaps://client2.example.test
    ldap_tls_cacertdir = /etc/openldap/cacerts
    debug_level = 0x0080

    [sssd]
    services = nss,pam
    sbus_timeout = 30
    config_file_version = 2
    domains = LDAP
    debug_level = 9

    [nss]
    filter_users = root,dbus,rpcuser,rpc,haldaemon,nobody,postfix,smmsp,nscd,ntp,apache
    debug_level = 7

4. Restart cache.

5. Query user idm1 and save it in the cache:

    # getent passwd -s sss idm1
    idm1:*:17583100:10001:IDM1 User:/home/idm1:/bin/bash
    [root@client1 db]# getent passwd -s sss idm2
    idm2:*:17583101:10002:IDM2 User:/home/idm2:/bin/bash
    [root@client1 db]# getent group -s sss idm_group1
    idm_group1:*:10001:idm1

6. Enumerate groups in the domain cache using ldbtools:

    [root@client1 db]# ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb -b cn=groups,cn=LDAP,cn=sysdb
    asq: Unable to register control with rootdse!
    # record 1
    dn: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb
    createTimestamp: 1472559388
    gidNumber: 10001
    name: idm_group1@ldap
    objectClass: group
    isPosix: TRUE
    originalDN: cn=idm_group1,ou=Groups,dc=example,dc=test
    originalModifyTimestamp: 20160830050239Z
    entryUSN: 20160830050239Z
    member: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
    nameAlias: idm_group1@ldap
    lastUpdate: 1472559388
    dataExpireTimestamp: 1472564788
    memberuid: idm1@ldap
    distinguishedName: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb

7. Enumerate users in the domain cache using ldbtools:

    [root@client1 db]# ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb -b cn=users,cn=LDAP,cn=sysdb
    asq: Unable to register control with rootdse!
    # record 1
    dn: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
    createTimestamp: 1472559388
    fullName: IDM1 User
    gecos: IDM1 User
    gidNumber: 10001
    homeDirectory: /home/idm1
    loginShell: /bin/bash
    name: idm1@ldap
    objectClass: user
    uidNumber: 17583100
    originalDN: uid=idm1,ou=People,dc=example,dc=test
    originalModifyTimestamp: 20160830050239Z
    entryUSN: 20160830050239Z
    mail: idm1@example2.com
    nameAlias: idm1@ldap
    lastUpdate: 1472559388
    dataExpireTimestamp: 1472564788
    memberof: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb
    initgrExpireTimestamp: 1472564788
    distinguishedName: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb

    # record 2
    dn: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb
    createTimestamp: 1472559398
    fullName: IDM2 User
    gecos: IDM2 User
    gidNumber: 10002
    homeDirectory: /home/idm2
    loginShell: /bin/bash
    name: idm2@ldap
    objectClass: user
    uidNumber: 17583101
    originalDN: uid=idm2,ou=People,dc=example,dc=test
    originalModifyTimestamp: 20160830050239Z
    entryUSN: 20160830050239Z
    mail: idm2@example2.com
    nameAlias: idm2@ldap
    lastUpdate: 1472559398
    dataExpireTimestamp: 1472564798
    distinguishedName: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb

    # record 3
    dn: cn=users,cn=LDAP,cn=sysdb
    cn: Users
    distinguishedName: cn=users,cn=LDAP,cn=sysdb

8. Invalidate all users and the group idm_group1:

    [root@client1 db]# sss_cache -U -g idm_group1

9. Check the Domain cache:

    ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb -b cn=users,cn=LDAP,cn=sysdb
    asq: Unable to register control with rootdse!
    # record 1
    dn: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
    createTimestamp: 1472559388
    fullName: IDM1 User
    gecos: IDM1 User
    gidNumber: 10001
    homeDirectory: /home/idm1
    loginShell: /bin/bash
    name: idm1@ldap
    objectClass: user
    uidNumber: 17583100
    originalDN: uid=idm1,ou=People,dc=example,dc=test
    originalModifyTimestamp: 20160830050239Z
    entryUSN: 20160830050239Z
    mail: idm1@example2.com
    nameAlias: idm1@ldap
    lastUpdate: 1472559388
    dataExpireTimestamp: 1472564788
    memberof: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb
    initgrExpireTimestamp: 1472564788
    distinguishedName: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb

    # record 2
    dn: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb
    createTimestamp: 1472559398
    fullName: IDM2 User
    gecos: IDM2 User
    gidNumber: 10002
    homeDirectory: /home/idm2
    loginShell: /bin/bash
    name: idm2@ldap
    objectClass: user
    uidNumber: 17583101
    originalDN: uid=idm2,ou=People,dc=example,dc=test
    originalModifyTimestamp: 20160830050239Z
    entryUSN: 20160830050239Z
    mail: idm2@example2.com
    nameAlias: idm2@ldap
    lastUpdate: 1472559398
    dataExpireTimestamp: 1
    initgrExpireTimestamp: 1
    distinguishedName: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb

    # record 3
    dn: cn=users,cn=LDAP,cn=sysdb
    cn: Users
    distinguishedName: cn=users,cn=LDAP,cn=sysdb

10. Check the timestamps cache:

    [root@client1 db]# ldbsearch -H /var/lib/sss/db/timestamps_LDAP.ldb -b cn=users,cn=LDAP,cn=sysdb
    # record 1
    dn: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
    lastUpdate: 1472559388
    objectClass: user
    originalModifyTimestamp: 20160830050239Z
    entryUSN: 20160830050239Z
    dataExpireTimestamp: 1
    initgrExpireTimestamp: 1
    distinguishedName: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb

    # record 2
    dn: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb
    lastUpdate: 1472559398
    objectClass: user
    originalModifyTimestamp: 20160830050239Z
    entryUSN: 20160830050239Z
    dataExpireTimestamp: 1
    initgrExpireTimestamp: 1
    distinguishedName: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb

    # record 3
    dn: cn=users,cn=LDAP,cn=sysdb
    cn: Users
    distinguishedName: cn=users,cn=LDAP,cn=sysdb

11. Enumerate the Domain cache for groups:

    [root@client1 db]# ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb -b cn=groups,cn=LDAP,cn=sysdb
    asq: Unable to register control with rootdse!
    # record 1
    dn: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb
    createTimestamp: 1472559388
    gidNumber: 10001
    name: idm_group1@ldap
    objectClass: group
    isPosix: TRUE
    originalDN: cn=idm_group1,ou=Groups,dc=example,dc=test
    originalModifyTimestamp: 20160830050239Z
    entryUSN: 20160830050239Z
    member: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
    nameAlias: idm_group1@ldap
    lastUpdate: 1472559388
    dataExpireTimestamp: 1472564788
    memberuid: idm1@ldap
    distinguishedName: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb

    # record 2
    dn: cn=groups,cn=LDAP,cn=sysdb
    cn: Groups
    distinguishedName: cn=groups,cn=LDAP,cn=sysdb

12. Enumerate the timestamps_LDAP.ldb cache to verify whether the group information is invalidated:

    [root@client1 db]# ldbsearch -H /var/lib/sss/db/timestamps_LDAP.ldb -b cn=groups,cn=LDAP,cn=sysdb
    # record 1
    dn: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb
    lastUpdate: 1472559388
    objectClass: group
    originalModifyTimestamp: 20160830050239Z
    entryUSN: 20160830050239Z
    dataExpireTimestamp: 1
    distinguishedName: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb

    # record 2
    dn: cn=groups,cn=LDAP,cn=sysdb
    cn: Groups
    distinguishedName: cn=groups,cn=LDAP,cn=sysdb

Actual results:
The dataExpireTimestamp in timestamps_LDAP.ldb shows 1 when invalidated, but dataExpireTimestamp in cache_LDAP.ldb still shows dataExpireTimestamp: 1472564788.

Expected results:
dataExpireTimestamp should be the same in both caches.

Additional info:
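The comparison the reporter does by eye in steps 9 to 12 can be automated. The checker below is an added example, not part of this ticket or of SSSD: it parses the LDIF-like text that ldbsearch prints for the persistent domain cache and for the timestamps cache, and lists every DN whose dataExpireTimestamp differs between the two. The two sample strings are constructed from the values in the report above (trimmed to the relevant attributes); on a real client you would paste in the output of the ldbsearch commands from the report instead. The marker value 1 for an invalidated entry is taken from the report itself.

```python
"""Added example (not from the ticket or from SSSD): compare
dataExpireTimestamp between the persistent domain cache
(cache_LDAP.ldb) and the timestamps cache (timestamps_LDAP.ldb)
using the LDIF-like text that ldbsearch prints."""

# sss_cache marks an invalidated entry by writing 1 into
# dataExpireTimestamp (and initgrExpireTimestamp), as seen in the report.
INVALIDATED = 1


def parse_ldbsearch(text):
    """Return {dn: {attribute: [values]}} from ldbsearch output.

    A new record starts at every 'dn:' line. '# record N' comments and
    stray lines printed before the first dn (such as the asq warning)
    are dropped. LDIF continuation lines (leading space) are folded back.
    """
    folded = []
    for line in text.splitlines():
        if line.startswith(" ") and folded:
            folded[-1] += line[1:]
        else:
            folded.append(line)

    entries = {}
    current = None
    for line in folded:
        if not line.strip() or line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
            continue
        if current is None:  # noise before the first record
            continue
        current.setdefault(attr, []).append(value)
    return entries


def expire_timestamp(entry):
    """dataExpireTimestamp as an int, or None when the entry has none
    (container objects such as cn=users carry no expiry)."""
    values = entry.get("dataExpireTimestamp")
    return int(values[0]) if values else None


def find_inconsistent(cache_text, timestamps_text):
    """List (dn, cache_value, timestamps_value) for every DN whose
    dataExpireTimestamp differs between the two caches."""
    cache = parse_ldbsearch(cache_text)
    stamps = parse_ldbsearch(timestamps_text)
    mismatches = []
    for dn in sorted(set(cache) | set(stamps)):
        c = expire_timestamp(cache.get(dn, {}))
        t = expire_timestamp(stamps.get(dn, {}))
        if c is None and t is None:
            continue  # container entry in both, nothing to compare
        if c != t:
            mismatches.append((dn, c, t))
    return mismatches


def invalidated_dns(text):
    """DNs whose dataExpireTimestamp carries the invalidation marker."""
    return sorted(dn for dn, entry in parse_ldbsearch(text).items()
                  if expire_timestamp(entry) == INVALIDATED)


# Constructed sample: cache_LDAP.ldb after step 9/11 of the report.
CACHE_LDAP = """\
asq: Unable to register control with rootdse!
# record 1
dn: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
objectClass: user
lastUpdate: 1472559388
dataExpireTimestamp: 1472564788
initgrExpireTimestamp: 1472564788

# record 2
dn: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb
objectClass: user
lastUpdate: 1472559398
dataExpireTimestamp: 1
initgrExpireTimestamp: 1

# record 3
dn: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb
objectClass: group
lastUpdate: 1472559388
dataExpireTimestamp: 1472564788

# record 4
dn: cn=users,cn=LDAP,cn=sysdb
cn: Users
"""

# Constructed sample: timestamps_LDAP.ldb after step 10/12 of the report.
TIMESTAMPS_LDAP = """\
# record 1
dn: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
objectClass: user
lastUpdate: 1472559388
dataExpireTimestamp: 1
initgrExpireTimestamp: 1

# record 2
dn: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb
objectClass: user
lastUpdate: 1472559398
dataExpireTimestamp: 1
initgrExpireTimestamp: 1

# record 3
dn: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb
objectClass: group
lastUpdate: 1472559388
dataExpireTimestamp: 1

# record 4
dn: cn=users,cn=LDAP,cn=sysdb
cn: Users
"""

if __name__ == "__main__":
    for dn, c, t in find_inconsistent(CACHE_LDAP, TIMESTAMPS_LDAP):
        print("MISMATCH %s: cache=%s timestamps=%s" % (dn, c, t))
```

Running it on the constructed samples reports idm1 and idm_group1 as inconsistent and idm2 as consistent, which is exactly the picture in the report. Two practical notes: ldbsearch against the live databases under /var/lib/sss/db needs root, and with cache_credentials = TRUE the persistent cache also holds cached password hashes, so treat copies of cache_LDAP.ldb taken for this kind of diagnosis as sensitive.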
Fields changed
blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
milestone: NEEDS_TRIAGE => SSSD 1.15 Beta
review: True => 0
selected: =>
testsupdated: => 0
owner: somebody => pcech
status: new => assigned
patch: 0 => 1
Metadata Update from @jhrozek:
- Issue assigned to pcech
- Issue set to the milestone: SSSD 1.15.3
master:
Metadata Update from @jhrozek:
- Custom field design_review reset
- Custom field mark reset
- Custom field patch adjusted to on (was: 1)
- Custom field review reset
- Custom field sensitive reset
- Custom field testsupdated reset
- Issue close_status updated to: Fixed
- Issue set to the milestone: SSSD 1.15.2 (was: SSSD 1.15.3)
- Issue status updated to: Closed (was: Open)
sssd-1-14:
Metadata Update from @lslebodn:
- Custom field design_review reset (from false)
- Custom field mark reset (from false)
- Custom field review reset (from false)
- Custom field sensitive reset (from false)
- Custom field testsupdated reset (from false)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4197
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.