#3164 when group is invalidated using sss_cache dataExpireTimestamp entry in the domain and timestamps cache are inconsistent
Closed: Fixed 2 years ago Opened 3 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1371538

Description of problem:

When groups/users are invalidated using sss_cache, the group/user information
in the domain cache (cache_LDAP.ldb) and the timestamps cache is inconsistent with
regard to the dataExpireTimestamp attribute.

Version-Release number of selected component (if applicable):

sssd-client-1.14.0-30.el7.x86_64
sssd-dbus-1.14.0-30.el7.x86_64
python-sssdconfig-1.14.0-30.el7.noarch
sssd-ipa-1.14.0-30.el7.x86_64
sssd-tools-1.14.0-30.el7.x86_64
sssd-krb5-common-1.14.0-30.el7.x86_64
sssd-krb5-1.14.0-30.el7.x86_64
python-sss-1.14.0-30.el7.x86_64
libsss_autofs-1.14.0-30.el7.x86_64
libsss_nss_idmap-1.14.0-30.el7.x86_64
sssd-common-pac-1.14.0-30.el7.x86_64
sssd-ldap-1.14.0-30.el7.x86_64
sssd-proxy-1.14.0-30.el7.x86_64
sssd-debuginfo-1.14.0-30.el7.x86_64
libsss_idmap-1.14.0-30.el7.x86_64
sssd-ad-1.14.0-30.el7.x86_64
sssd-1.14.0-30.el7.x86_64
sssd-testlib-0.1-1.el7.noarch
sssd-common-1.14.0-30.el7.x86_64
libsss_simpleifp-1.14.0-30.el7.x86_64



Steps to Reproduce:
1. Configure an LDAP server with users and groups, for example users idm1 to idm8,
and create groups idm_group1 to idm_group2 (having POSIX attributes)
2. Make user idm1 a member of idm_group1
3. Configure a RHEL7.3 client to authenticate to the LDAP server
[root@client1 db]# cat /etc/sssd/sssd.conf
[domain/LDAP]
cache_credentials = TRUE
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
chpass_provider = ldap
ldap_uri = ldaps://client2.example.test
ldap_tls_cacertdir = /etc/openldap/cacerts
debug_level = 0x0080

[sssd]
services = nss,pam
sbus_timeout = 30
config_file_version = 2
domains = LDAP
debug_level = 9

[nss]
filter_users = root,dbus,rpcuser,rpc,haldaemon,nobody,postfix,smmsp,nscd,ntp,apache
debug_level = 7



4. Restart cache.

5. Query user idm1 so that it is saved in the cache
# getent passwd -s sss idm1
idm1:*:17583100:10001:IDM1 User:/home/idm1:/bin/bash
[root@client1 db]# getent passwd -s sss idm2
idm2:*:17583101:10002:IDM2 User:/home/idm2:/bin/bash
[root@client1 db]# getent group -s sss idm_group1
idm_group1:*:10001:idm1

6. Enumerate groups in the domain cache using ldb tools

[root@client1 db]# ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb -b cn=groups,cn=LDAP,cn=sysdb
asq: Unable to register control with rootdse!
# record 1
dn: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb
createTimestamp: 1472559388
gidNumber: 10001
name: idm_group1@ldap
objectClass: group
isPosix: TRUE
originalDN: cn=idm_group1,ou=Groups,dc=example,dc=test
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
member: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
nameAlias: idm_group1@ldap
lastUpdate: 1472559388
dataExpireTimestamp: 1472564788
memberuid: idm1@ldap
distinguishedName: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb

7. Enumerate users in the domain cache using ldb tools

[root@client1 db]# ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb -b cn=users,cn=LDAP,cn=sysdb
asq: Unable to register control with rootdse!
# record 1
dn: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
createTimestamp: 1472559388
fullName: IDM1 User
gecos: IDM1 User
gidNumber: 10001
homeDirectory: /home/idm1
loginShell: /bin/bash
name: idm1@ldap
objectClass: user
uidNumber: 17583100
originalDN: uid=idm1,ou=People,dc=example,dc=test
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
mail: idm1@example2.com
nameAlias: idm1@ldap
lastUpdate: 1472559388
dataExpireTimestamp: 1472564788
memberof: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb
initgrExpireTimestamp: 1472564788
distinguishedName: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb

# record 2
dn: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb
createTimestamp: 1472559398
fullName: IDM2 User
gecos: IDM2 User
gidNumber: 10002
homeDirectory: /home/idm2
loginShell: /bin/bash
name: idm2@ldap
objectClass: user
uidNumber: 17583101
originalDN: uid=idm2,ou=People,dc=example,dc=test
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
mail: idm2@example2.com
nameAlias: idm2@ldap
lastUpdate: 1472559398
dataExpireTimestamp: 1472564798
distinguishedName: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb

# record 3
dn: cn=users,cn=LDAP,cn=sysdb
cn: Users
distinguishedName: cn=users,cn=LDAP,cn=sysdb


8. Invalidate all users and the group idm_group1

[root@client1 db]# sss_cache -U -g idm_group1

9. Check the domain cache.

ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb -b cn=users,cn=LDAP,cn=sysdb
asq: Unable to register control with rootdse!
# record 1
dn: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
createTimestamp: 1472559388
fullName: IDM1 User
gecos: IDM1 User
gidNumber: 10001
homeDirectory: /home/idm1
loginShell: /bin/bash
name: idm1@ldap
objectClass: user
uidNumber: 17583100
originalDN: uid=idm1,ou=People,dc=example,dc=test
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
mail: idm1@example2.com
nameAlias: idm1@ldap
lastUpdate: 1472559388
dataExpireTimestamp: 1472564788
memberof: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb
initgrExpireTimestamp: 1472564788
distinguishedName: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb

# record 2
dn: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb
createTimestamp: 1472559398
fullName: IDM2 User
gecos: IDM2 User
gidNumber: 10002
homeDirectory: /home/idm2
loginShell: /bin/bash
name: idm2@ldap
objectClass: user
uidNumber: 17583101
originalDN: uid=idm2,ou=People,dc=example,dc=test
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
mail: idm2@example2.com
nameAlias: idm2@ldap
lastUpdate: 1472559398
dataExpireTimestamp: 1
initgrExpireTimestamp: 1
distinguishedName: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb

# record 3
dn: cn=users,cn=LDAP,cn=sysdb
cn: Users
distinguishedName: cn=users,cn=LDAP,cn=sysdb

10. Check the timestamps cache

[root@client1 db]# ldbsearch -H /var/lib/sss/db/timestamps_LDAP.ldb -b cn=users,cn=LDAP,cn=sysdb
# record 1
dn: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
lastUpdate: 1472559388
objectClass: user
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
dataExpireTimestamp: 1
initgrExpireTimestamp: 1
distinguishedName: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb

# record 2
dn: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb
lastUpdate: 1472559398
objectClass: user
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
dataExpireTimestamp: 1
initgrExpireTimestamp: 1
distinguishedName: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb

# record 3
dn: cn=users,cn=LDAP,cn=sysdb
cn: Users
distinguishedName: cn=users,cn=LDAP,cn=sysdb



11. Enumerate the domain cache for groups

[root@client1 db]# ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb -b cn=groups,cn=LDAP,cn=sysdb
asq: Unable to register control with rootdse!
# record 1
dn: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb
createTimestamp: 1472559388
gidNumber: 10001
name: idm_group1@ldap
objectClass: group
isPosix: TRUE
originalDN: cn=idm_group1,ou=Groups,dc=example,dc=test
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
member: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
nameAlias: idm_group1@ldap
lastUpdate: 1472559388
dataExpireTimestamp: 1472564788
memberuid: idm1@ldap
distinguishedName: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb

# record 2
dn: cn=groups,cn=LDAP,cn=sysdb
cn: Groups
distinguishedName: cn=groups,cn=LDAP,cn=sysdb

12. Enumerate the timestamps_LDAP.ldb cache to verify whether the group information is
invalidated.


[root@client1 db]# ldbsearch -H /var/lib/sss/db/timestamps_LDAP.ldb -b cn=groups,cn=LDAP,cn=sysdb
# record 1
dn: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb
lastUpdate: 1472559388
objectClass: group
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
dataExpireTimestamp: 1
distinguishedName: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb

# record 2
dn: cn=groups,cn=LDAP,cn=sysdb
cn: Groups
distinguishedName: cn=groups,cn=LDAP,cn=sysdb



Actual results:

The dataExpireTimestamp in timestamps_LDAP.ldb shows 1 when invalidated, but
dataExpireTimestamp in cache_LDAP.ldb shows dataExpireTimestamp: 1472564788


Expected results:


dataExpireTimestamp should be the same in both caches.

Additional info:

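A practitioner's consistency check for the symptom above, added here by the editor and not part of the ticket or of SSSD: it parses ldbsearch-style output from the domain cache and the timestamps cache and reports every DN whose expiry attributes disagree between the two. The two dumps are constructed to mirror the post-invalidation records in the report (idm1 still carries a future dataExpireTimestamp in cache_LDAP.ldb while timestamps_LDAP.ldb already shows 1); in practice they would come from the two ldbsearch commands shown in steps 9 and 10.

```python
# Constructed ldbsearch-style dumps modelled on the ticket's records (not real output):
# the domain cache still holds a future expiry for idm1, the timestamps cache shows 1.
DOMAIN_CACHE = """\
asq: Unable to register control with rootdse!
# record 1
dn: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
dataExpireTimestamp: 1472564788

# record 2
dn: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb
dataExpireTimestamp: 1
"""

TIMESTAMPS_CACHE = """\
# record 1
dn: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
dataExpireTimestamp: 1

# record 2
dn: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb
dataExpireTimestamp: 1
"""


def parse_ldb(text):
    """Parse ldbsearch output into {dn: {attr: value}}; '# record' comments, blank
    lines and the 'asq:' warning printed before the first dn are skipped."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        attr, value = (part.strip() for part in line.split(":", 1))
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:  # attributes before any dn (the asq warning) are dropped
            current[attr] = value
    return entries


def find_inconsistent(domain_text, ts_text, attrs=("dataExpireTimestamp", "initgrExpireTimestamp")):
    """Map dn -> {attr: (domain_value, timestamps_value)} for every entry present in
    both caches whose expiry attributes disagree, i.e. the ticket's symptom."""
    domain, ts = parse_ldb(domain_text), parse_ldb(ts_text)
    mismatches = {}
    for dn in domain.keys() & ts.keys():
        for attr in attrs:
            d_val, t_val = domain[dn].get(attr), ts[dn].get(attr)
            if d_val is not None and t_val is not None and d_val != t_val:
                mismatches.setdefault(dn, {})[attr] = (d_val, t_val)
    return mismatches
```

An empty result means the two caches agree for every entry they share; after a fixed sss_cache run the invalidated entries should show 1 in both.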
Fields changed

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
milestone: NEEDS_TRIAGE => SSSD 1.15 Beta
review: True => 0
selected: =>
testsupdated: => 0

Fields changed

owner: somebody => pcech

Fields changed

status: new => assigned

Fields changed

patch: 0 => 1

Metadata Update from @jhrozek:
- Issue assigned to pcech
- Issue set to the milestone: SSSD 1.15.3

2 years ago

master:

Metadata Update from @jhrozek:
- Custom field design_review reset
- Custom field mark reset
- Custom field patch adjusted to on (was: 1)
- Custom field review reset
- Custom field sensitive reset
- Custom field testsupdated reset
- Issue close_status updated to: Fixed
- Issue set to the milestone: SSSD 1.15.2 (was: SSSD 1.15.3)
- Issue status updated to: Closed (was: Open)

2 years ago

sssd-1-14:

Metadata Update from @lslebodn:
- Custom field design_review reset (from false)
- Custom field mark reset (from false)
- Custom field review reset (from false)
- Custom field sensitive reset (from false)
- Custom field testsupdated reset (from false)

2 years ago
