#3283 getsidbyid can fail in some cases due to cache_req refactoring
Closed: Fixed None Opened 2 years ago by lslebodn.

The ideal is to test with a user who is a member of the "Domain users" group:

sh# id smbuser01-123456@SSSDAD2012
uid=1663280146(smbuser01-123456@sssdad2012.com) gid=1663200513(domain users@sssdad2012.com) groups=1663200513(domain users@sssdad2012.com),1663280147(smbgroup01-123456@sssdad2012.com),1663280145(smballgroup-123456@sssdad2012.com)

sh# getent group 'domain users@sssdad2012.com'
domain users@sssdad2012.com:*:1663200513:smbuser01-123456@sssdad2012.com

sh# python
Python 2.7.5 (default, Jan 18 2017, 10:25:43)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-11)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pysss_nss_idmap
>>> pysss_nss_idmap.getsidbyid(1663200513)
{}
>>>

As you can see in the description of the ticket, the data were already cached and should be returned from the cache.
Here is the important part of the nss log file with the wrong filter:

(Sat Jan 21 12:34:25 2017) [sssd[nss]] [cache_req_set_plugin] (0x2000): CR #70: Setting "Object by ID" plugin
(Sat Jan 21 12:34:25 2017) [sssd[nss]] [cache_req_send] (0x0400): CR #70: New request 'Object by ID'
(Sat Jan 21 12:34:25 2017) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #70: Performing a multi-domain search
(Sat Jan 21 12:34:25 2017) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #70: Using domain [sssdad2012.com]
(Sat Jan 21 12:34:25 2017) [sssd[nss]] [cache_req_search_send] (0x0400): CR #70: Looking up ID:1663200513@sssdad2012.com
(Sat Jan 21 12:34:25 2017) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #70: Checking negative cache for [ID:1663200513@sssdad2012.com]
(Sat Jan 21 12:34:25 2017) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/UID/sssdad2012.com/1663200513]
(Sat Jan 21 12:34:25 2017) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #70: [ID:1663200513@sssdad2012.com] is not present in negative cache
(Sat Jan 21 12:34:25 2017) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #70: Looking up [ID:1663200513@sssdad2012.com] in cache
(Sat Jan 21 12:34:25 2017) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7fd39dc7d790
(Sat Jan 21 12:34:25 2017) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7fd39dc8af40
(Sat Jan 21 12:34:25 2017) [sssd[nss]] [ldb] (0x4000): Running timer event 0x7fd39dc7d790 "ltdb_callback"
(Sat Jan 21 12:34:25 2017) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x7fd39dc8af40 "ltdb_timeout"
(Sat Jan 21 12:34:25 2017) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x7fd39dc7d790 "ltdb_callback"
(Sat Jan 21 12:34:25 2017) [sssd[nss]] [sysdb_search_object_attr] (0x0020): Search with filter [(&(|(objectclass=user)(objectclass=group))(|(uidNumber=1663200513)(gidNumber=1663200513)))] returned more than one object.
(Sat Jan 21 12:34:25 2017) [sssd[nss]] [sysdb_search_object_attr] (0x0040): Error: 22 (Invalid argument)
(Sat Jan 21 12:34:25 2017) [sssd[nss]] [cache_req_search_cache] (0x0020): CR #70: Unable to lookup [ID:1663200513@sssdad2012.com] in cache [22]: Invalid argument
(Sat Jan 21 12:34:25 2017) [sssd[nss]] [cache_req_done] (0x0400): CR #70: Finished: Error 22: Invalid argument
(Sat Jan 21 12:34:25 2017) [sssd[nss]] [nss_protocol_done] (0x4000): Sending reply: error [22]: Invalid argument
(Sat Jan 21 12:34:25 2017) [sssd[nss]] [client_recv] (0x0200): Client disconnected!

With the current filter, we will get the group and all members of the group.

ldbsearch -H /var/lib/sss/db/cache_sssdad2012.com.ldb '(&(|(objectclass=user)(objectclass=group))(|(uidNumber=1663200513)(gidNumber=1663200513)))' dn
asq: Unable to register control with rootdse!
# record 1
dn: name=smbuser01-123456@sssdad2012.com,cn=users,cn=sssdad2012.com,cn=sysdb

# record 2
dn: name=smbuser02-123456@sssdad2012.com,cn=users,cn=sssdad2012.com,cn=sysdb

# record 3
dn: name=smbuser03-123456@sssdad2012.com,cn=users,cn=sssdad2012.com,cn=sysdb

# record 4
dn: name=Domain Users@sssdad2012.com,cn=groups,cn=sssdad2012.com,cn=sysdb

The following filter is much better. But I do not remember whether we can get just one or two results, because getsidbyid can return ID_USER, ID_GROUP or ID_BOTH.

[root@fclient-12345 sssd]# ldbsearch -H /var/lib/sss/db/cache_sssdad2012.com.ldb '(|(&(objectclass=user)(uidNumber=1663200513))(&(objectclass=group)(gidNumber=1663200513)))' dn
asq: Unable to register control with rootdse!
# record 1
dn: name=Domain Users@sssdad2012.com,cn=groups,cn=sssdad2012.com,cn=sysdb

https://github.com/SSSD/sssd/pull/129
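
The difference between the two filters in this ticket, as an added example that is not part of the original ticket or SSSD's own code: a minimal evaluator for LDAP-style filters (AND, OR and equality only) run over constructed entries that mirror the cache records shown above. The uidNumber values for smbuser02 and smbuser03 are made up, and it is assumed that each user's gidNumber is the "Domain Users" GID.

```python
# Added example: minimal LDAP-style filter evaluator (&, | and equality only).
# CACHE is constructed sample data mirroring the ticket, not a real sysdb dump.

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, next_index)."""
    assert f[i] == "("
    i += 1
    if f[i] in "&|":
        op, i, kids = f[i], i + 1, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        assert f[i] == ")"
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, value = f[i:end].split("=", 1)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute -> list of values)."""
    if node[0] == "=":
        return node[2] in (v.lower() for v in entry.get(node[1], []))
    results = (matches(kid, entry) for kid in node[1])
    return all(results) if node[0] == "&" else any(results)

def search(flt, entries):
    """Return the DNs of all entries matching the filter string."""
    node, end = parse(flt)
    assert end == len(flt), "trailing characters in filter"
    return [e["dn"][0] for e in entries if matches(node, e)]

GID = "1663200513"
BASE = "cn=sssdad2012.com,cn=sysdb"

def user(name, uid):
    # Assumption: every sample user has "Domain Users" as primary group.
    return {"dn": [f"name={name}@sssdad2012.com,cn=users,{BASE}"],
            "objectclass": ["user"], "uidnumber": [uid], "gidnumber": [GID]}

CACHE = [user("smbuser01-123456", "1663280146"),
         user("smbuser02-123456", "1663280148"),   # constructed uidNumber
         user("smbuser03-123456", "1663280149"),   # constructed uidNumber
         {"dn": [f"name=Domain Users@sssdad2012.com,cn=groups,{BASE}"],
          "objectclass": ["group"], "gidnumber": [GID]}]

OLD = f"(&(|(objectclass=user)(objectclass=group))(|(uidNumber={GID})(gidNumber={GID})))"
NEW = f"(|(&(objectclass=user)(uidNumber={GID}))(&(objectclass=group)(gidNumber={GID})))"

if __name__ == "__main__":
    print(len(search(OLD, CACHE)), search(NEW, CACHE))
```

The old filter matches users through their primary gidNumber, which is what makes the lookup return more than one object; the new filter ties each ID attribute to its own object class.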

owner: somebody => lslebodn
patch: 0 => 1
status: new => assigned

milestone: NEEDS_TRIAGE => SSSD 1.15 Alpha
resolution: => fixed
status: assigned => closed

Fields changed

rhbz: => 0

Metadata Update from @lslebodn:
- Issue assigned to lslebodn
- Issue set to the milestone: SSSD 1.15.0
