#3744 Race condition between concurrent initgroups requests can cause one of them to return incomplete information
Closed: Fixed 5 years ago Opened 5 years ago by jhrozek.

An initgroups request for an AD user consists of two parts - resolving the AD user, which internally calls an LDAP request and adding the IPA external group memberships. For (probably?) historical reasons from the time before we had any notion of subdomains, the initgrTimestamp attribute is written down at the LDAP request level when it finishes -- which means the initgrTimestamp is written before the IPA external group membership is evaluated.

When two requests for initgroups arrive semi-concurrently, it can happen that the first request will trigger the whole machinery while the other one would evaluate the initgrTimestamp attribute that was just bumped, but the IPA group memberships were not yet written to the cache.

The result is that the second racing request only returns AD groups.
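
An added illustration of the interleaving described in this ticket (not SSSD code, and not the change that closed the issue): a single-threaded model in which request B reads the cache between request A's two steps. The struct, the function names, the group counts and the timeout are assumptions made for the sketch.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Toy cache entry; field names are hypothetical, not SSSD's cache schema. */
struct entry {
    time_t initgr_timestamp;   /* 0 = initgroups never completed */
    int ad_groups;             /* written by the LDAP (AD) step */
    int ipa_ext_groups;        /* written by the IPA external-group step */
};

#define NEEDS_REFRESH (-1)

/* Step 1: resolve the AD user. With stamp_early the timestamp is bumped here. */
static void ldap_step(struct entry *e, time_t now, bool stamp_early)
{
    e->ad_groups = 3;                      /* constructed sample value */
    if (stamp_early) e->initgr_timestamp = now;
}

/* Step 2: add IPA external group memberships; otherwise stamp only now. */
static void ipa_step(struct entry *e, time_t now, bool stamp_early)
{
    e->ipa_ext_groups = 2;                 /* constructed sample value */
    if (!stamp_early) e->initgr_timestamp = now;
}

/* A request trusts the cache only while the timestamp is within the timeout. */
static int cached_initgroups(const struct entry *e, time_t now, time_t timeout)
{
    if (e->initgr_timestamp == 0 || now - e->initgr_timestamp >= timeout)
        return NEEDS_REFRESH;
    return e->ad_groups + e->ipa_ext_groups;
}

/* Request A runs both steps; request B reads the cache between them. */
int second_request_sees(bool stamp_early)
{
    struct entry e = {0};
    time_t now = 1000, timeout = 300;      /* constructed clock and timeout */
    ldap_step(&e, now, stamp_early);
    int seen = cached_initgroups(&e, now, timeout);   /* request B arrives */
    ipa_step(&e, now, stamp_early);
    return seen;
}

int main(void)
{
    printf("stamp after LDAP step: B gets %d groups\n", second_request_sees(true));
    printf("stamp after IPA step:  B gets %d\n", second_request_sees(false));
    return 0;
}
```

With the early stamp, B is handed the three AD groups as a complete answer; with the stamp deferred to the last step, B sees an unstamped entry and has to wait for or trigger a refresh instead.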


Metadata Update from @jhrozek:
- Issue tagged with: PR, bug

5 years ago

Metadata Update from @fidencio:
- Issue untagged with: PR
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

5 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.2

5 years ago

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1568370

5 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/4752

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
