#884 RFE: Support change in uid and gid number for the same user.
Opened 7 years ago by gowrishankar. Modified 2 years ago

Method:

  1. Install IPA Server.
  2. Create user "shanks", auth successful as expected.
  3. Un-install IPA Server.
  4. Re-install IPA Server.
  5. Again, create user "shanks", auth fails.

As of now the uidNumber and gidNumber (1866400003) get updated in the cache; however, the ccacheFile (FILE:/tmp/krb5cc_1179400133_DmGZ0S) remains old, because of which we see the following in the domain logs.

(Tue Jun  7 03:32:54 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [check_if_ccache_file_is_used] (1): Cache file [/tmp/krb5cc_1179400133_DmGZ0S] exists, but is owned by [1179400133] instead of [1866400003].
(Tue Jun  7 03:32:54 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [krb5_auth_send] (1): check_if_ccache_file_is_used failed.
(Tue Jun  7 03:32:54 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_auth_handler_done] (1): krb5_auth_recv request failed.
(Tue Jun  7 03:32:54 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler_callback] (4): Backend returned: (0, 4, <NULL>)
[root@bumblebee ~]# getent -s sss passwd shanks
shanks:*:1866400003:1866400003:shanks:/home/shanks:/bin/sh
[root@bumblebee ~]# ldb3search -H /var/lib/sss/db/cache_lab.eng.pnq.redhat.com.ldb -b name=shanks,cn=users,cn=lab.eng.pnq.redhat.com,cn=sysdb
no symbol `init_samba_module' found in /usr/lib64/ldb/memberof.so: /usr/lib64/ldb/memberof.so: undefined symbol: init_samba_module
WARNING: Module [memberof] not found
asq: Unable to register control with rootdse!
# record 1
dn: name=shanks,cn=users,cn=lab.eng.pnq.redhat.com,cn=sysdb
createTimestamp: 1307390729
fullName: shanks
gecos: shanks
homeDirectory: /home/shanks
loginShell: /bin/sh
name: shanks
objectClass: user
originalDN: uid=shanks,cn=users,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=
 com
originalMemberOf: cn=ipausers,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=re
 dhat,dc=com
userPrincipalName: shanks@LAB.ENG.PNQ.REDHAT.COM
memberof: name=ipausers,cn=groups,cn=lab.eng.pnq.redhat.com,cn=sysdb
failedLoginAttempts: 0
ccacheFile: FILE:/tmp/krb5cc_1179400133_DmGZ0S          <--------------
cachedPassword: $6$tOG.KevFfuGT0uln$7Ah0xflGMTceuYgrZ./MeOdA3k6B732pD1WEemVLp0
 bHTIq9hhESaA31nUeh8kBFKnI0.cNKrdT3LKgD9T87h1
lastCachedPasswordChange: 1307390791
lastOnlineAuth: 1307390791
lastLogin: 1307390791
uidNumber: 1866400003          <--------------
gidNumber: 1866400003          <--------------
originalModifyTimestamp: 20110607072131Z
entryUSN: 380
krbLastPwdChange: 20110607072132Z
krbPasswordExpiration: 20110607072132Z
initgrExpireTimestamp: 1307433774
lastUpdate: 1307431974
dataExpireTimestamp: 1307433774
distinguishedName: name=shanks,cn=users,cn=lab.eng.pnq.redhat.com,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals

Expected:

  • We should keep track of the guid/uuid of the object on the server, which should never change during the lifetime of the object, and if the guid/uuid changes we should invalidate all cached attributes of the user (including the cached password hash) and assume that it is a new user with just the same name.

OR

  • We should at least return an error or a warning if the uuid/guid changes.
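
To make the two proposals concrete, the following is an added example written for this ticket; it is not SSSD's own sysdb code. It models a cached user entry as a dict and merges a freshly fetched server entry into it. With `track_uuid=False` it behaves like the cache described above (uidNumber/gidNumber are overwritten, the stale ccacheFile survives, and the same ownership check that fails in the domain log fails here). With `track_uuid=True` a changed object UUID drops every identity-bound attribute, and a uid/gid change is reported as a warning. The function names, the `uuid` attribute and its two values are assumptions (the ldb dump in the ticket shows no such attribute); the uid/gid numbers, the ccache path and the log line are taken from the ticket.

```python
# Added example (not SSSD code): cache merge keyed on the server object's UUID,
# plus the ccache ownership check and a parser for the failing log line.
import re

# Attributes bound to the cached *identity* rather than to the login name.
# They are discarded when the object behind the name turns out to be a
# different object (different UUID), so a stale ccache or password hash is
# never reused for a new user that merely has the same name.
IDENTITY_BOUND_ATTRS = (
    "ccacheFile",
    "cachedPassword",
    "lastCachedPasswordChange",
    "lastOnlineAuth",
    "lastLogin",
)

# Pattern for the check_if_ccache_file_is_used line from the ticket's domain log.
CCACHE_OWNER_RE = re.compile(
    r"\[check_if_ccache_file_is_used\] \(\d+\): Cache file \[(?P<path>[^\]]+)\] "
    r"exists, but is owned by \[(?P<actual>\d+)\] instead of \[(?P<expected>\d+)\]"
)


def merge_user_entry(cached, fresh, track_uuid=True):
    """Merge a freshly fetched server entry into the cached entry.

    Returns (merged_entry, warnings). Neither input dict is modified.
    track_uuid=True implements the first proposal (UUID change invalidates
    identity-bound attributes); the uid/gid warning implements the second.
    """
    warnings = []
    if cached is None:
        return dict(fresh), warnings

    merged = dict(cached)
    if track_uuid and cached.get("uuid") != fresh.get("uuid"):
        warnings.append(
            "uuid for %s changed (%s -> %s): treating it as a new object and "
            "dropping cached credentials" % (fresh["name"], cached.get("uuid"), fresh.get("uuid"))
        )
        for attr in IDENTITY_BOUND_ATTRS:
            merged.pop(attr, None)

    for attr in ("uidNumber", "gidNumber"):
        if attr in cached and cached[attr] != fresh.get(attr):
            warnings.append("%s for %s changed (%s -> %s)"
                            % (attr, fresh["name"], cached[attr], fresh.get(attr)))

    merged.update(fresh)  # server values always win for the attributes it returns
    return merged, warnings


def ccache_file_is_usable(entry, file_owners):
    """The check that fails in the ticket's log: a cached ccacheFile is usable
    only if the file on disk is owned by the user's *current* uidNumber.
    file_owners maps ccache path -> owner uid and stands in for a stat() call."""
    ccache = entry.get("ccacheFile")
    if ccache is None:
        return True  # nothing cached; a fresh ccache will be created
    path = ccache.split(":", 1)[1] if ":" in ccache else ccache
    return file_owners.get(path) == entry["uidNumber"]


def parse_ccache_owner_mismatch(line):
    """Return (path, actual_owner_uid, expected_uid) for a mismatch log line, else None."""
    m = CCACHE_OWNER_RE.search(line)
    if not m:
        return None
    return m.group("path"), int(m.group("actual")), int(m.group("expected"))


# Constructed sample data built from the ticket's values; the uuid strings are
# placeholders and the password hash is a dummy, not the one in the ldb dump.
CACHED_SHANKS = {
    "name": "shanks", "uuid": "uuid-before-reinstall",
    "uidNumber": 1179400133, "gidNumber": 1179400133,
    "ccacheFile": "FILE:/tmp/krb5cc_1179400133_DmGZ0S",
    "cachedPassword": "$6$placeholder$constructed-hash",
}
FRESH_SHANKS = {
    "name": "shanks", "uuid": "uuid-after-reinstall",
    "uidNumber": 1866400003, "gidNumber": 1866400003,
}
FILE_OWNERS = {"/tmp/krb5cc_1179400133_DmGZ0S": 1179400133}  # file left over from the old uid
SAMPLE_LOG_LINE = (
    "(Tue Jun  7 03:32:54 2011) [sssd[be[lab.eng.pnq.redhat.com]]] "
    "[check_if_ccache_file_is_used] (1): Cache file [/tmp/krb5cc_1179400133_DmGZ0S] "
    "exists, but is owned by [1179400133] instead of [1866400003]."
)


def demo():
    """Returns (ccache usable without uuid tracking, usable with it, warnings emitted)."""
    buggy, _ = merge_user_entry(CACHED_SHANKS, FRESH_SHANKS, track_uuid=False)
    fixed, warnings = merge_user_entry(CACHED_SHANKS, FRESH_SHANKS, track_uuid=True)
    return (ccache_file_is_usable(buggy, FILE_OWNERS),
            ccache_file_is_usable(fixed, FILE_OWNERS),
            len(warnings))


if __name__ == "__main__":
    print("log line parsed as:", parse_ccache_owner_mismatch(SAMPLE_LOG_LINE))
    print("(usable without uuid tracking, usable with it, warnings):", demo())
```

Without UUID tracking the merged entry still carries the old ccacheFile while uidNumber is already 1866400003, which is exactly the state the domain log reports. With UUID tracking the stale ccacheFile and cachedPassword are gone before the next authentication, and the uid/gid change is visible in the warnings.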

Fields changed

summary: RFE: Support change in uuid and guid number for the same user. => RFE: Support change in uid and gid number for the same user.

I think I agree with Shanks. If the UID of a user changes, we should remove the ccacheFile and cachedPassword entries for the user in the sysdb cache.

However, I'm also lowering the priority to minor because this should never occur in a sane deployment (and demanding that the cache be removed in the situation described above is a completely reasonable workaround).

component: SSSD => Kerberos Provider
priority: major => minor

Fields changed

milestone: NEEDS_TRIAGE => SSSD Deferred

Replying to [comment:4 sbose]:

Related ticket https://bugzilla.redhat.com/show_bug.cgi?id=711416

This BZ is actually related to ticket #888. The support for uid and gid change is now being tracked in https://bugzilla.redhat.com/show_bug.cgi?id=724911

Fields changed

rhbz: => 0

Metadata Update from @gowrishankar:
- Issue set to the milestone: SSSD Patches welcome

2 years ago
