#884 RFE: Support change in uid and gid number for the same user.
Closed: wontfix 4 years ago by pbrezina. Opened 12 years ago by gowrishankar.

Method:

  1. Install IPA Server.
  2. Create user "shanks", auth successful as expected.
  3. Un-install IPA Server.
  4. Re-install IPA Server.
  5. Again, create user "shanks", auth fails.

As of now the uidNumber and gidNumber (1866400003) get updated in the cache; however, the ccacheFile {{{FILE:/tmp/krb5cc_1179400133_DmGZ0S}}} remains the old one, which is why we see the following in the domain logs.

(Tue Jun  7 03:32:54 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [check_if_ccache_file_is_used] (1): Cache file [/tmp/krb5cc_1179400133_DmGZ0S] exists, but is owned by [1179400133] instead of [1866400003].
(Tue Jun  7 03:32:54 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [krb5_auth_send] (1): check_if_ccache_file_is_used failed.
(Tue Jun  7 03:32:54 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_auth_handler_done] (1): krb5_auth_recv request failed.
(Tue Jun  7 03:32:54 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler_callback] (4): Backend returned: (0, 4, <NULL>)

[root@bumblebee ~]# getent -s sss passwd shanks
shanks:*:1866400003:1866400003:shanks:/home/shanks:/bin/sh

[root@bumblebee ~]# ldb3search -H /var/lib/sss/db/cache_lab.eng.pnq.redhat.com.ldb -b name=shanks,cn=users,cn=lab.eng.pnq.redhat.com,cn=sysdb
no symbol `init_samba_module' found in /usr/lib64/ldb/memberof.so: /usr/lib64/ldb/memberof.so: undefined symbol: init_samba_module
WARNING: Module [memberof] not found
asq: Unable to register control with rootdse!
# record 1
dn: name=shanks,cn=users,cn=lab.eng.pnq.redhat.com,cn=sysdb
createTimestamp: 1307390729
fullName: shanks
gecos: shanks
homeDirectory: /home/shanks
loginShell: /bin/sh
name: shanks
objectClass: user
originalDN: uid=shanks,cn=users,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=
 com
originalMemberOf: cn=ipausers,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=re
 dhat,dc=com
userPrincipalName: shanks@LAB.ENG.PNQ.REDHAT.COM
memberof: name=ipausers,cn=groups,cn=lab.eng.pnq.redhat.com,cn=sysdb
failedLoginAttempts: 0
ccacheFile: FILE:/tmp/krb5cc_1179400133_DmGZ0S          <--------------
cachedPassword: $6$tOG.KevFfuGT0uln$7Ah0xflGMTceuYgrZ./MeOdA3k6B732pD1WEemVLp0
 bHTIq9hhESaA31nUeh8kBFKnI0.cNKrdT3LKgD9T87h1
lastCachedPasswordChange: 1307390791
lastOnlineAuth: 1307390791
lastLogin: 1307390791
uidNumber: 1866400003          <--------------
gidNumber: 1866400003          <--------------
originalModifyTimestamp: 20110607072131Z
entryUSN: 380
krbLastPwdChange: 20110607072132Z
krbPasswordExpiration: 20110607072132Z
initgrExpireTimestamp: 1307433774
lastUpdate: 1307431974
dataExpireTimestamp: 1307433774
distinguishedName: name=shanks,cn=users,cn=lab.eng.pnq.redhat.com,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals

Expected:

  • We should keep track of the guid/uuid of the object on the server, which should never change during the lifetime of the object, and if the guid/uuid changes we should invalidate all cached attributes of the user (including the cached password hash) and assume that it is a new user with just the same name.

OR

  • We should at least return an error or a warning if the uuid/guid changes.

Fields changed

description: (description reformatted with {{{ }}} code blocks; text otherwise as above)

Fields changed

summary: RFE: Support change in uuid and guid number for the same user. => RFE: Support change in uid and gid number for the same user.

I think I agree with Shanks. If the UID of a user changes, we should remove the {{{ccacheFile}}} and cachedPassword entries for the user in the sysdb cache.

However, I'm also lowering the priority to minor because this should never occur in a sane deployment (and demanding that the cache be removed in the situation described above is a completely reasonable workaround).

component: SSSD => Kerberos Provider
priority: major => minor
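The invalidation policy proposed in the Expected section of the report and in this comment, as an added example that is not SSSD's own code: it parses an ldbsearch-style record, reproduces the stale-ccache condition that check_if_ccache_file_is_used reports in the log, and drops the credential-bearing attributes when the server-side object identifier or the uid changes. The sample records are constructed from the entry quoted in the ticket; the ipaUniqueID attribute as the tracked identifier, the FILE:/tmp/krb5cc_%U_XXXXXX ccache-name template used to read a uid out of the name, and all function names are assumptions of this example.

```python
import re

# Constructed sample records, not a real cache dump. CACHED_RECORD is trimmed from
# the sysdb entry quoted in the ticket, holds the uidNumber the cache had before the
# re-install, and adds a hypothetical ipaUniqueID as the server-side object identifier.
CACHED_RECORD = """\
dn: name=shanks,cn=users,cn=lab.eng.pnq.redhat.com,cn=sysdb
name: shanks
gecos: shanks
originalDN: uid=shanks,cn=users,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=
 com
ccacheFile: FILE:/tmp/krb5cc_1179400133_DmGZ0S
cachedPassword: $6$tOG.KevFfuGT0uln$7Ah0xflGMTceuYgrZ./MeOdA3k6B732pD1WEemVLp0
 bHTIq9hhESaA31nUeh8kBFKnI0.cNKrdT3LKgD9T87h1
lastCachedPasswordChange: 1307390791
uidNumber: 1179400133
gidNumber: 1179400133
ipaUniqueID: 00000000-0000-0000-0000-00000000aaaa
"""
# The re-installed server's entry for the same name: new uid/gid, new identifier.
SERVER_RECORD = """\
dn: uid=shanks,cn=users,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
uid: shanks
uidNumber: 1866400003
gidNumber: 1866400003
ipaUniqueID: 00000000-0000-0000-0000-00000000bbbb
"""
# Cached attributes that are only meaningful for the uid that produced them.
CREDENTIAL_ATTRS = ("ccacheFile", "cachedPassword", "lastCachedPasswordChange")
# Assumed ccache naming: SSSD's default FILE:/tmp/krb5cc_%U_XXXXXX template.
CCACHE_UID_RE = re.compile(r"^FILE:/tmp/krb5cc_(\d+)(?:_[^/]*)?$")


def parse_ldif(text):
    """One LDIF-style record (as ldbsearch prints it) -> dict. Lines starting with
    a space continue the previous attribute; '#' lines are skipped; single-valued."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    entry = {}
    for line in logical:
        key, sep, value = line.partition(":")
        if sep:
            entry[key] = value.strip()
    return entry

def ccache_uid_from_name(ccache):
    """uid encoded by the %U template, or None. SSSD itself stat()s the file and
    compares the owner; an offline look at the cache can only use the name."""
    m = CCACHE_UID_RE.match(ccache)
    return int(m.group(1)) if m else None

def stale_ccache(entry):
    """The condition behind the failing check_if_ccache_file_is_used in the log:
    ccacheFile belongs to another uid. Returns (ccache_uid, uidNumber) or None."""
    ccache = entry.get("ccacheFile")
    if not ccache or "uidNumber" not in entry:
        return None
    owner = ccache_uid_from_name(ccache)
    current = int(entry["uidNumber"])
    return (owner, current) if owner is not None and owner != current else None

def reconcile(cached, server, uuid_attr="ipaUniqueID"):
    """Merge a fresh server entry into the cached one under the ticket's proposal.
    Identifier changed: a new object with the same name, keep only dn/name and take
    the server's values. Same identifier but uid/gid changed: drop just the
    credential-bearing attributes. Returns (merged, reasons); reasons is empty when
    the cached credentials were kept."""
    reasons = []
    old_id, new_id = cached.get(uuid_attr), server.get(uuid_attr)
    if new_id is not None and old_id != new_id:
        reasons.append(f"{uuid_attr} changed {old_id} -> {new_id}")
        merged = {k: cached[k] for k in ("dn", "name") if k in cached}
    else:
        merged = dict(cached)
        for attr in ("uidNumber", "gidNumber"):
            if attr in server and server[attr] != cached.get(attr):
                reasons.append(f"{attr} changed {cached.get(attr)} -> {server[attr]}")
        if reasons:
            for attr in CREDENTIAL_ATTRS:
                merged.pop(attr, None)
    # The server's dn and uid live in sysdb as originalDN and name.
    for attr, value in server.items():
        if attr not in ("dn", "uid"):
            merged[attr] = value
    if "dn" in server:
        merged["originalDN"] = server["dn"]
    return merged, reasons


if __name__ == "__main__":
    cached, server = parse_ldif(CACHED_RECORD), parse_ldif(SERVER_RECORD)
    # Today's behaviour: uid/gid overwritten, ccacheFile left alone -> stale.
    naive = dict(cached, uidNumber=server["uidNumber"], gidNumber=server["gidNumber"])
    print("after plain uid update:", stale_ccache(naive))
    merged, reasons = reconcile(cached, server)
    print("after reconcile:", stale_ccache(merged), reasons)
```

Run stand-alone, the script first shows the state from the ticket (uid updated, ccacheFile still owned by the old uid) and then the reconciled entry, where the changed identifier has emptied the credential attributes so the next authentication starts clean instead of failing on the old ccache.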

Fields changed

milestone: NEEDS_TRIAGE => SSSD Deferred

Replying to [comment:4 sbose]:

Related ticket https://bugzilla.redhat.com/show_bug.cgi?id=711416

This BZ is actually related to ticket #888. The support for uid and gid change is now being tracked in https://bugzilla.redhat.com/show_bug.cgi?id=724911

Fields changed

rhbz: => 0

Metadata Update from @gowrishankar:
- Issue set to the milestone: SSSD Patches welcome

7 years ago

Thank you for taking time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfill this request I am closing the issue as wontfix.

If the issue still persists on recent SSSD you can request re-consideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.

Thank you for understanding.

Metadata Update from @pbrezina:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/1926

If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
