Method:
As of now the uidNumber and gidNumber (1866400003) get updated in the cache, however, the ccacheFile ({{{FILE:/tmp/krb5cc_1179400133_DmGZ0S}}}) remains old, because of which we see the following in the domain logs.
{{{
(Tue Jun 7 03:32:54 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [check_if_ccache_file_is_used] (1): Cache file [/tmp/krb5cc_1179400133_DmGZ0S] exists, but is owned by [1179400133] instead of [1866400003].
(Tue Jun 7 03:32:54 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [krb5_auth_send] (1): check_if_ccache_file_is_used failed.
(Tue Jun 7 03:32:54 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_auth_handler_done] (1): krb5_auth_recv request failed.
(Tue Jun 7 03:32:54 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler_callback] (4): Backend returned: (0, 4, <NULL>)
}}}
{{{
[root@bumblebee ~]# getent -s sss passwd shanks
shanks:*:1866400003:1866400003:shanks:/home/shanks:/bin/sh
}}}
{{{
[root@bumblebee ~]# ldb3search -H /var/lib/sss/db/cache_lab.eng.pnq.redhat.com.ldb -b name=shanks,cn=users,cn=lab.eng.pnq.redhat.com,cn=sysdb
no symbol `init_samba_module' found in /usr/lib64/ldb/memberof.so: /usr/lib64/ldb/memberof.so: undefined symbol: init_samba_module
WARNING: Module [memberof] not found
asq: Unable to register control with rootdse!
# record 1
dn: name=shanks,cn=users,cn=lab.eng.pnq.redhat.com,cn=sysdb
createTimestamp: 1307390729
fullName: shanks
gecos: shanks
homeDirectory: /home/shanks
loginShell: /bin/sh
name: shanks
objectClass: user
originalDN: uid=shanks,cn=users,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
originalMemberOf: cn=ipausers,cn=groups,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
userPrincipalName: shanks@LAB.ENG.PNQ.REDHAT.COM
memberof: name=ipausers,cn=groups,cn=lab.eng.pnq.redhat.com,cn=sysdb
failedLoginAttempts: 0
ccacheFile: FILE:/tmp/krb5cc_1179400133_DmGZ0S <--------------
cachedPassword: $6$tOG.KevFfuGT0uln$7Ah0xflGMTceuYgrZ./MeOdA3k6B732pD1WEemVLp0bHTIq9hhESaA31nUeh8kBFKnI0.cNKrdT3LKgD9T87h1
lastCachedPasswordChange: 1307390791
lastOnlineAuth: 1307390791
lastLogin: 1307390791
uidNumber: 1866400003 <--------------
gidNumber: 1866400003 <--------------
originalModifyTimestamp: 20110607072131Z
entryUSN: 380
krbLastPwdChange: 20110607072132Z
krbPasswordExpiration: 20110607072132Z
initgrExpireTimestamp: 1307433774
lastUpdate: 1307431974
dataExpireTimestamp: 1307433774
distinguishedName: name=shanks,cn=users,cn=lab.eng.pnq.redhat.com,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals
}}}
Expected:
- We should keep track of the guid/uuid of the object on the server, which should never change during the lifetime of the object, and if the guid/uuid changes we should invalidate all cached attributes of the user (including the cached password hash) and assume that it is a new user with just the same name.
OR
summary: RFE: Support change in uuid and guid number for the same user. => RFE: Support change in uid and gid number for the same user.
I think I agree with Shanks. If the UID of a user changes, we should remove the {{{ccacheFile}}} and cachedPassword entries for the user in the sysdb cache.
However, I'm also lowering the priority to minor because this should never occur in a sane deployment (and demanding that the cache be removed in the situation described above is a completely reasonable workaround).
component: SSSD => Kerberos Provider priority: major => minor
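Added example, not SSSD's own code: a Python emulation of the ownership check named in the log above (`check_if_ccache_file_is_used`, which refuses to reuse a FILE ccache not owned by the user's current uid) together with the cache refresh the description and the comment above ask for. The cached entry is constructed from the ldbsearch output in the description, with the old uid 1179400133 taken from the log line; the server-side `uuid` key and all function names are assumptions. The ownership demo uses a temporary file owned by the current user and `os.getuid()+1` standing in for the new uid, since chowning a file to an arbitrary uid needs root.

```python
import os
import stat
import tempfile

# Constructed cache entry: the state before the uid change, built from the
# ldbsearch output in the ticket (old uid 1179400133 taken from the log line).
# The "uuid" key is an assumption standing in for a server-side object id.
CACHED_ENTRY = {
    "name": "shanks",
    "uuid": "constructed-uuid-1",
    "uidNumber": "1179400133",
    "gidNumber": "1179400133",
    "ccacheFile": "FILE:/tmp/krb5cc_1179400133_DmGZ0S",
    "cachedPassword": "$6$tOG.KevFfuGT0uln$...",   # truncated on purpose
}

# Constructed server lookups: same object with a new uid/gid, the unchanged
# object, and a different object that merely reuses the name.
SERVER_NEW_UID = {"uuid": "constructed-uuid-1", "uidNumber": "1866400003", "gidNumber": "1866400003"}
SERVER_SAME = {"uuid": "constructed-uuid-1", "uidNumber": "1179400133", "gidNumber": "1179400133"}
SERVER_NEW_OBJECT = {"uuid": "constructed-uuid-2", "uidNumber": "1866400003", "gidNumber": "1866400003"}


def ccache_file_path(ccname):
    """Return the path of a FILE: credential cache, or None for other types."""
    cctype, sep, residual = ccname.partition(":")
    if not sep:
        return ccname                 # no type prefix: libkrb5 treats it as FILE
    return residual if cctype == "FILE" else None


def check_if_ccache_file_is_used(ccname, uid):
    """Emulate the check named in the ticket's log: an existing FILE ccache may
    only be reused if it is a regular file owned by the user's current uid.
    Returns (reusable, reason)."""
    path = ccache_file_path(ccname)
    if path is None:
        return True, "not a FILE ccache, nothing to check"
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return True, "no existing ccache, a new one will be created"
    if not stat.S_ISREG(st.st_mode):
        return False, "Cache file [%s] is not a regular file" % path
    if st.st_uid != uid:
        return False, ("Cache file [%s] exists, but is owned by [%d] instead of [%d]"
                       % (path, st.st_uid, uid))
    return True, "Cache file [%s] is owned by [%d]" % (path, uid)


def refresh_cached_user(cached, server):
    """Merge a fresh server lookup into the cached entry.

    uuid changed      -> different object with the same name: discard every
                         cached attribute and start from the server data.
    uidNumber changed -> same object, new uid: keep the entry but drop the
                         state tied to the old uid (ccacheFile, cachedPassword).
    otherwise         -> plain update.
    """
    if cached.get("uuid") is not None and cached["uuid"] != server["uuid"]:
        fresh = {"name": cached["name"]}
        fresh.update(server)
        return fresh
    updated = dict(cached)
    if cached.get("uidNumber") != server["uidNumber"]:
        updated.pop("ccacheFile", None)
        updated.pop("cachedPassword", None)
    updated.update(server)
    return updated


def demo_ownership_check():
    """Reproduce the log's failure on a real file: a ccache owned by the
    current user is reusable for os.getuid() but not for another uid
    (os.getuid() + 1 stands in for the new uid 1866400003)."""
    old_uid = os.getuid()
    new_uid = old_uid + 1
    fd, path = tempfile.mkstemp(prefix="krb5cc_%d_" % old_uid)
    os.close(fd)
    try:
        ok_old, _ = check_if_ccache_file_is_used("FILE:" + path, old_uid)
        ok_new, reason = check_if_ccache_file_is_used("FILE:" + path, new_uid)
    finally:
        os.unlink(path)
    return {"old_uid_ok": ok_old, "new_uid_ok": ok_new, "reason": reason}


if __name__ == "__main__":
    print(demo_ownership_check())
    print(refresh_cached_user(CACHED_ENTRY, SERVER_NEW_UID))
    print(refresh_cached_user(CACHED_ENTRY, SERVER_NEW_OBJECT))
```

The refresh keeps the two proposals on this ticket apart: a uid change alone drops only the per-uid state, so the next login creates a fresh ccache for the new uid and falls back to online authentication until a password is re-cached; a uuid change is treated as a new object, so nothing cached under the old identity, the password hash included, survives.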
Related ticket https://bugzilla.redhat.com/show_bug.cgi?id=711416
milestone: NEEDS_TRIAGE => SSSD Deferred
Replying to [comment:4 sbose]:
This BZ is actually related to ticket #888. The support for uid and gid change is now being tracked in https://bugzilla.redhat.com/show_bug.cgi?id=724911
rhbz: => 0
Metadata Update from @gowrishankar: - Issue set to the milestone: SSSD Patches welcome
Thank you for taking time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.
Given that we are unable to fulfill this request I am closing the issue as wontfix.
If the issue still persist on recent SSSD you can request re-consideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.
Thank you for understanding.
Metadata Update from @pbrezina: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/1926
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.