Bug 1295883

Summary: refresh_expired_interval stops sss_cache from working
Product: Red Hat Enterprise Linux 6
Reporter: ryaner
Component: sssd
Assignee: Michal Zidek <mzidek>
Status: CLOSED ERRATA
QA Contact: Steeve Goveas <sgoveas>
Severity: medium
Priority: unspecified
Version: 6.7
CC: apeetham, grajaiya, jgalipea, jhrozek, lslebodn, mkosek, mzidek, pbrezina, preichl, sgoveas
Target Milestone: rc
Keywords: Regression
Hardware: x86_64
OS: Linux
Fixed In Version: sssd-1.13.3-12.el6
Doc Type: Bug Fix
Last Closed: 2016-05-10 20:26:04 UTC
Type: Bug

Description ryaner 2016-01-05 17:14:22 UTC
Description of problem:
Enabling 'refresh_expired_interval' in the domain/LDAP section stops calls to sss_cache from expiring data.

Version-Release number of selected component (if applicable):
sssd-1.12.4-47.el6_7.4.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. Setup sssd.conf against an ldap server. 
2. Add 'refresh_expired_interval = 1234' to the [domain/LDAP] section
3. Query a netgroup 
# getent netgroup testgroup
testgroup ( ,user1,) ( ,user2,) ( ,user3,)
4. Modify the group externally to remove user3
5. Call sss_cache to expire the group
# sss_cache -n testgroup
6. Verify netgroup
# getent netgroup testgroup
testgroup ( ,user1,) ( ,user2,) ( ,user3,)

For this step I'm also watching sssd_LDAP.log with debug=9. The following is the output during steps 4/5:

(Tue Jan  5 16:59:38 2016) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x1477920
(Tue Jan  5 16:59:38 2016) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching.
(Tue Jan  5 16:59:38 2016) [sssd[be[LDAP]]] [sbus_message_handler] (0x4000): Received SBUS method [rotateLogs]
(Tue Jan  5 16:59:38 2016) [sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Tue Jan  5 16:59:38 2016) [sssd[be[LDAP]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [rotateLogs]
(Tue Jan  5 16:59:39 2016) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x1477920
(Tue Jan  5 16:59:39 2016) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching.
(Tue Jan  5 16:59:39 2016) [sssd[be[LDAP]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
(Tue Jan  5 16:59:39 2016) [sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Tue Jan  5 16:59:39 2016) [sssd[be[LDAP]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]

Without 'refresh_expired_interval' set you can see it going off to the LDAP server and re-caching results on the getent query, and it returns the results correctly. 

The changelog for 1.12.5 does list some enhancements for 'refresh_expired_interval' so perhaps it is fixed there, but I don't have a Fedora system to test on.

Comment 2 Pavel Březina 2016-01-06 09:36:49 UTC
We disable cache refresh for netgroups in commit f933190722886ff23eab8148b473915908bc8c23 if background refresh is enabled. The patch should disable only the midpoint refresh, but it seems that even the refresh of expired records is disabled this way.

Comment 3 Pavel Březina 2016-01-06 09:40:00 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2912

Comment 4 Jakub Hrozek 2016-01-20 18:40:27 UTC
Michal, Pavel, can either of you provide steps to reproduce this bug?

Comment 5 Michal Zidek 2016-01-21 14:27:24 UTC
Steps to reproduce:

1. Setup SSSD against LDAP or FreeIPA server with the following option in the domain section in sssd.conf:
refresh_expired_interval = 1234

2. Create a test netgroup with some users on the server

3. Query the created test netgroup
# getent netgroup testgroup
testgroup ( ,user1,) ( ,user2,) ( ,user3,)

4. Modify the test netgroup to remove one user

5. Call sss_cache to expire the group
# sss_cache -n testgroup

6. Query server for test netgroup again. Removed user should no longer be shown in the getent output.
# getent netgroup testgroup
testgroup ( ,user1,) ( ,user2,) ( ,user3,)

Comment 8 Lukas Slebodnik 2016-01-21 15:15:12 UTC
master:
* 1b8858b1611db5048592f477059ca5ad66d7ceb1

sssd-1-13:
* 66c6bf86da1241c3253d23aa7e68850d6ec14d15

Comment 10 Amith 2016-03-17 07:29:15 UTC
Verified the bug on SSSD Version: sssd-1.13.3-21.el6.x86_64

Steps followed during verification were taken from Comment #5.
1. Create a netgroup in ldap server.
2. Configure sssd with "refresh_expired_interval = 1234" and query the netgroup.
3. Then, delete a netgroup user, clean the cache and query again to verify the presence of the deleted user.

With the latest build, the bug looks resolved. See the commands below:

# service sssd status
sssd (pid  25553) is running...

# getent netgroup test-net
test-net              ( ,user1,) ( ,user2,) ( ,user3,)

# ldapmodify -xv -h hubcap.lab.eng.pnq.redhat.com -D "cn=Directory Manager" -w Secret123 -f netgroup-member-del.ldif 
ldap_initialize( ldap://hubcap.lab.eng.pnq.redhat.com )
delete nisNetgroupTriple:
	(,user3,)
modifying entry "cn=test-net,ou=Netgroup,dc=example,dc=com "
modify complete

[root@qe-blade-03 sssd]# sss_cache -n test-net

[root@qe-blade-03 sssd]# getent netgroup test-net
test-net              ( ,user1,) ( ,user2,)
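The reproducer in Comment 5 and the verification in Comment 10 can be turned into a repeatable regression check. The script below is an added example written for this page; it is not code from the bug report or from the sssd project. It assumes a RHEL 6 host where sssd is already configured against the LDAP server with `refresh_expired_interval` set in the domain section, that the caller supplies the netgroup name, the user to remove, the netgroup's DN, the LDAP host, the bind DN and a file holding the bind password, and that the netgroup triple to delete has the `(,user,)` form used in the LDIF in Comment 10. The parsing helpers work on the `getent netgroup` output format shown above and can be exercised without a server.

```shell
#!/bin/sh
# Added example for this bug report (not sssd project code).
# Regression check: after removing a user from a netgroup on the server and
# running `sss_cache -n`, the user must disappear from `getent netgroup`.
# A stale answer here matters because netgroups commonly gate access
# (pam_access, sshd AllowGroups via NSS), so a removed user keeps access
# until the cache entry expires on its own.

# Print the user field of every triple in a `getent netgroup` line, one per
# line. Input looks like: "testgroup ( ,user1,) ( ,user2,) ( ,user3,)"
netgroup_users() {
    printf '%s\n' "$1" \
        | sed 's/^[^ ]* *//' \
        | tr ')' '\n' \
        | sed -n 's/^ *( *\([^,]*\),\([^,]*\),.*$/\2/p'
}

# Exit 0 if USER appears in the `getent netgroup` line LINE, 1 otherwise.
netgroup_has_user() {
    netgroup_users "$1" | grep -qx -- "$2"
}

# Run the reproducer from Comment 5 against a live server.
# Arguments: NETGROUP USER GROUP_DN LDAP_HOST BIND_DN BIND_PW_FILE
# Returns 0 when the removed user is gone after sss_cache (fixed),
# 1 when the user is still listed (this bug), 2 on setup errors.
# Must run as root (sss_cache) with ldapmodify installed; the bind
# password is read from a file with -y so it does not show up in `ps`.
check_sss_cache_invalidation() {
    netgroup=$1 user=$2 group_dn=$3 ldap_host=$4 bind_dn=$5 bind_pw_file=$6

    before=$(getent netgroup "$netgroup") || return 2
    if ! netgroup_has_user "$before" "$user"; then
        echo "setup error: $user is not in $netgroup before the test" >&2
        return 2
    fi

    # Same modification as the netgroup-member-del.ldif in Comment 10,
    # generated inline instead of read from a file.
    printf 'dn: %s\nchangetype: modify\ndelete: nisNetgroupTriple\nnisNetgroupTriple: (,%s,)\n' \
        "$group_dn" "$user" \
        | ldapmodify -x -H "ldap://$ldap_host" -D "$bind_dn" -y "$bind_pw_file" || return 2

    # Expire the cached netgroup and re-query; sssd should go back to LDAP.
    sss_cache -n "$netgroup" || return 2
    after=$(getent netgroup "$netgroup")

    if netgroup_has_user "$after" "$user"; then
        echo "BUG: $user is still listed in $netgroup after sss_cache -n" >&2
        return 1
    fi
    echo "OK: $user is no longer listed in $netgroup"
}

# Example invocation (hypothetical values for this page):
# check_sss_cache_invalidation test-net user3 \
#     'cn=test-net,ou=Netgroup,dc=example,dc=com' \
#     ldap.example.com 'cn=Directory Manager' /root/.dm-pass
```

Run it once with `refresh_expired_interval` present in the domain section and once without; on the affected sssd-1.12.4 build only the first run returns 1, which is exactly the regression this bug tracks.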

Comment 12 errata-xmlrpc 2016-05-10 20:26:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0782.html