Bug 1361597
Summary: | Groups with just one member are not properly managed by sssd | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Thorsten Scherf <tscherf> |
Component: | sssd | Assignee: | Petr Čech <pcech> |
Status: | CLOSED ERRATA | QA Contact: | shridhar <sgadekar> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 7.2 | CC: | grajaiya, jhrozek, lslebodn, mkosek, mzidek, pbrezina, pcech, pjagrut, sssd-qe, tscherf |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | sssd-1.15.0-2.el7 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2017-08-01 08:58:07 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Thorsten Scherf
2016-07-29 13:17:51 UTC
Sorry for the missing description, hit enter to fast. Here we go with the details. When there is only a single member in a group and this member is being removed, sssd only removes it from the cache after "id <username>" has been executed. With one than one member in a group, the issue seems to go away. This has been tested with the following releases: sssd-1.13.90-0.20160506.1712.git04e4bdf.fc23.x86_64 sssd-1.13.3-22.el6.x86_64 ######################## enumerate = false entry_cache_timeout = 30 ######################## # sss_cache -u enumtest # sss_cache -g enumgr2 # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2.test Fri Jul 29 14:42:09 CEST 2016 enumgr2.test:*:300403124: ### ### Adding a user ### # adcli add-member --login-ccache='KEYRING:persistent:0:krb_ccache_w0VyosL' --domain=win.trust.test enumgr2 enumtest # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2.test Fri Jul 29 14:42:36 CEST 2016 enumgr2.test:*:300403124: # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2.test Fri Jul 29 14:42:59 CEST 2016 enumgr2.test:*:300403124:enumtest.test ### ### Removing a user ### # adcli remove-member --login-ccache='KEYRING:persistent:0:krb_ccache_w0VyosL' --domain=win.trust.test enumgr2 enumtest # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2.test Fri Jul 29 14:43:21 CEST 2016 enumgr2.test:*:300403124:enumtest.test # ldbsearch -H /var/lib/sss/db/cache_win.trust.test.ldb gidNumber=300403124 dataExpireTimestamp: 1469796251 # date -d @1469796251 Fri Jul 29 14:44:11 CEST 2016 ### The user is still listed as a member of the group # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2.test Fri Jul 29 14:44:28 CEST 2016 enumgr2.test:*:300403124:enumtest.test # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2.test Fri Jul 29 14:46:28 CEST 2016 enumgr2.test:*:300403124:enumtest.test ### After running "id <user>", the group membership is updated # id enumtest.test uid=300403121(enumtest.test) gid=300400513(domain users.test) groups=300400513(domain users.test),300403120(supergroup.test) # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2.test Fri Jul 29 14:46:49 CEST 2016 enumgr2.test:*:300403124: ### ### The issue can't be reproduced when more than one user is a member of the group ### # adcli add-member --login-ccache='KEYRING:persistent:0:krb_ccache_w0VyosL' --domain=win.trust.test enumgr2 enumtest # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2.test Fri Jul 29 15:10:40 CEST 2016 enumgr2.test:*:300403124:enumtest2.test,enumtest.test ### With two members in the group, the group membership is updated within the cache expiration time # adcli remove-member --login-ccache='KEYRING:persistent:0:krb_ccache_w0VyosL' --domain=win.trust.test enumgr2 enumtest # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2.test Fri Jul 29 15:11:00 CEST 2016 enumgr2.test:*:300403124:enumtest2.test,enumtest.test # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2.test Fri Jul 29 15:11:12 CEST 2016 enumgr2.test:*:300403124:enumtest2.test ### With just one group member left, the issue pops up again # adcli remove-member --login-ccache='KEYRING:persistent:0:krb_ccache_w0VyosL' --domain=win.trust.test enumgr2 enumtest2 # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2.test Fri Jul 29 15:12:02 CEST 2016 enumgr2.test:*:300403124:enumtest2.test # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2.test Fri Jul 29 15:12:36 CEST 2016 enumgr2.test:*:300403124:enumtest2.test # adcli add-member --login-ccache='KEYRING:persistent:0:krb_ccache_w0VyosL' --domain=win.trust.test enumgr2 enumtest ### Adding a new group member makes sssd to update the group membership # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2.test Fri Jul 29 15:12:59 CEST 2016 enumgr2.test:*:300403124:enumtest.test This might be related to this upstream bug: https://fedorahosted.org/sssd/ticket/2940 Upstream ticket: https://fedorahosted.org/sssd/ticket/2940 verified with -r7-permanent ~]# rpm -q sssd sssd-1.15.2-33.el7.x86_64 [root@shr-r7-permanent ~]# adcli create-group gr2 --domain=sssd16.qe --login-ccache='KEYRING:persistent:0:0' [root@shr-r7-permanent ~]# adcli create-user adu1 --domain=sssd16.qe --login-ccache='KEYRING:persistent:0:0' [root@shr-r7-permanent ~]# date; SSS_NSS_USE_MEMCACHE=NO getent group gr2 Fri May 26 02:32:47 EDT 2017 gr2:*:616401130: [root@shr-r7-permanent ~]# adcli add-member gr2 adu1 --domain=sssd16.qe --login-ccache='KEYRING:persistent:0:0' [root@shr-r7-permanent ~]# sleep 30 [root@shr-r7-permanent ~]# date; SSS_NSS_USE_MEMCACHE=NO getent group gr2 Fri May 26 02:33:44 EDT 2017 gr2:*:616401130:adu1 [root@shr-r7-permanent ~]# adcli remove-member gr2 adu1 --domain=sssd16.qe --login-ccache='KEYRING:persistent:0:0' [root@shr-r7-permanent ~]# sleep 30 [root@shr-r7-permanent ~]# date; SSS_NSS_USE_MEMCACHE=NO getent group gr2 Fri May 26 02:35:33 EDT 2017 gr2:*:616401130: Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:2294 |