Bug 1371538
| Summary: | when group is invalidated using sss_cache dataExpireTimestamp entry in the domain and timestamps cache are inconsistent | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Niranjan Mallapadi Raghavender <mniranja> |
| Component: | sssd | Assignee: | Petr Čech <pcech> |
| Status: | CLOSED ERRATA | QA Contact: | Niranjan Mallapadi Raghavender <mniranja> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 7.3 | CC: | apeetham, grajaiya, jhrozek, lslebodn, mkosek, mzidek, pbrezina, sgoveas |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | sssd-1.15.2-2.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-08-01 08:58:07 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Niranjan Mallapadi Raghavender
2016-08-30 12:32:09 UTC
Judging by a quick test, I can reproduce

Upstream ticket: https://fedorahosted.org/sssd/ticket/3164

*** Bug 1373293 has been marked as a duplicate of this bug. ***

Petr will take a look out-of-band, but not critical enough to warrant an ack for now.

master: 57a924e71230ea360b19a88e0d5818cf01017161

Versions:

```
sssd-common-pac-1.15.2-29.el7.x86_64
sssd-winbind-idmap-1.15.2-25.el7.x86_64
sssd-client-1.15.2-29.el7.x86_64
sssd-krb5-common-1.15.2-29.el7.x86_64
sssd-krb5-1.15.2-29.el7.x86_64
sssd-dbus-1.15.2-29.el7.x86_64
sssd-kcm-1.15.2-29.el7.x86_64
python-sssdconfig-1.15.2-29.el7.noarch
sssd-common-1.15.2-29.el7.x86_64
sssd-ad-1.15.2-29.el7.x86_64
sssd-proxy-1.15.2-29.el7.x86_64
sssd-1.15.2-29.el7.x86_64
sssd-ipa-1.15.2-29.el7.x86_64
sssd-tools-1.15.2-29.el7.x86_64
sssd-libwbclient-1.15.2-25.el7.x86_64
sssd-ldap-1.15.2-29.el7.x86_64
```

sssd.conf:
======

```
[sssd]
domains = EXAMPLE.TEST
config_file_version = 2
services = nss, pam

[domain/EXAMPLE.TEST]
id_provider = ldap
ldap_uri = ldaps://idm1.example.test
ldap_search_base = dc=example,dc=test
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
auth_provider = ldap
debug_level = 9
cache_credentials = True
ldap_schema = rfc2307
chpass_provider = ldap

[nss]
filter_users = root,dbus,rpcuser,rpc,haldaemon,nobody,postfix,smmsp,nscd,ntp,apache
debug_level = 7
```

1. Add a user idm1 and idm_group1 on LDAP.

2. Query the sss cache and verify both the user and group entries are cached.

```
[root@idm1 ~]# getent passwd -s sss idm1
idm1:*:17583100:19564100:idm1 User:/home/idm1:/bin/bash
[root@idm1 ~]# getent group -s sss idm_group1
idm_group1:*:19564100:idm1
```

3. Run ldbsearch tool and verify the cache entry

```
[root@idm1 ~]# ldbsearch -H /var/lib/sss/db/cache_EXAMPLE.TEST.ldb -b "cn=groups,cn=EXAMPLE.TEST,cn=sysdb"
asq: Unable to register control with rootdse!
# record 1
dn: name=idm_group1,cn=groups,cn=EXAMPLE.TEST,cn=sysdb
createTimestamp: 1495781647
gidNumber: 19564100
name: idm_group1
objectClass: group
isPosix: TRUE
originalDN: cn=idm_group1,ou=Groups,dc=example,dc=test
originalModifyTimestamp: 20170526065335Z
entryUSN: 20170526065335Z
member: name=idm1,cn=users,cn=EXAMPLE.TEST,cn=sysdb
nameAlias: idm_group1
lastUpdate: 1495781647
dataExpireTimestamp: 1495787047
memberuid: idm1
distinguishedName: name=idm_group1,cn=groups,cn=EXAMPLE.TEST,cn=sysdb

[root@idm1 ~]# ldbsearch -H /var/lib/sss/db/cache_EXAMPLE.TEST.ldb -b "cn=users,cn=EXAMPLE.TEST,cn=sysdb"
asq: Unable to register control with rootdse!
# record 1
dn: cn=users,cn=EXAMPLE.TEST,cn=sysdb
cn: Users
distinguishedName: cn=users,cn=EXAMPLE.TEST,cn=sysdb

# record 2
dn: name=idm1,cn=users,cn=EXAMPLE.TEST,cn=sysdb
createTimestamp: 1495781641
fullName: idm1 User
gecos: idm1 User
gidNumber: 19564100
homeDirectory: /home/idm1
loginShell: /bin/bash
name: idm1
objectClass: user
uidNumber: 17583100
originalDN: uid=idm1,ou=People,dc=example,dc=test
originalModifyTimestamp: 20170526065050Z
entryUSN: 20170526065050Z
shadowLastChange: 17312
mail: idm1
nameAlias: idm1
isPosix: TRUE
lastUpdate: 1495781641
dataExpireTimestamp: 1495787041
memberof: name=idm_group1,cn=groups,cn=EXAMPLE.TEST,cn=sysdb
distinguishedName: name=idm1,cn=users,cn=EXAMPLE.TEST,cn=sysdb
```

4. Invalidate the group idm_group1

```
[root@idm1 ~]# sss_cache -U -g idm_group1
```

5. Run ldbsearch against Domain cache and check if dataExpireTimestamp is 1.

```
[root@idm1 ~]# ldbsearch -H /var/lib/sss/db/cache_EXAMPLE.TEST.ldb -b "cn=users,cn=EXAMPLE.TEST,cn=sysdb"
asq: Unable to register control with rootdse!
# record 1
dn: cn=users,cn=EXAMPLE.TEST,cn=sysdb
cn: Users
distinguishedName: cn=users,cn=EXAMPLE.TEST,cn=sysdb

dn: name=idm1,cn=users,cn=EXAMPLE.TEST,cn=sysdb
createTimestamp: 1495781641
fullName: idm1 User
gecos: idm1 User
gidNumber: 19564100
homeDirectory: /home/idm1
loginShell: /bin/bash
name: idm1
objectClass: user
uidNumber: 17583100
originalDN: uid=idm1,ou=People,dc=example,dc=test
originalModifyTimestamp: 20170526065050Z
entryUSN: 20170526065050Z
shadowLastChange: 17312
mail: idm1
nameAlias: idm1
isPosix: TRUE
lastUpdate: 1495781641
memberof: name=idm_group1,cn=groups,cn=EXAMPLE.TEST,cn=sysdb
dataExpireTimestamp: 1
initgrExpireTimestamp: 1
distinguishedName: name=idm1,cn=users,cn=EXAMPLE.TEST,cn=sysdb
```

6. Verify against timestamp cache and check if the dataExpireTimestamp is 1 for users entry

```
[root@idm1 ~]# ldbsearch -H /var/lib/sss/db/timestamps_EXAMPLE.TEST.ldb -b "cn=users,cn=EXAMPLE.TEST,cn=sysdb"
# record 1
dn: cn=users,cn=EXAMPLE.TEST,cn=sysdb
cn: Users
distinguishedName: cn=users,cn=EXAMPLE.TEST,cn=sysdb

# record 2
dn: name=idm1,cn=users,cn=EXAMPLE.TEST,cn=sysdb
lastUpdate: 1495781641
objectClass: user
originalModifyTimestamp: 20170526065050Z
entryUSN: 20170526065050Z
dataExpireTimestamp: 1
initgrExpireTimestamp: 1
distinguishedName: name=idm1,cn=users,cn=EXAMPLE.TEST,cn=sysdb
```

7. Check the same for Group entry in Domain Cache and timestamp cache.

```
[root@idm1 ~]# ldbsearch -H /var/lib/sss/db/cache_EXAMPLE.TEST.ldb -b "cn=groups,cn=EXAMPLE.TEST,cn=sysdb"
asq: Unable to register control with rootdse!
# record 1
dn: name=idm_group1,cn=groups,cn=EXAMPLE.TEST,cn=sysdb
createTimestamp: 1495781647
gidNumber: 19564100
name: idm_group1
objectClass: group
isPosix: TRUE
originalDN: cn=idm_group1,ou=Groups,dc=example,dc=test
originalModifyTimestamp: 20170526065335Z
entryUSN: 20170526065335Z
member: name=idm1,cn=users,cn=EXAMPLE.TEST,cn=sysdb
nameAlias: idm_group1
lastUpdate: 1495781647
memberuid: idm1
dataExpireTimestamp: 1
distinguishedName: name=idm_group1,cn=groups,cn=EXAMPLE.TEST,cn=sysdb

[root@idm1 ~]# ldbsearch -H /var/lib/sss/db/timestamps_EXAMPLE.TEST.ldb -b "cn=groups,cn=EXAMPLE.TEST,cn=sysdb"
# record 1
dn: name=idm_group1,cn=groups,cn=EXAMPLE.TEST,cn=sysdb
lastUpdate: 1495781647
objectClass: group
originalModifyTimestamp: 20170526065335Z
entryUSN: 20170526065335Z
dataExpireTimestamp: 1
distinguishedName: name=idm_group1,cn=groups,cn=EXAMPLE.TEST,cn=sysdb
```

From the above output, dataExpireTimestamp entry in both Domain and timestamp cache is consistent.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294
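As an added example (not part of this bug report and not sssd code), a small parser for ldbsearch output that compares the expiry attributes of each entry between the domain cache and the timestamps cache, so an administrator can spot the inconsistency this bug describes after running sss_cache. The two dumps are constructed from the group record in step 7; the timestamps copy has been given a stale pre-fix value so that a mismatch is detected.

```python
# Added example (not from the bug report or sssd): parse ldbsearch output of
# the sssd domain cache and timestamps cache and report entries whose expiry
# attributes disagree. Dumps below are constructed from the group record in
# step 7; the timestamps copy carries a stale value to show a mismatch.
EXPIRY_ATTRS = ("dataExpireTimestamp", "initgrExpireTimestamp")

DOMAIN_CACHE_DUMP = """\
# record 1
dn: name=idm_group1,cn=groups,cn=EXAMPLE.TEST,cn=sysdb
createTimestamp: 1495781647
gidNumber: 19564100
name: idm_group1
objectClass: group
lastUpdate: 1495781647
memberuid: idm1
dataExpireTimestamp: 1
distinguishedName: name=idm_group1,cn=groups,cn=EXAMPLE.TEST,cn=sysdb
"""

TIMESTAMPS_CACHE_DUMP = """\
# record 1
dn: name=idm_group1,cn=groups,cn=EXAMPLE.TEST,cn=sysdb
lastUpdate: 1495781647
objectClass: group
dataExpireTimestamp: 1495787047
distinguishedName: name=idm_group1,cn=groups,cn=EXAMPLE.TEST,cn=sysdb
"""


def parse_ldb_records(dump):
    """Return {dn: {attr: value}}. A record starts at a 'dn:' line and ends at
    a blank line or '# record N' comment; a missing separator is tolerated."""
    records, current = {}, {}

    def flush():
        if "dn" in current:
            records[current["dn"]] = dict(current)
        current.clear()

    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or (line.startswith("dn:") and current):
            flush()
        if line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            current[attr] = value.strip()
    flush()
    return records


def find_inconsistent(domain_dump, timestamps_dump):
    """List (dn, attr, domain_value, timestamps_value) where the caches disagree;
    after sss_cache invalidation both copies should read 1."""
    domain, stamps = parse_ldb_records(domain_dump), parse_ldb_records(timestamps_dump)
    mismatches = []
    for dn, entry in domain.items():
        if dn not in stamps:  # container objects have no timestamps entry
            continue
        for attr in EXPIRY_ATTRS:
            if attr in entry and entry[attr] != stamps[dn].get(attr):
                mismatches.append((dn, attr, entry[attr], stamps[dn].get(attr)))
    return mismatches
```

On a live host, feed it the output of the two ldbsearch commands from step 7 instead of the embedded dumps.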