Bug 1371538

Summary: when group is invalidated using sss_cache dataExpireTimestamp entry in the domain and timestamps cache are inconsistent
Product: Red Hat Enterprise Linux 7
Reporter: Niranjan Mallapadi Raghavender <mniranja>
Component: sssd
Assignee: Petr Čech <pcech>
Status: CLOSED ERRATA
QA Contact: Niranjan Mallapadi Raghavender <mniranja>
Severity: low
Docs Contact:
Priority: low
Version: 7.3
CC: apeetham, grajaiya, jhrozek, lslebodn, mkosek, mzidek, pbrezina, sgoveas
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: sssd-1.15.2-2.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 08:58:07 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Niranjan Mallapadi Raghavender 2016-08-30 12:32:09 UTC
Description of problem:

When a group or users are invalidated from the sss cache, the group/user information in the domain cache (cache_LDAP.ldb) and the timestamps cache is inconsistent with regard to the dataExpireTimestamp attribute.

Version-Release number of selected component (if applicable):

sssd-client-1.14.0-30.el7.x86_64
sssd-dbus-1.14.0-30.el7.x86_64
python-sssdconfig-1.14.0-30.el7.noarch
sssd-ipa-1.14.0-30.el7.x86_64
sssd-tools-1.14.0-30.el7.x86_64
sssd-krb5-common-1.14.0-30.el7.x86_64
sssd-krb5-1.14.0-30.el7.x86_64
python-sss-1.14.0-30.el7.x86_64
libsss_autofs-1.14.0-30.el7.x86_64
libsss_nss_idmap-1.14.0-30.el7.x86_64
sssd-common-pac-1.14.0-30.el7.x86_64
sssd-ldap-1.14.0-30.el7.x86_64
sssd-proxy-1.14.0-30.el7.x86_64
sssd-debuginfo-1.14.0-30.el7.x86_64
libsss_idmap-1.14.0-30.el7.x86_64
sssd-ad-1.14.0-30.el7.x86_64
sssd-1.14.0-30.el7.x86_64
sssd-testlib-0.1-1.el7.noarch
sssd-common-1.14.0-30.el7.x86_64
libsss_simpleifp-1.14.0-30.el7.x86_64

Steps to Reproduce:
1. Configure an LDAP server with users and groups, for example users idm1 to idm8, and create groups idm_group1 to idm_group2 (having POSIX attributes).
2. Make user idm1 a member of idm_group1.
3. Configure a RHEL 7.3 client to authenticate to the LDAP server:
[root@client1 db]# cat /etc/sssd/sssd.conf
[domain/LDAP]
cache_credentials = TRUE
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
chpass_provider = ldap
ldap_uri = ldaps://client2.example.test
ldap_tls_cacertdir = /etc/openldap/cacerts
debug_level = 0x0080

[sssd]
services = nss,pam
sbus_timeout = 30
config_file_version = 2
domains = LDAP
debug_level = 9

[nss]
filter_users = root,dbus,rpcuser,rpc,haldaemon,nobody,postfix,smmsp,nscd,ntp,apache
debug_level = 7

4. Restart the cache.

5. Query the idm1 user and save it in the cache:
# getent passwd -s sss idm1
idm1:*:17583100:10001:IDM1 User:/home/idm1:/bin/bash
[root@client1 db]# getent passwd -s sss idm2
idm2:*:17583101:10002:IDM2 User:/home/idm2:/bin/bash
[root@client1 db]# getent group -s sss idm_group1
idm_group1:*:10001:idm1

6. Enumerate groups in the domain cache using the ldb tools:

[root@client1 db]# ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb -b cn=groups,cn=LDAP,cn=sysdb
asq: Unable to register control with rootdse!
# record 1
dn: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb
createTimestamp: 1472559388
gidNumber: 10001
name: idm_group1@ldap
objectClass: group
isPosix: TRUE
originalDN: cn=idm_group1,ou=Groups,dc=example,dc=test
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
member: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
nameAlias: idm_group1@ldap
lastUpdate: 1472559388
dataExpireTimestamp: 1472564788
memberuid: idm1@ldap
distinguishedName: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb

7. Enumerate users in the domain cache using the ldb tools:

[root@client1 db]# ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb -b cn=users,cn=LDAP,cn=sysdb
asq: Unable to register control with rootdse!
# record 1
dn: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
createTimestamp: 1472559388
fullName: IDM1 User
gecos: IDM1 User
gidNumber: 10001
homeDirectory: /home/idm1
loginShell: /bin/bash
name: idm1@ldap
objectClass: user
uidNumber: 17583100
originalDN: uid=idm1,ou=People,dc=example,dc=test
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
mail: idm1
nameAlias: idm1@ldap
lastUpdate: 1472559388
dataExpireTimestamp: 1472564788
memberof: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb
initgrExpireTimestamp: 1472564788
distinguishedName: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb

# record 2
dn: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb
createTimestamp: 1472559398
fullName: IDM2 User
gecos: IDM2 User
gidNumber: 10002
homeDirectory: /home/idm2
loginShell: /bin/bash
name: idm2@ldap
objectClass: user
uidNumber: 17583101
originalDN: uid=idm2,ou=People,dc=example,dc=test
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
mail: idm2
nameAlias: idm2@ldap
lastUpdate: 1472559398
dataExpireTimestamp: 1472564798
distinguishedName: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb

# record 3
dn: cn=users,cn=LDAP,cn=sysdb
cn: Users
distinguishedName: cn=users,cn=LDAP,cn=sysdb


8. Invalidate all users and the group idm_group1:

[root@client1 db]# sss_cache -U -g idm_group1

9. Check the domain cache:

ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb -b cn=users,cn=LDAP,cn=sysdb
asq: Unable to register control with rootdse!
# record 1
dn: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
createTimestamp: 1472559388
fullName: IDM1 User
gecos: IDM1 User
gidNumber: 10001
homeDirectory: /home/idm1
loginShell: /bin/bash
name: idm1@ldap
objectClass: user
uidNumber: 17583100
originalDN: uid=idm1,ou=People,dc=example,dc=test
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
mail: idm1
nameAlias: idm1@ldap
lastUpdate: 1472559388
dataExpireTimestamp: 1472564788
memberof: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb
initgrExpireTimestamp: 1472564788
distinguishedName: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb

# record 2
dn: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb
createTimestamp: 1472559398
fullName: IDM2 User
gecos: IDM2 User
gidNumber: 10002
homeDirectory: /home/idm2
loginShell: /bin/bash
name: idm2@ldap
objectClass: user
uidNumber: 17583101
originalDN: uid=idm2,ou=People,dc=example,dc=test
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
mail: idm2
nameAlias: idm2@ldap
lastUpdate: 1472559398
dataExpireTimestamp: 1
initgrExpireTimestamp: 1
distinguishedName: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb

# record 3
dn: cn=users,cn=LDAP,cn=sysdb
cn: Users
distinguishedName: cn=users,cn=LDAP,cn=sysdb

10. Check the timestamps cache:

[root@client1 db]# ldbsearch -H /var/lib/sss/db/timestamps_LDAP.ldb -b cn=users,cn=LDAP,cn=sysdb
# record 1
dn: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
lastUpdate: 1472559388
objectClass: user
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
dataExpireTimestamp: 1
initgrExpireTimestamp: 1
distinguishedName: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb

# record 2
dn: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb
lastUpdate: 1472559398
objectClass: user
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
dataExpireTimestamp: 1
initgrExpireTimestamp: 1
distinguishedName: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb

# record 3
dn: cn=users,cn=LDAP,cn=sysdb
cn: Users
distinguishedName: cn=users,cn=LDAP,cn=sysdb

11. Enumerate the domain cache for groups:

[root@client1 db]# ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb -b cn=groups,cn=LDAP,cn=sysdb
asq: Unable to register control with rootdse!
# record 1
dn: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb
createTimestamp: 1472559388
gidNumber: 10001
name: idm_group1@ldap
objectClass: group
isPosix: TRUE
originalDN: cn=idm_group1,ou=Groups,dc=example,dc=test
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
member: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
nameAlias: idm_group1@ldap
lastUpdate: 1472559388
dataExpireTimestamp: 1472564788
memberuid: idm1@ldap
distinguishedName: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb

# record 2
dn: cn=groups,cn=LDAP,cn=sysdb
cn: Groups
distinguishedName: cn=groups,cn=LDAP,cn=sysdb

12. Enumerate the timestamps_LDAP.ldb cache to verify whether the group information is invalidated:

[root@client1 db]# ldbsearch -H /var/lib/sss/db/timestamps_LDAP.ldb -b cn=groups,cn=LDAP,cn=sysdb
# record 1
dn: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb
lastUpdate: 1472559388
objectClass: group
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
dataExpireTimestamp: 1
distinguishedName: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb

# record 2
dn: cn=groups,cn=LDAP,cn=sysdb
cn: Groups
distinguishedName: cn=groups,cn=LDAP,cn=sysdb

Actual results:

The dataExpireTimestamp in timestamps_LDAP.ldb shows 1 when invalidated, but dataExpireTimestamp in cache_LDAP.ldb still shows dataExpireTimestamp: 1472564788.

Expected results:

dataExpireTimestamp should be the same in both caches.

Additional info:
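As an added check for the inconsistency shown in steps 9 to 12 (and re-verified in comment 8), not part of this bug report or of SSSD itself: a Python script that parses the records ldbsearch prints for the domain cache and the timestamps cache and reports entries whose dataExpireTimestamp or initgrExpireTimestamp differ between the two (the value 1 marks an entry as expired). The sample records are constructed and abbreviated from the output above; in practice you would feed it the output of the two ldbsearch commands.

```python
EXPIRY_ATTRS = ("dataExpireTimestamp", "initgrExpireTimestamp")

def parse_ldb_records(text):
    """Map dn -> {attr: value}; skips '# record N' comments and the 'asq:' warning before the first dn."""
    records = {}
    for chunk in text.strip().split("\n\n"):      # ldbsearch separates records with a blank line
        entry = {}
        for line in chunk.splitlines():
            key, sep, value = line.strip().partition(":")
            if line.startswith("#") or not sep or ("dn" not in entry and key != "dn"):
                continue
            entry[key.strip()] = value.strip()
        if "dn" in entry:
            records[entry["dn"]] = entry
    return records

def find_expiry_mismatches(domain_ldif, ts_ldif):
    """Return {dn: {attr: (domain_value, timestamps_value)}} for entries in both caches that disagree."""
    domain, ts = parse_ldb_records(domain_ldif), parse_ldb_records(ts_ldif)
    mismatches = {}
    for dn, ts_entry in ts.items():
        for attr in EXPIRY_ATTRS:
            if dn in domain and attr in ts_entry and domain[dn].get(attr) != ts_entry[attr]:
                mismatches.setdefault(dn, {})[attr] = (domain[dn].get(attr), ts_entry[attr])
    return mismatches

# Constructed sample, abbreviated from the step 9 and 10 output in this report: after
# `sss_cache -U -g idm_group1`, idm1 still looks fresh in cache_LDAP.ldb but is expired
# (value 1) in timestamps_LDAP.ldb, while idm2 is expired in both.
DOMAIN_CACHE = """\
asq: Unable to register control with rootdse!
# record 1
dn: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
dataExpireTimestamp: 1472564788
initgrExpireTimestamp: 1472564788

# record 2
dn: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb
dataExpireTimestamp: 1
"""
TIMESTAMPS_CACHE = """\
# record 1
dn: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
dataExpireTimestamp: 1
initgrExpireTimestamp: 1

# record 2
dn: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb
dataExpireTimestamp: 1
"""
```

Running find_expiry_mismatches(DOMAIN_CACHE, TIMESTAMPS_CACHE) flags only idm1, with both expiry attributes reading 1472564788 in the domain cache and 1 in the timestamps cache; a fixed build (comment 8) yields an empty result.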

Comment 2 Jakub Hrozek 2016-08-31 15:28:33 UTC
Judging by a quick test, I can reproduce

Comment 3 Jakub Hrozek 2016-08-31 15:29:36 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/3164

Comment 4 Jakub Hrozek 2016-09-06 07:04:32 UTC
*** Bug 1373293 has been marked as a duplicate of this bug. ***

Comment 5 Jakub Hrozek 2016-11-28 10:33:40 UTC
Petr will take a look out-of-band, but not critical enough to warrant an ack for now.

Comment 6 Jakub Hrozek 2017-03-23 08:05:13 UTC
master: 57a924e71230ea360b19a88e0d5818cf01017161

Comment 8 Niranjan Mallapadi Raghavender 2017-05-26 07:05:14 UTC
Versions:
sssd-common-pac-1.15.2-29.el7.x86_64
sssd-winbind-idmap-1.15.2-25.el7.x86_64
sssd-client-1.15.2-29.el7.x86_64
sssd-krb5-common-1.15.2-29.el7.x86_64
sssd-krb5-1.15.2-29.el7.x86_64
sssd-dbus-1.15.2-29.el7.x86_64
sssd-kcm-1.15.2-29.el7.x86_64
python-sssdconfig-1.15.2-29.el7.noarch
sssd-common-1.15.2-29.el7.x86_64
sssd-ad-1.15.2-29.el7.x86_64
sssd-proxy-1.15.2-29.el7.x86_64
sssd-1.15.2-29.el7.x86_64
sssd-ipa-1.15.2-29.el7.x86_64
sssd-tools-1.15.2-29.el7.x86_64
sssd-libwbclient-1.15.2-25.el7.x86_64
sssd-ldap-1.15.2-29.el7.x86_64

sssd.conf:
======

[sssd]
domains = EXAMPLE.TEST
config_file_version = 2
services = nss, pam

[domain/EXAMPLE.TEST]
id_provider = ldap
ldap_uri = ldaps://idm1.example.test
ldap_search_base = dc=example,dc=test
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
auth_provider = ldap
debug_level = 9
cache_credentials = True
ldap_schema = rfc2307
chpass_provider = ldap

[nss]
filter_users = root,dbus,rpcuser,rpc,haldaemon,nobody,postfix,smmsp,nscd,ntp,apache
debug_level = 7

1. Add a user idm1 and a group idm_group1 on LDAP.

2. Query the sss cache and verify that both the user and group entries are cached:

[root@idm1 ~]# getent passwd -s sss idm1
idm1:*:17583100:19564100:idm1 User:/home/idm1:/bin/bash
[root@idm1 ~]# getent group -s sss idm_group1
idm_group1:*:19564100:idm1

3. Run the ldbsearch tool and verify the cache entries:

[root@idm1 ~]# ldbsearch -H /var/lib/sss/db/cache_EXAMPLE.TEST.ldb -b "cn=groups,cn=EXAMPLE.TEST,cn=sysdb"
asq: Unable to register control with rootdse!
# record 1
dn: name=idm_group1,cn=groups,cn=EXAMPLE.TEST,cn=sysdb
createTimestamp: 1495781647
gidNumber: 19564100
name: idm_group1
objectClass: group
isPosix: TRUE
originalDN: cn=idm_group1,ou=Groups,dc=example,dc=test
originalModifyTimestamp: 20170526065335Z
entryUSN: 20170526065335Z
member: name=idm1,cn=users,cn=EXAMPLE.TEST,cn=sysdb
nameAlias: idm_group1
lastUpdate: 1495781647
dataExpireTimestamp: 1495787047
memberuid: idm1
distinguishedName: name=idm_group1,cn=groups,cn=EXAMPLE.TEST,cn=sysdb


[root@idm1 ~]# ldbsearch -H /var/lib/sss/db/cache_EXAMPLE.TEST.ldb -b "cn=users,cn=EXAMPLE.TEST,cn=sysdb"
asq: Unable to register control with rootdse!
# record 1
dn: cn=users,cn=EXAMPLE.TEST,cn=sysdb
cn: Users
distinguishedName: cn=users,cn=EXAMPLE.TEST,cn=sysdb

# record 2
dn: name=idm1,cn=users,cn=EXAMPLE.TEST,cn=sysdb
createTimestamp: 1495781641
fullName: idm1 User
gecos: idm1 User
gidNumber: 19564100
homeDirectory: /home/idm1
loginShell: /bin/bash
name: idm1
objectClass: user
uidNumber: 17583100
originalDN: uid=idm1,ou=People,dc=example,dc=test
originalModifyTimestamp: 20170526065050Z
entryUSN: 20170526065050Z
shadowLastChange: 17312
mail: idm1
nameAlias: idm1
isPosix: TRUE
lastUpdate: 1495781641
dataExpireTimestamp: 1495787041
memberof: name=idm_group1,cn=groups,cn=EXAMPLE.TEST,cn=sysdb
distinguishedName: name=idm1,cn=users,cn=EXAMPLE.TEST,cn=sysdb

4. Invalidate the group idm_group1:

[root@idm1 ~]# sss_cache -U -g idm_group1

5. Run ldbsearch against the domain cache and check whether dataExpireTimestamp is 1:

[root@idm1 ~]# ldbsearch -H /var/lib/sss/db/cache_EXAMPLE.TEST.ldb -b "cn=users,cn=EXAMPLE.TEST,cn=sysdb"
asq: Unable to register control with rootdse!
# record 1
dn: cn=users,cn=EXAMPLE.TEST,cn=sysdb
cn: Users
distinguishedName: cn=users,cn=EXAMPLE.TEST,cn=sysdb

dn: name=idm1,cn=users,cn=EXAMPLE.TEST,cn=sysdb
createTimestamp: 1495781641
fullName: idm1 User
gecos: idm1 User
gidNumber: 19564100
homeDirectory: /home/idm1
loginShell: /bin/bash
name: idm1
objectClass: user
uidNumber: 17583100
originalDN: uid=idm1,ou=People,dc=example,dc=test
originalModifyTimestamp: 20170526065050Z
entryUSN: 20170526065050Z
shadowLastChange: 17312
mail: idm1
nameAlias: idm1
isPosix: TRUE
lastUpdate: 1495781641
memberof: name=idm_group1,cn=groups,cn=EXAMPLE.TEST,cn=sysdb
dataExpireTimestamp: 1
initgrExpireTimestamp: 1
distinguishedName: name=idm1,cn=users,cn=EXAMPLE.TEST,cn=sysdb

6. Verify against the timestamps cache and check whether dataExpireTimestamp is 1 for the user entry:

[root@idm1 ~]# ldbsearch -H /var/lib/sss/db/timestamps_EXAMPLE.TEST.ldb -b "cn=users,cn=EXAMPLE.TEST,cn=sysdb"
# record 1
dn: cn=users,cn=EXAMPLE.TEST,cn=sysdb
cn: Users
distinguishedName: cn=users,cn=EXAMPLE.TEST,cn=sysdb

# record 2
dn: name=idm1,cn=users,cn=EXAMPLE.TEST,cn=sysdb
lastUpdate: 1495781641
objectClass: user
originalModifyTimestamp: 20170526065050Z
entryUSN: 20170526065050Z
dataExpireTimestamp: 1
initgrExpireTimestamp: 1
distinguishedName: name=idm1,cn=users,cn=EXAMPLE.TEST,cn=sysdb

7. Check the same for the group entry in the domain cache and the timestamps cache:

[root@idm1 ~]# ldbsearch -H /var/lib/sss/db/cache_EXAMPLE.TEST.ldb -b "cn=groups,cn=EXAMPLE.TEST,cn=sysdb"
asq: Unable to register control with rootdse!
# record 1
dn: name=idm_group1,cn=groups,cn=EXAMPLE.TEST,cn=sysdb
createTimestamp: 1495781647
gidNumber: 19564100
name: idm_group1
objectClass: group
isPosix: TRUE
originalDN: cn=idm_group1,ou=Groups,dc=example,dc=test
originalModifyTimestamp: 20170526065335Z
entryUSN: 20170526065335Z
member: name=idm1,cn=users,cn=EXAMPLE.TEST,cn=sysdb
nameAlias: idm_group1
lastUpdate: 1495781647
memberuid: idm1
dataExpireTimestamp: 1
distinguishedName: name=idm_group1,cn=groups,cn=EXAMPLE.TEST,cn=sysdb

[root@idm1 ~]# ldbsearch -H /var/lib/sss/db/timestamps_EXAMPLE.TEST.ldb -b "cn=groups,cn=EXAMPLE.TEST,cn=sysdb"
# record 1
dn: name=idm_group1,cn=groups,cn=EXAMPLE.TEST,cn=sysdb
lastUpdate: 1495781647
objectClass: group
originalModifyTimestamp: 20170526065335Z
entryUSN: 20170526065335Z
dataExpireTimestamp: 1
distinguishedName: name=idm_group1,cn=groups,cn=EXAMPLE.TEST,cn=sysdb

From the above output, the dataExpireTimestamp entry in both the domain and the timestamps cache is consistent.

Comment 9 errata-xmlrpc 2017-08-01 08:58:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294