Bug 1726945
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | negative cache does not use values from 'filter_users' config option for known domains | | |
| Product | Red Hat Enterprise Linux 8 | Reporter | Jakub Hrozek <jhrozek> |
| Component | sssd | Assignee | SSSD Maintainers <sssd-maint> |
| Status | CLOSED ERRATA | QA Contact | ipa-qe <ipa-qe> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 8.1 | CC | amore, grajaiya, jhrozek, ksiddiqu, lslebodn, mzidek, pbrezina, sbose, sgoveas, sorlov, sssd-qe, tscherf |
| Target Milestone | rc | | |
| Target Release | 8.0 | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | sync-to-jira | | |
| Fixed In Version | sssd-2.2.0-6.el8 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | 1724088 | Environment | |
| Last Closed | 2019-11-05 22:34:25 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1724088 | | |
| Bug Blocks | | | |
Comment 1
Jakub Hrozek
2019-07-25 19:50:52 UTC
Jakub, adding the ack.

Failed to verify the fix.

System information:

    # cat /etc/redhat-release
    Red Hat Enterprise Linux release 8.1 Beta (Ootpa)
    # rpm -q sssd-common
    sssd-common-2.2.0-19.el8.x86_64
    # grep -B1 filter_user /etc/sssd/sssd.conf
    [domain/testrelm.test]
    filter_user = testuser
    # grep -B1 debug /etc/sssd/sssd.conf
    [nss]
    debug_level = 9
    # ipa config-show | grep resolution
      Domain resolution order: ad.test
    # ipa trust-find
    ---------------
    1 trust matched
    ---------------
      Realm name: ad.test
      Domain NetBIOS name: AD
      Domain Security Identifier: S-1-5-21-622203625-2864379380-2354941926
      Trust type: Active Directory domain
      UPN suffixes: UPNsuffix.com
    ----------------------------
    Number of entries returned 1
    ----------------------------
    # ipa trustdomain-find ad.test
      Domain name: ad.test
      Domain NetBIOS name: AD
      Domain Security Identifier: S-1-5-21-622203625-2864379380-2354941926
      Domain enabled: True
    ----------------------------
    Number of entries returned 1
    ----------------------------

Test script:

    # restart with empty sssd caches and a fresh nss log
    systemctl stop sssd
    ipactl stop
    rm -rf /var/lib/sss/{db,mc}/*
    rm -f /var/log/sssd/sssd_nss.log
    systemctl start sssd
    ipactl start
    # wait until the trusted AD domain is known to sssd
    while ! sssctl domain-list | grep ad.test; do echo -n .; sleep 1; done
    # a filtered user must not be looked up in the data provider
    grep cache_req_search_dp /var/log/sssd/sssd_nss.log | grep testuser || echo User not requested yet
    id testuser
    grep cache_req_search_dp /var/log/sssd/sssd_nss.log | grep testuser

Script output (executed 3 times with the same result):

    # systemctl stop sssd
    # ipactl stop
    ...
    ipa: INFO: The ipactl command was successful
    # rm -rf /var/lib/sss/{db,mc}/*
    # rm -f /var/log/sssd/sssd_nss.log
    # systemctl start sssd
    # ipactl start
    ...
    ipa: INFO: The ipactl command was successful
    # while ! sssctl domain-list | grep ad.test; do echo -n .; sleep 1; done
    ..........................................ad.test
    # grep cache_req_search_dp /var/log/sssd/sssd_nss.log | grep testuser || echo User not requested yet
    User not requested yet
    # id testuser
    id: ‘testuser’: no such user
    # grep cache_req_search_dp /var/log/sssd/sssd_nss.log | grep testuser
    (Fri Sep 6 16:35:53 2019) [sssd[nss]] [cache_req_search_dp] (0x0400): CR #56: Looking up [testuser] in data provider
    (Fri Sep 6 16:35:53 2019) [sssd[nss]] [cache_req_search_dp] (0x0400): CR #56: Looking up [testuser] in data provider
    (Fri Sep 6 16:35:53 2019) [sssd[nss]] [cache_req_search_dp] (0x0400): CR #56: Looking up [testuser] in data provider
    (Fri Sep 6 16:35:53 2019) [sssd[nss]] [cache_req_search_dp] (0x0400): CR #56: Looking up [testuser] in data provider

I also executed a modified script, with a sleep after sssd finds the AD domain:

    systemctl stop sssd
    ipactl stop
    rm -rf /var/lib/sss/{db,mc}/*
    rm -f /var/log/sssd/sssd_nss.log
    systemctl start sssd
    ipactl start
    while ! sssctl domain-list | grep ad.test; do echo -n .; sleep 1; done
    sleep 10
    grep cache_req_search_dp /var/log/sssd/sssd_nss.log | grep testuser || echo User not requested yet
    id testuser
    grep cache_req_search_dp /var/log/sssd/sssd_nss.log | grep testuser

Output:

    # systemctl stop sssd
    # ipactl stop
    ...
    ipa: INFO: The ipactl command was successful
    # rm -rf /var/lib/sss/{db,mc}/*
    # rm -f /var/log/sssd/sssd_nss.log
    # systemctl start sssd
    # ipactl start
    ...
    ipa: INFO: The ipactl command was successful
    # while ! sssctl domain-list | grep ad.test; do echo -n .; sleep 1; done
    .........................................ad.test
    # sleep 10
    # grep cache_req_search_dp /var/log/sssd/sssd_nss.log | grep testuser || echo User not requested yet
    User not requested yet
    # id testuser
    id: ‘testuser’: no such user
    # grep cache_req_search_dp /var/log/sssd/sssd_nss.log | grep testuser
    (Fri Sep 6 16:40:32 2019) [sssd[nss]] [cache_req_search_dp] (0x0400): CR #54: Looking up [testuser] in data provider
    (Fri Sep 6 16:40:32 2019) [sssd[nss]] [cache_req_search_dp] (0x0400): CR #54: Looking up [testuser] in data provider
    (Fri Sep 6 16:40:32 2019) [sssd[nss]] [cache_req_search_dp] (0x0400): CR #54: Looking up [testuser] in data provider
    (Fri Sep 6 16:40:32 2019) [sssd[nss]] [cache_req_search_dp] (0x0400): CR #54: Looking up [testuser] in data provider

So I suspect two problems here:

1. filter_user is not working
2. sssd fails to fetch the user immediately after it finds the trusted domain

Hi, can you please try again, the option is called 'filter_users' and it is an option for the [nss] section, please see man sssd.conf for details.

bye,
Sumit

Reading the man page:

1. Option name is filter_users, not filter_user, my bad
2. Option can be in nss and in domain sections. Using the first option.

Also I contacted Anuja, she said that the original bug was about a fully-qualified UPN in filter_users.

The fix is verified now.

    # cat /etc/redhat-release
    Red Hat Enterprise Linux release 8.1 Beta (Ootpa)
    # rpm -q sssd-common
    sssd-common-2.2.0-19.el8.x86_64
    # grep -B4 filter_user /etc/sssd/sssd.conf
    [nss]
    debug_level = 9
    homedir_substring = /home
    memcache_timeout = 600
    filter_users = testuser
    # ipa config-show | grep resolution
      Domain resolution order: ad.test:testrelm.test

Verification script:

    systemctl stop sssd
    ipactl stop
    rm -rf /var/lib/sss/{db,mc}/*
    rm -f /var/log/sssd/sssd_nss.log
    systemctl start sssd
    ipactl start
    while ! sssctl domain-list | grep ad.test; do echo -n .; sleep 1; done
    grep cache_req_search_dp /var/log/sssd/sssd_nss.log | grep testuser || echo User not requested yet
    id testuser
    grep cache_req_search_dp /var/log/sssd/sssd_nss.log | grep testuser || echo User not requested

Output:

    # systemctl stop sssd
    # ipactl stop
    ...
    ipa: INFO: The ipactl command was successful
    # rm -rf /var/lib/sss/{db,mc}/*
    # rm -f /var/log/sssd/sssd_nss.log
    # systemctl start sssd
    # ipactl start
    ...
    ipa: INFO: The ipactl command was successful
    # while ! sssctl domain-list | grep ad.test; do echo -n .; sleep 1; done
    .....................................................................ad.test
    # grep cache_req_search_dp /var/log/sssd/sssd_nss.log | grep testuser || echo User not requested yet
    User not requested yet
    # id testuser
    id: ‘testuser’: no such user
    # grep cache_req_search_dp /var/log/sssd/sssd_nss.log | grep testuser || echo User not requested
    User not requested

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3651
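The verification above hinges on two things that are easy to get wrong by hand: whether the option in sssd.conf is really `filter_users` (and in which section), and whether `sssd_nss.log` shows the filtered user reaching the data provider at all. The following is an added example for this bug report, not sssd's own code and not the QE script above. It models `filter_users` in a deliberately simplified way, which is an assumption rather than a statement about sssd internals: an entry without `@domain` matches that short name in every domain, an entry written as `user@domain` matches only that domain, and an unqualified entry inside a `[domain/X]` section is scoped to X. The config texts, the `svc-backup@ad.test` entry and the log lines are constructed sample data in the formats shown in the comment; the function names are mine.

```python
"""Offline check for a filter_users verification like the one above.

Added example for this bug report, not sssd's own code. It reads the
filter_users entries from an sssd.conf text, flags the 'filter_user'
misspelling that derailed the first verification attempt, and counts how
often a user was sent to the data provider according to sssd_nss.log.
The matching model is a simplification (an assumption): an entry without
'@domain' matches that short name in every domain, an entry written as
'user@domain' matches only that domain, and an unqualified entry inside a
[domain/X] section is scoped to X.
"""
import configparser
import re

# Constructed: the misconfiguration from the failed verification attempt.
SAMPLE_CONF_WRONG = """\
[nss]
debug_level = 9

[domain/testrelm.test]
filter_user = testuser
"""

# Constructed: filter_users in [nss], one short name and one qualified name.
SAMPLE_CONF_RIGHT = """\
[nss]
debug_level = 9
filter_users = testuser, svc-backup@ad.test

[domain/testrelm.test]
id_provider = ipa
"""

# Constructed lines in the format sssd_nss.log shows at debug_level 9.
SAMPLE_LOG = """\
(Fri Sep  6 16:35:53 2019) [sssd[nss]] [cache_req_search_dp] (0x0400): CR #56: Looking up [testuser] in data provider
(Fri Sep  6 16:35:53 2019) [sssd[nss]] [cache_req_search_dp] (0x0400): CR #56: Looking up [testuser] in data provider
(Fri Sep  6 16:35:54 2019) [sssd[nss]] [cache_req_search_dp] (0x0400): CR #57: Looking up [alice] in data provider
"""

DP_LOOKUP = re.compile(
    r"\[cache_req_search_dp\].*Looking up \[([^\]]+)\] in data provider")


def load_filter_users(conf_text):
    """Return (entries, warnings).

    entries is a list of (name, domain-or-None) tuples collected from the
    [nss] section and every [domain/...] section; warnings lists sections
    that carry the non-existent option 'filter_user'.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    entries, warnings = [], []
    for section in cp.sections():
        if section != "nss" and not section.startswith("domain/"):
            continue
        if cp.has_option(section, "filter_user"):
            warnings.append(f"[{section}]: 'filter_user' is not an sssd "
                            "option, did you mean 'filter_users'?")
        raw = cp.get(section, "filter_users", fallback="")
        for item in (x.strip() for x in raw.split(",")):
            if not item:
                continue
            name, _, domain = item.partition("@")
            if not domain and section.startswith("domain/"):
                domain = section[len("domain/"):]   # scoped to this domain
            entries.append((name, domain or None))
    return entries, warnings


def is_filtered(user, domain, entries):
    """True if filter_users covers `user` when resolved in `domain`."""
    return any(name == user and dom in (None, domain) for name, dom in entries)


def dp_lookups(log_text, user):
    """Count cache_req_search_dp lookups of `user` that reached the provider."""
    count = 0
    for line in log_text.splitlines():
        m = DP_LOOKUP.search(line)
        if m and m.group(1) == user:
            count += 1
    return count


def verify(conf_text, log_text, user, domain):
    """A filtered user must never reach the data provider; report both facts.

    ok is False when the option is misspelled or when a filtered user still
    shows up in the data-provider lookups.
    """
    entries, warnings = load_filter_users(conf_text)
    filtered = is_filtered(user, domain, entries)
    hits = dp_lookups(log_text, user)
    return {"filtered": filtered, "dp_lookups": hits, "warnings": warnings,
            "ok": not warnings and not (filtered and hits > 0)}


if __name__ == "__main__":
    for label, conf in (("misspelled", SAMPLE_CONF_WRONG),
                        ("correct", SAMPLE_CONF_RIGHT)):
        print(label, verify(conf, SAMPLE_LOG, "testuser", "ad.test"))
```

Run as-is it reports the misspelled config as not ok (warning, nothing filtered) and the correct config as not ok too, because the constructed log still shows `testuser` being looked up in the data provider, which is exactly the pre-fix symptom in the first attempt above. To use it against a real host, replace the constructed samples with the contents of `/etc/sssd/sssd.conf` and `/var/log/sssd/sssd_nss.log` captured after `id testuser`; it says nothing about the negative cache itself, only about what the log shows.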