Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Description of problem:
After the memcache expired, a group will be missing in subsequence query
Version-Release number of selected component (if applicable):
sssd-1.16.4-35.el7.x86_64
How reproducible:
Always
Steps to Reproduce:
0. Install ipa-server-trust-ad and execute ipa-adtrust-install
1. Make users/groups as follows.
ipa user-add ad_user --first foo --last bar --gid 11111
ipa group-add ad_group
ipa group-add-member ad_group --users=ad_user
ipa group-add ex_user --external
ipa group-add ex_group --external
ipa group-add-member ex_user --users=ad_user
ipa group-add-member ex_group --external=ad_group --groups=ad_group
ipa group-add group_a
ipa group-add group_b
ipa group-add-member group_a --groups=ex_user --groups=ex_group
ipa group-add-member group_b --groups=ex_user --groups=ex_group
2. Disable the memcache_timeout
This is to make the bug occur faster.
Either:
a. Set "memcache_timeout = 0" in sssd.conf
b. export SSS_NSS_USE_MEMCACHE=NO
3. Clear sssd cache and restart
# systemctl stop sssd ; rm -rf /var/lib/sss/{mc,db}/* ; systemctl start sssd
4. i=0; while : ; do date; strace -o /tmp/id_ad_user.$i id ad_user ; sleep 2 ; : $((i++)); done
Actual results:
One group (group_b) is missing:
[...date..]
uid=180600025(ad_user) gid=11111 groups=11111,180600027(group_a),180600028(group_b),180600026(ad_group)
[..another date..]
uid=180600025(ad_user) gid=11111 groups=11111,180600026(ad_group),180600027(group_a)
Expected results:
All group should be there:
[...date..]
uid=180600025(ad_user) gid=11111 groups=11111,180600027(group_a),180600028(group_b),180600026(ad_group)
[..another date..]
uid=180600025(ad_user) gid=11111 groups=11111,180600027(group_a),180600028(group_b),180600026(ad_group)
Additional info:
1. Setting longer memcache_timeout will mitigate the problem, but that is not desirable because
it does not reflect the user or group modification.
2. A user mentioned that:
The bug can be reproduced between:
RHEL7.3 ~ RHEL7.8 beta
But working fine with
RHEL7.2, RHEL8.2 alpha
Description of problem: After the memcache expired, a group will be missing in subsequence query Version-Release number of selected component (if applicable): sssd-1.16.4-35.el7.x86_64 How reproducible: Always Steps to Reproduce: 0. Install ipa-server-trust-ad and execute ipa-adtrust-install 1. Make users/groups as follows. ipa user-add ad_user --first foo --last bar --gid 11111 ipa group-add ad_group ipa group-add-member ad_group --users=ad_user ipa group-add ex_user --external ipa group-add ex_group --external ipa group-add-member ex_user --users=ad_user ipa group-add-member ex_group --external=ad_group --groups=ad_group ipa group-add group_a ipa group-add group_b ipa group-add-member group_a --groups=ex_user --groups=ex_group ipa group-add-member group_b --groups=ex_user --groups=ex_group 2. Disable the memcache_timeout This is to make the bug occur faster. Either: a. Set "memcache_timeout = 0" in sssd.conf b. export SSS_NSS_USE_MEMCACHE=NO 3. Clear sssd cache and restart # systemctl stop sssd ; rm -rf /var/lib/sss/{mc,db}/* ; systemctl start sssd 4. i=0; while : ; do date; strace -o /tmp/id_ad_user.$i id ad_user ; sleep 2 ; : $((i++)); done Actual results: One group (group_b) is missing: [...date..] uid=180600025(ad_user) gid=11111 groups=11111,180600027(group_a),180600028(group_b),180600026(ad_group) [..another date..] uid=180600025(ad_user) gid=11111 groups=11111,180600026(ad_group),180600027(group_a) Expected results: All group should be there: [...date..] uid=180600025(ad_user) gid=11111 groups=11111,180600027(group_a),180600028(group_b),180600026(ad_group) [..another date..] uid=180600025(ad_user) gid=11111 groups=11111,180600027(group_a),180600028(group_b),180600026(ad_group) Additional info: 1. Setting longer memcache_timeout will mitigate the problem, but that is not desirable because it does not reflect the user or group modification. 2. A user mentioned that: The bug can be reproduced between: RHEL7.3 ~ RHEL7.8 beta But working fine with RHEL7.2, RHEL8.2 alpha