Bug 649285

Summary: SSSD will sometimes lose groups from the cache
Product: Red Hat Enterprise Linux 5 Reporter: Stephen Gallagher <sgallagh>
Component: sssdAssignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA QA Contact: Chandrasekar Kannan <ckannan>
Severity: high Docs Contact:
Priority: high    
Version: 5.6CC: benl, dpal, jgalipea
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.2.1-26.el5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 649286 (view as bug list) Environment:
Last Closed: 2011-01-13 22:37:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 649286    

Description Stephen Gallagher 2010-11-03 13:09:16 UTC 
Description of problem:
SSSD has a cleanup task that removes unreferenced groups from the cache in order to keep the cache size down. However, we were only checking for direct group memberships, and not for whether there were users who had this group as their primary group ID.

As a result, it is possible for SSSD to purge legitimate groups from the cache. This can cause issues with group-based access control permissions such as access.conf and sudoers.

Version-Release number of selected component (if applicable):
sssd-1.2.1-35.el5

How reproducible:
Consistently

Steps to Reproduce:
1. Create a new group on the LDAP server. Note its ID.
2. Create a new user on the LDAP server. Set its gidNumber attribute to match the ID of the group created earlier.
3. On the client, set ldap_purge_cache_timeout = 5 (this will reduce the time between cleanup tasks to five seconds, to illustrate the problem, normally it defaults to twelve hours). Restart the sssd and wait ten seconds (to ensure full startup is done)
4. On the client, run 'id username'. The user and group will be listed.
5. Sleep six seconds.
6. Run 'id username'. The user will be missing the group.
  
Actual results:
Groups that are only identified as a user's primary group are removed when the cache cleanup routine runs.

Expected results:
All groups referenced by cached users should be intact.

Additional info:
Upstream bug: https://fedorahosted.org/sssd/ticket/624
Patch is available.
Comment 4 errata-xmlrpc 2011-01-13 22:37:33 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2011-0044.html