Bug 649286

Summary: SSSD will sometimes lose groups from the cache
Product: Red Hat Enterprise Linux 6 Reporter: Stephen Gallagher <sgallagh>
Component: sssdAssignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA QA Contact: Chandrasekar Kannan <ckannan>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 6.0CC: benl, borgan, dpal, grajaiya, jgalipea
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: 0day
Fixed In Version: sssd-1.2.1-33.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 649285 Environment:
Last Closed: 2011-05-19 11:39:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 649285    
Bug Blocks: 649312    

Description Stephen Gallagher 2010-11-03 13:10:04 UTC 
+++ This bug was initially created as a clone of Bug #649285 +++

Description of problem:
SSSD has a cleanup task that removes unreferenced groups from the cache in order to keep the cache size down. However, we were only checking for direct group memberships, and not for whether there were users who had this group as their primary group ID.

As a result, it is possible for SSSD to purge legitimate groups from the cache. This can cause issues with group-based access control permissions such as access.conf and sudoers.

Version-Release number of selected component (if applicable):
sssd-1.2.1-35.el5

How reproducible:
Consistently

Steps to Reproduce:
1. Create a new group on the LDAP server. Note its ID.
2. Create a new user on the LDAP server. Set its gidNumber attribute to match the ID of the group created earlier.
3. On the client, set ldap_purge_cache_timeout = 5 (this will reduce the time between cleanup tasks to five seconds, to illustrate the problem, normally it defaults to twelve hours). Restart the sssd and wait ten seconds (to ensure full startup is done)
4. On the client, run 'id username'. The user and group will be listed.
5. Sleep six seconds.
6. Run 'id username'. The user will be missing the group.
  
Actual results:
Groups that are only identified as a user's primary group are removed when the cache cleanup routine runs.

Expected results:
All groups referenced by cached users should be intact.

Additional info:
Upstream bug: https://fedorahosted.org/sssd/ticket/624
Patch is available.
Comment 3 Stephen Gallagher 2010-11-03 22:33:59 UTC 
Sorry, there's another step to reproduce: the entry itself needs to be expired. Add
entry_cache_timeout = 4
Comment 6 errata-xmlrpc 2011-05-19 11:39:39 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html
Comment 7 errata-xmlrpc 2011-05-19 13:08:53 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html