Bug 678412

Summary: name service caches names, so id command shows recently deleted users
Product: Red Hat Enterprise Linux 5
Component: sssd
Version: 5.7
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Reporter: Stephen Gallagher <sgallagh>
Assignee: Stephen Gallagher <sgallagh>
QA Contact: Chandrasekar Kannan <ckannan>
CC: benl, dmitry.guryanov, dpal, grajaiya, jgalipea, jhrozek, msvoboda, prc, sbose, sgallagh, ssorce
Target Milestone: rc
Fixed In Version: sssd-1.5.1-9.el5
Doc Type: Bug Fix
Doc Text:
Modifying or deleting a user or group account on an LDAP server did not result in an update of the cache on a login attempt. With this update, the cache is always properly updated during the login process. Outside of a login attempt, entries now remain as they were cached until the cache timeout expires.
Clone Of: 677768
Last Closed: 2011-07-21 08:09:13 UTC
Bug Depends On: 677768
Bug Blocks: 678410

Description Stephen Gallagher 2011-02-17 20:51:30 UTC
+++ This bug was initially created as a clone of Bug #677768 +++

Description of problem:
If you look up some info using unix commands, like id or groups, and then change it using a freeipa command, later calls to id will show outdated information:

[root@ipaserver ~]# ipa user-add --first=x --last=y myuser5
--------------------
Added user "myuser5"
--------------------
  User login: myuser5
  First name: x
  Last name: y
  Full name: x y
  Display name: x y
  Initials: xy
  Home directory: /home/myuser5
  GECOS field: myuser5
  Login shell: /bin/sh
  Kerberos principal: myuser5
  UID: 334400018
[root@ipaserver ~]# id myuser5
uid=334400018(myuser5) gid=334400018(myuser5) группы=334400018(myuser5),334400001(ipausers)
[root@ipaserver ~]# ipa user-del myuser5
----------------------
Deleted user "myuser5"
----------------------
[root@ipaserver ~]# id myuser5
uid=334400018(myuser5) gid=334400018(myuser5) группы=334400018(myuser5),334400001(ipausers)

Version-Release number of selected component (if applicable):
389-ds-base-1.2.8-0.2.a2.fc15.1.x86_64
freeipa-admintools-2.0.0.rc1-0.fc15.x86_64
sssd-tools-1.5.1-7.fc15.x86_64
freeipa-client-2.0.0.rc1-0.fc15.x86_64
freeipa-server-2.0.0.rc1-0.fc15.x86_64
sssd-1.5.1-7.fc15.x86_64
sssd-debuginfo-1.5.1-7.fc15.x86_64
freeipa-python-2.0.0.rc1-0.fc15.x86_64
freeipa-server-selinux-2.0.0.rc1-0.fc15.x86_64
sssd-client-1.5.1-7.fc15.x86_64

How reproducible:
always

Steps to Reproduce:
1. create user using ipa user-add command, myuser for example
2. type 'id myuser'
3. type 'ipa user-del myuser'
4. type 'id myuser' again - it will show the deleted user

Actual results:
unix commands show some cached info

Expected results:
unix commands always show up-to-date information about users and groups

--- Additional comment from ssorce on 2011-02-16 08:34:59 EST ---

I was going to reply that as soon as the deleted user attempts to login, it will be refreshed from ldap, found to be deleted and not reported any more.
Except I have just tested this and it doesn't work.

Reassigning to sssd.

Comment 2 Jenny Severance 2011-05-27 17:23:15 UTC
Environment:

IPA Server RHEL 6.1
IPA Client RHEL 5.7

1) add ipa user from server

# ipa user-add --first myuser --last myuser myuser
-------------------
Added user "myuser"
-------------------
  User login: myuser
  First name: myuser
  Last name: myuser
  Full name: myuser myuser
  Display name: myuser myuser
  Initials: mm
  Home directory: /home/myuser
  GECOS field: myuser
  Login shell: /bin/sh
  Kerberos principal: myuser@TESTRELM
  UID: 239400003

2) from client id user

# id myuser
uid=239400003(myuser) gid=239400003(myuser) groups=239400003(myuser),239400001(ipausers) context=root:system_r:unconfined_t:SystemLow-SystemHigh

3) From server delete user

# ipa user-del myuser
---------------------
Deleted user "myuser"
---------------------

4) from client id user

# id myuser
uid=239400003(myuser) gid=239400003(myuser) groups=239400003(myuser),239400001(ipausers) context=root:system_r:unconfined_t:SystemLow-SystemHigh

wait a couple minutes ...

# id myuser
uid=239400003(myuser) gid=239400003(myuser) groups=239400003(myuser),239400001(ipausers) context=root:system_r:unconfined_t:SystemLow-SystemHigh

wait 5 more minutes
# id myuser
uid=239400003(myuser) gid=239400003(myuser) groups=239400003(myuser),239400001(ipausers) context=root:system_r:unconfined_t:SystemLow-SystemHigh

Versions:

CLIENT
ipa-client-2.0-14.el5
sssd-1.5.1-35.el5

SERVER
ipa-server-2.0.0-23.el6.x86_64

Comment 3 Jenny Severance 2011-05-27 17:41:27 UTC
Default entry cache timeout is 90 minutes; in order for the cache for that user to be updated (user removed), you need to attempt login as the deleted user ...

subsequent steps ...

ssh myuser@hostname
myuser@hostname's password: 
Permission denied, please try again.


log back in and id my user

# id myuser
id: myuser: No such user
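
To make the timeline in comments 2 and 3 concrete, here is an added Python model of the cache semantics (example code, not part of the bug report or of SSSD): the NSS path serves cached entries until the 90-minute timeout, while the PAM login path re-reads the entry from the server only in the fixed behaviour. The server dict, the `EntryCache` class, `reproduce()` and the step timings are assumptions for illustration.

```python
# Added model of the SSSD entry-cache semantics in this bug (not SSSD code).
# Time is an explicit `now` argument so the timeline can be replayed deterministically.

ENTRY_CACHE_TIMEOUT = 90 * 60   # default entry cache timeout, seconds (comment 3)


class EntryCache:
    """Cache in front of the LDAP/IPA server (a plain dict of name -> record).
    refresh_on_login=False models the bug (login left the cache untouched),
    True models the fix (login always re-reads the entry from the server)."""

    def __init__(self, server, refresh_on_login, timeout=ENTRY_CACHE_TIMEOUT):
        self.server, self.refresh_on_login, self.timeout = server, refresh_on_login, timeout
        self.entries = {}   # name -> (record, time cached)

    def _refresh(self, name, now):
        record = self.server.get(name)
        if record is None:
            self.entries.pop(name, None)   # deleted upstream: drop the stale entry
        else:
            self.entries[name] = (record, now)
        return record

    def getpwnam(self, name, now):
        """NSS path used by id/getent: served from cache until the entry expires."""
        hit = self.entries.get(name)
        if hit is not None and now - hit[1] < self.timeout:
            return hit[0]
        return self._refresh(name, now)

    def login(self, name, now):
        """PAM path used by ssh: authentication always goes to the server,
        but only the fixed behaviour also refreshes the cached entry."""
        if self.refresh_on_login:
            return self._refresh(name, now) is not None
        return self.server.get(name) is not None


def reproduce(refresh_on_login):
    """Replay comments 2 and 3; each value is whether `id myuser` finds the user."""
    server = {"myuser": {"uid": 239400003}}                # constructed sample user
    cache = EntryCache(server, refresh_on_login)
    seen = cache.getpwnam("myuser", now=0)                 # step 2: id myuser
    del server["myuser"]                                   # step 3: ipa user-del myuser
    after_delete = cache.getpwnam("myuser", now=5 * 60)    # step 4: five minutes later
    login_ok = cache.login("myuser", now=6 * 60)           # ssh myuser@host: denied
    after_login = cache.getpwnam("myuser", now=7 * 60)     # id myuser after the login
    after_timeout = cache.getpwnam("myuser", now=ENTRY_CACHE_TIMEOUT + 1)
    return {"seen": seen is not None, "after_delete": after_delete is not None,
            "login_ok": login_ok, "after_login": after_login is not None,
            "after_timeout": after_timeout is not None}
```

With the fix, `after_login` is False (the failed ssh attempt evicts the deleted user); with the bug, it stays True until the entry cache timeout expires.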

Comment 4 Miroslav Svoboda 2011-07-15 13:26:35 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Modifying or deleting a user or group account on an LDAP server did not result in an update of the cache on a login attempt. With this update, the cache is always properly updated during the login process. Outside of a login attempt, entries now remain as they were cached until the cache timeout expires.

Comment 5 errata-xmlrpc 2011-07-21 08:09:13 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0975.html