Bug 746181
| Summary: | "getgrgid call returned more than one result" after group name change in MSAD | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Kemot1000 <kemot1000> |
| Component: | sssd | Assignee: | Stephen Gallagher <sgallagh> |
| Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.1 | CC: | dpal, grajaiya, jgalipea, jzeleny, kbanerje, prc |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | sssd-1.8.0-2.el6.beta2 | Doc Type: | Bug Fix |
| Doc Text: |
Cause: when we were adding new group to SSSD cache, we weren't checking if another group with the same GID was already in the database
Consequence: if another group with the same GID already existed in the cache when we were trying to add a new one, both groups would continue to exist in the cache which would be obviously problematic if the original no longer existed on the server
Fix: when adding new group to the cache, delete any group with the same id that is already in the cache
Result: only one group with one GID exists in the database. Therefore multiple groups won't be returned to client in case a group was renamed
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-06-20 11:48:38 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 736857, 756082 | ||
|
Description
Kemot1000
2011-10-14 09:24:45 UTC
The reason that SSSD behaves in a case-sensitive manner because this is mandated by the POSIX specification. All glibc interfaces for users and groups are case-sensitive, and therefore we must be also. We have an open ticket to behave better in environments like AD which are case-insensitive: https://fedorahosted.org/sssd/ticket/890 The idea here will be to force all identifiers to lower-case on the client machine, regardless of their case on the server. You *have* identified a rather odd bug in the getgrgid() code though. If you were looking up a group directly by GID, it should have completely replaced the old entry in the cache. Upstream ticket: https://fedorahosted.org/sssd/ticket/1040 (In reply to comment #2) What do you mean? > If you were looking up a group directly by GID, it should have completely > replaced the old entry in the cache. Is there any way to force cache entry to be replaced during next lookup involving user / group that changed in domain? Sorry, I phrased that poorly. There's a bug in our code in that it only checks whether the current name already exists in our cache. It doesn't check for entries with the same ID. I've opened ticket 1040 upstream to fix this.
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
Cause: when we were adding new group to SSSD cache, we weren't checking if another group with the same GID was already in the database
Consequence: if another group with the same GID already existed in the cache when we were trying to add a new one, both groups would continue to exist in the cache which would be obviously problematic if the original no longer existed on the server
Fix: when adding new group to the cache, delete any group with the same id that is already in the cache
Result: only one group with one GID exists in the database. Therefore multiple groups won't be returned to client in case a group was renamed
Verified in sssd-1.8.0-25 Steps to verify: 1. Add a group USER11_GRP1 2. Configure sssd with enumerate=true and check the enumerated result. # getent group | grep -i user11_grp1 USER11_GRP1:*:11039:user11 3. Rename the group to lowercase i.e. user11_grp1 4. After the next enumeration refresh, check the result again # getent group | grep -i user11_grp1 user11_grp1:*:11039:user11 Retested with sssd-1.8.0-27. With uppercase groupname: # getent group | grep -i user11_grp1 USER11_GRP1:*:11039:user11 After renaming to lowercased name: # getent group | grep -i user11_grp1 user11_grp1:*:11039:user11 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0747.html |