Bug 772297
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Fails to update if all nisNetgroupTriple or memberNisNetgroup entries are deleted from a netgroup. | | |
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Kaushik Banerjee <kbanerje> |
| Component: | sssd | Assignee: | Stephen Gallagher <sgallagh> |
| Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.2 | CC: | dpal, grajaiya, jgalipea, joe.jin, jzeleny, prc, shaines, spoore |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | sssd-1.8.0-5.el6 | Doc Type: | Bug Fix |
| Doc Text: | (see Doc Text below) | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-06-20 11:51:18 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Doc Text:

Cause: the function for storing netgroups in the SSSD cache didn't check for attributes that are in sysdb but aren't in the LDAP response from the server.
Consequence: if a netgroup had been cached by SSSD and it changed on the server in a way that it lost all its triples, this change wouldn't be projected into the cache.
Fix: always check for attributes that are missing from the LDAP response when saving a netgroup.
Result: a query for netgroups returns the correct set of triples even if it contains none.
Description
Kaushik Banerjee
2012-01-06 17:48:16 UTC
Just to confirm: Does it work properly if some (but not all) of the nisNetgroupTriple or memberNisNetgroup entries are removed? Rephrased: does it only occur when ALL entries are removed?

(In reply to comment #1)
> Just to confirm: Does it work properly if some (but not all) of the
> nisNetgroupTriple or memberNisNetgroup entries are removed?

Yes.

> Rephrased: does it only occur when ALL entries are removed?

Yes.

This bug was initially reported by "email" on the sssd-devel list at "https://fedorahosted.org/pipermail/sssd-devel/2012-January/008002.html". I performed the tests as described in the thread and could successfully reproduce this. I have raised a bugzilla with all the necessary information. Would like to thank Joe.Jin for reporting this.

Upstream ticket: https://fedorahosted.org/sssd/ticket/1136

I tried to call sysdb_remove_attrs() in either sysdb_add_netgroup() or sdap_save_netgroup(), when the attr is empty, but it always returns FAILED, any comments?

Thanks,
Joe

(In reply to comment #6)
> I tried to call sysdb_remove_attrs() in either sysdb_add_netgroup() or
> sdap_save_netgroup(),
> when the attr empty, but always return FAILED, any comments?

What was the failure error code? Also, did you use SYSDB_MOD_REPLACE or SYSDB_MOD_DEL? The latter is probably what you were looking for.

Verified.

Version :: sssd-1.8.0-15.el6.x86_64

Automated Test Results ::

There was a bug in the automated test when run. It was missing the code to add the entry_cache_timeout to sssd.conf.
That has been added and this is a manual run of the automation:

```
[root@hp-xw6600-01 ipa-netgroup-cli]# netgroup_bz_772297
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: netgroup_bz_772297: Fails to update if all nisNetgroupTriple or memberNisNetgroup entries are deleted from a netgroup
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running '/bin/cp -f /etc/sssd/sssd.conf /etc/sssd/sssd.conf.netgroup_bz_772297.backup'
:: [11:22:23] :: Running: sed -i 's/\(\[domain.*\]\)$/\1 entry_cache_timeout = 120/' /etc/sssd/sssd.conf
[domain/testrelm.com]
entry_cache_timeout = 120
entry_cache_timeout = 120
debug_level = 6
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = testrelm.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = hp-xw6600-01.testrelm.com
chpass_provider = ipa
ipa_server = hp-xw6600-01.testrelm.com
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = testrelm.com
[nss]
[pam]
[sudo]
[autofs]
[ssh]
:: [ PASS ] :: Running 'cat /etc/sssd/sssd.conf'
Stopping sssd: [ OK ] [ OK ] sssd: [ OK ]
:: [ PASS ] :: Running 'service sssd restart'
--------------------
Added user "nguser1"
--------------------
User login: nguser1
First name: TEST
Last name: USER
Full name: TEST USER
Display name: TEST USER
Initials: TU
Home directory: /home/nguser1
GECOS field: TEST USER
Login shell: /bin/sh
Kerberos principal: nguser1
UID: 588200022
GID: 588200022
Password: False
Kerberos keys available: False
:: [ PASS ] :: Running 'ipa user-add nguser1 --first=TEST --last=USER'
--------------------
Added user "nguser2"
--------------------
User login: nguser2
First name: TEST
Last name: USER
Full name: TEST USER
Display name: TEST USER
Initials: TU
Home directory: /home/nguser2
GECOS field: TEST USER
Login shell: /bin/sh
Kerberos principal: nguser2
UID: 588200023
GID: 588200023
Password: False
Kerberos keys available: False
:: [ PASS ] :: Running 'ipa user-add nguser2 --first=TEST --last=USER'
--------------------
Added user "nguser3"
--------------------
User login: nguser3
First name: TEST
Last name: USER
Full name: TEST USER
Display name: TEST USER
Initials: TU
Home directory: /home/nguser3
GECOS field: TEST USER
Login shell: /bin/sh
Kerberos principal: nguser3
UID: 588200024
GID: 588200024
Password: False
Kerberos keys available: False
:: [ PASS ] :: Running 'ipa user-add nguser3 --first=TEST --last=USER'
------------------------
Added netgroup "usersng"
------------------------
Netgroup name: usersng
Description: users
NIS domain name: testrelm.com
IPA unique ID: ae33307e-7369-11e1-9717-0019bbea4c2b
:: [ PASS ] :: Running 'ipa netgroup-add usersng --desc=users'
Netgroup name: usersng
Description: users
NIS domain name: testrelm.com
Member User: nguser1, nguser2, nguser3
-------------------------
Number of members added 3
-------------------------
:: [ PASS ] :: Running 'ipa netgroup-add-member usersng --users=nguser1,nguser2,nguser3'
------------------
1 netgroup matched
------------------
Netgroup name: usersng
Description: users
NIS domain name: testrelm.com
Member User: nguser1, nguser2, nguser3
----------------------------
Number of entries returned 1
----------------------------
:: [ PASS ] :: Running 'ipa netgroup-find --users=nguser1,nguser2,nguser3'
dn: cn=usersng,cn=ng,cn=compat,dc=testrelm,dc=com
objectClass: nisNetgroup
objectClass: top
nisNetgroupTriple: (-,nguser1,testrelm.com)
nisNetgroupTriple: (-,nguser2,testrelm.com)
nisNetgroupTriple: (-,nguser3,testrelm.com)
cn: usersng

dn: ipaUniqueID=ae33307e-7369-11e1-9717-0019bbea4c2b,cn=ng,cn=alt,dc=testrelm,
 dc=com
objectClass: ipaobject
objectClass: ipaassociation
objectClass: ipanisnetgroup
cn: usersng
description: users
nisDomainName: testrelm.com
ipaUniqueID: ae33307e-7369-11e1-9717-0019bbea4c2b
:: [ PASS ] :: Running 'ldapsearch -x -LLL -b dc=testrelm,dc=com cn=usersng'
usersng (-, nguser1, testrelm.com) (-, nguser2, testrelm.com) (-, nguser3, testrelm.com)
:: [ PASS ] :: Running 'getent -s sss netgroup usersng'
Netgroup name: usersng
Description: users
NIS domain name: testrelm.com
---------------------------
Number of members removed 3
---------------------------
:: [ PASS ] :: Running 'ipa netgroup-remove-member usersng --users=nguser1,nguser2,nguser3'
:: [ PASS ] :: Running 'sleep 120'
:: [ PASS ] :: BZ 772297 not found.
dn: cn=usersng,cn=ng,cn=compat,dc=testrelm,dc=com
objectClass: nisNetgroup
objectClass: top
cn: usersng

dn: ipaUniqueID=ae33307e-7369-11e1-9717-0019bbea4c2b,cn=ng,cn=alt,dc=testrelm,
 dc=com
objectClass: ipaobject
objectClass: ipaassociation
objectClass: ipanisnetgroup
cn: usersng
description: users
nisDomainName: testrelm.com
ipaUniqueID: ae33307e-7369-11e1-9717-0019bbea4c2b
:: [ PASS ] :: Running 'ldapsearch -x -LLL -b "dc=testrelm,dc=com" cn=usersng'
----------------------
Deleted user "nguser1"
----------------------
:: [ PASS ] :: Running 'ipa user-del nguser1'
----------------------
Deleted user "nguser2"
----------------------
:: [ PASS ] :: Running 'ipa user-del nguser2'
----------------------
Deleted user "nguser3"
----------------------
:: [ PASS ] :: Running 'ipa user-del nguser3'
--------------------------
Deleted netgroup "usersng"
--------------------------
:: [ PASS ] :: Running 'ipa netgroup-del usersng'
:: [ PASS ] :: Running '/bin/cp -f /etc/sssd/sssd.conf.netgroup_bz_772297.backup /etc/sssd/sssd.conf'
:: [ PASS ] :: Running '/bin/rm /etc/sssd/sssd.conf.netgroup_bz_772297.backup'
:: [ PASS ] :: Running 'chmod 0600 /etc/sssd/sssd.conf'
Stopping sssd: [ OK ] [ OK ] sssd: [ OK ]
:: [ PASS ] :: Running 'service sssd restart'
```

Manual Test Results ::

```
# ipa user-add testuser1 --first=First --last=Last
----------------------
Added user "testuser1"
----------------------
User login: testuser1
First name: First
Last name: Last
Full name: First Last
Display name: First Last
Initials: FL
Home directory: /home/testuser1
GECOS field: First Last
Login shell: /bin/sh
Kerberos principal: testuser1
UID: 588200025
GID: 588200025
Password: False
Kerberos keys available: False
# ipa user-add testuser2 --first=First --last=Last
----------------------
Added user "testuser2"
----------------------
User login: testuser2
First name: First
Last name: Last
Full name: First Last
Display name: First Last
Initials: FL
Home directory: /home/testuser2
GECOS field: First Last
Login shell: /bin/sh
Kerberos principal: testuser2
UID: 588200026
GID: 588200026
Password: False
Kerberos keys available: False
# ipa user-add testuser3 --first=First --last=Last
----------------------
Added user "testuser3"
----------------------
User login: testuser3
First name: First
Last name: Last
Full name: First Last
Display name: First Last
Initials: FL
Home directory: /home/testuser3
GECOS field: First Last
Login shell: /bin/sh
Kerberos principal: testuser3
UID: 588200027
GID: 588200027
Password: False
Kerberos keys available: False
# ipa netgroup-add testng --desc=usersnetgroup
-----------------------
Added netgroup "testng"
-----------------------
Netgroup name: testng
Description: usersnetgroup
NIS domain name: testrelm.com
IPA unique ID: 82983668-736d-11e1-bbe4-0019bbea4c2b
# ipa netgroup-add-member testng --users=testuser1,testuser2,testuser3
Netgroup name: testng
Description: usersnetgroup
NIS domain name: testrelm.com
Member User: testuser1, testuser2, testuser3
-------------------------
Number of members added 3
-------------------------
# ipa netgroup-find --users=testuser1,testuser2,testuser3
------------------
1 netgroup matched
------------------
Netgroup name: testng
Description: usersnetgroup
NIS domain name: testrelm.com
Member User: testuser1, testuser2, testuser3
----------------------------
Number of entries returned 1
----------------------------
# ldapsearch -x -LLL -b "dc=testrelm,dc=com" cn=testng
dn: cn=testng,cn=ng,cn=compat,dc=testrelm,dc=com
objectClass: nisNetgroup
objectClass: top
nisNetgroupTriple: (-,testuser1,testrelm.com)
nisNetgroupTriple: (-,testuser2,testrelm.com)
nisNetgroupTriple: (-,testuser3,testrelm.com)
cn: testng

dn: ipaUniqueID=82983668-736d-11e1-bbe4-0019bbea4c2b,cn=ng,cn=alt,dc=testrelm,
 dc=com
objectClass: ipaobject
objectClass: ipaassociation
objectClass: ipanisnetgroup
cn: testng
description: usersnetgroup
nisDomainName: testrelm.com
ipaUniqueID: 82983668-736d-11e1-bbe4-0019bbea4c2b
# sed -i 's/\(\[domain.*\]\)$/\1\nentry_cache_timeout = 120/' /etc/sssd/sssd.conf
# cat /etc/sssd/sssd.conf
[domain/testrelm.com]
entry_cache_timeout = 120
entry_cache_timeout = 120
debug_level = 6
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = testrelm.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = hp-xw6600-01.testrelm.com
chpass_provider = ipa
ipa_server = hp-xw6600-01.testrelm.com
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = testrelm.com
[nss]
[pam]
[sudo]
[autofs]
[ssh]
# vi /etc/sssd/sssd.conf
# cat /etc/sssd/sssd.conf
[domain/testrelm.com]
entry_cache_timeout = 120
debug_level = 6
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = testrelm.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = hp-xw6600-01.testrelm.com
chpass_provider = ipa
ipa_server = hp-xw6600-01.testrelm.com
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = testrelm.com
[nss]
[pam]
[sudo]
[autofs]
[ssh]
# service sssd restart
Stopping sssd: [ OK ] [ OK ] sssd: [ OK ]
# getent -s sss netgroup testng
testng (-, testuser1, testrelm.com) (-, testuser2, testrelm.com) (-, testuser3, testrelm.com)
# ipa netgroup-remove-member testng --users=testuser1,testuser2,testuser3
Netgroup name: testng
Description: usersnetgroup
NIS domain name: testrelm.com
---------------------------
Number of members removed 3
---------------------------
# sleep 120
# getent -s sss netgroup testng
testng
```

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: the function for storing netgroups in the SSSD cache didn't check for attributes that are in sysdb but aren't in the LDAP response from the server.
Consequence: if a netgroup had been cached by SSSD and it changed on the server in a way that it lost all its triples, this change wouldn't be projected into the cache.
Fix: always check for attributes that are missing from the LDAP response when saving a netgroup.
Result: a query for netgroups returns the correct set of triples even if it contains none.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0747.html
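The Doc Text and the technical note above describe the defect as a cache-save step that never removed attributes absent from the LDAP response. The following is an added Python model of that step, not SSSD's own code: `save_netgroup_buggy` and `save_netgroup_fixed` are hypothetical stand-ins for the sysdb save path, the netgroup entries are constructed, and the nested memberNisNetgroup resolution goes beyond the single flat netgroup used in the verification run to show that stale triples also leak through nesting.

```python
# Added model (not SSSD's own code) of the cache-save step described in this bug:
# SSSD keeps a cached copy of each netgroup in sysdb and refreshes it from the LDAP
# entry the server returns. The buggy save writes only the attributes the response
# contains, so members that vanished on the server survive in the cache; the fixed
# save also deletes every member attribute the response no longer carries.
# All entries below are constructed for the example.
MEMBER_ATTRS = ("nisNetgroupTriple", "memberNisNetgroup")

def save_netgroup_buggy(cache, ldap_entry):
    """Write only the attributes present in the LDAP response."""
    entry = cache.setdefault(ldap_entry["cn"], {})
    for attr, values in ldap_entry.items():
        entry[attr] = list(values) if isinstance(values, list) else values
    return entry

def save_netgroup_fixed(cache, ldap_entry):
    """Write the response, then delete member attributes it does not carry."""
    entry = save_netgroup_buggy(cache, ldap_entry)
    for attr in MEMBER_ATTRS:
        if attr not in ldap_entry:
            entry.pop(attr, None)  # delete (not replace) the attribute missing from LDAP
    return entry

def resolve_triples(cache, name, seen=None):
    """Flatten a cached netgroup, following memberNisNetgroup nesting like getent."""
    seen = set() if seen is None else seen
    if name in seen or name not in cache:  # unknown child or a nesting loop
        return []
    seen.add(name)
    entry = cache[name]
    triples = list(entry.get("nisNetgroupTriple", []))
    for child in entry.get("memberNisNetgroup", []):
        triples.extend(resolve_triples(cache, child, seen))
    return triples

# Constructed LDAP entries: a nested netgroup, the populated netgroup, and the same
# netgroup after every member was removed on the server (no member attributes left).
HOSTS = {"cn": "hostsng", "nisNetgroupTriple": ["(host1,-,testrelm.com)"]}
FULL = {"cn": "usersng", "memberNisNetgroup": ["hostsng"],
        "nisNetgroupTriple": ["(-,nguser1,testrelm.com)", "(-,nguser2,testrelm.com)"]}
EMPTY = {"cn": "usersng"}

def simulate(save):
    """Triples resolved for usersng after the cache is refreshed with the emptied entry."""
    cache = {}
    for ldap_entry in (HOSTS, FULL, EMPTY):
        save(cache, ldap_entry)
    return resolve_triples(cache, "usersng")
```

`simulate(save_netgroup_buggy)` still returns the three old triples after the refresh, which is the stale `getent` output the reporter saw; `simulate(save_netgroup_fixed)` returns an empty list, matching the post-fix `getent -s sss netgroup testng` line.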