Bug 870505

Summary: sss_cache: Multiple domains not handled properly
Product: Red Hat Enterprise Linux 6 Reporter: Jakub Hrozek <jhrozek>
Component: sssdAssignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.4CC: apeetham, grajaiya, jgalipea, mzidek, pbrezina
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.9.2-7.el6 Doc Type: Bug Fix
Doc Text:
Cause: When SSSD is configured with multiple domains and sss_cache searched object only in the first configured domain and ignored the others. Consequence: Administrator couldn't use sss_cache on objects from arbitrary domain. Fix: sss_cache now searches all domains. Result: Administrator can use sss_cache on objects from arbitrary domain.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-21 09:39:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jakub Hrozek 2012-10-26 17:06:37 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1608

If no objects for deletion were found in the currently searched sysdb database/domain, the other sysdb databases/domains were not searched at all.

How to reproduce:
1. configure sssd with two or more domains
2. get info about user/group that is not in the first domain (e.g. getent passwd user1)
3. remove the entry from cache using sss_cache tool (e.g. sss_cache -u user1)

Results:
sss_cache does not find the entry in the first domain and exits.

Expected result:
sss_cache should remove the entry from domain2 properly
Comment 2 Amith 2012-11-29 11:49:52 UTC 
Verified the BZ on SSSD version: sssd-1.9.2-27.el6

As part of testing, multiple domains LDAP1 and LDAP2 were setup in the sssd.conf file. sss_cache cmd was executed against the cached user from domain LDAP2 and as expected, the user got invalidated.

# sss_cache -u ssc_tempuser1
No such user named ssc_tempuser1 in domain LDAP1, skipping

# ldbsearch -H /var/lib/sss/db/cache_LDAP2.ldb name=ssc_tempuser1 dataExpireTimestamp
asq: Unable to register control with rootdse!
# record 1
dn: name=ssc_tempuser1,cn=users,cn=LDAP2,cn=sysdb
dataExpireTimestamp: 1

# returned 1 records
# 1 entries
# 0 referrals
Comment 3 errata-xmlrpc 2013-02-21 09:39:01 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html