Bug 1295883 - refresh_expired_interval stops sss_cache from working
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.7
Hardware: x86_64 Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Assigned To: Michal Zidek
QA Contact: Steeve Goveas
Keywords: Regression
Reported: 2016-01-05 12:14 EST by ryaner
Modified: 2016-07-04 06:23 EDT
Fixed In Version: sssd-1.13.3-12.el6
Doc Type: Bug Fix
Last Closed: 2016-05-10 16:26:04 EDT
Type: Bug
Attachments: None

Description ryaner 2016-01-05 12:14:22 EST
Description of problem:
Enabling 'refresh_expired_interval' in the domain/LDAP section stops calls to sss_cache from expiring data.

Version-Release number of selected component (if applicable):
sssd-1.12.4-47.el6_7.4.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. Setup sssd.conf against an ldap server. 
2. Add 'refresh_expired_interval = 1234' to the [domain/LDAP] section
3. Query a netgroup 
# getent netgroup testgroup
testgroup ( ,user1,) ( ,user2,) ( ,user3,)
4. Modify the group external to remove user3
5. Call sss_cache to expire the group
# sss_cache -n testgroup
6. Verify netgroup
# getent netgroup testgroup
testgroup ( ,user1,) ( ,user2,) ( ,user3,)

For this step I'm also watching the sssd_LDAP.log with debug=9. Following is the output during steps 4/5

(Tue Jan  5 16:59:38 2016) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x1477920
(Tue Jan  5 16:59:38 2016) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching.
(Tue Jan  5 16:59:38 2016) [sssd[be[LDAP]]] [sbus_message_handler] (0x4000): Received SBUS method [rotateLogs]
(Tue Jan  5 16:59:38 2016) [sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Tue Jan  5 16:59:38 2016) [sssd[be[LDAP]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [rotateLogs]
(Tue Jan  5 16:59:39 2016) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x1477920
(Tue Jan  5 16:59:39 2016) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching.
(Tue Jan  5 16:59:39 2016) [sssd[be[LDAP]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
(Tue Jan  5 16:59:39 2016) [sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Tue Jan  5 16:59:39 2016) [sssd[be[LDAP]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]

Without 'refresh_expired_interval' set you can see it going off to the ldap server and re-caching results on the getent query, and it returns the results correctly.

The changelog for 1.12.5 does list some enhancements for 'refresh_expired_interval' so perhaps it is fixed there, but I don't have a Fedora system to test on.
Comment 2 Pavel Březina 2016-01-06 04:36:49 EST
We disable cache refresh for netgroups in commit f933190722886ff23eab8148b473915908bc8c23 if background refresh is enabled. The patch should disable only a midpoint refresh, but it seems that even refreshes of expired records are disabled this way.
Comment 3 Pavel Březina 2016-01-06 04:40:00 EST
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2912
Comment 4 Jakub Hrozek 2016-01-20 13:40:27 EST
Michal, Pavel, can either of you provide steps to reproduce this bug?
Comment 5 Michal Zidek 2016-01-21 09:27:24 EST
Steps to reproduce:

1. Setup SSSD against LDAP or FreeIPA server with the following option in the domain section in sssd.conf:
refresh_expired_interval = 1234

2. Create a test netgroup with some users on the server

3. Query the created test netgroup
# getent netgroup testgroup
testgroup ( ,user1,) ( ,user2,) ( ,user3,)

4. Modify the test netgroup to remove one user

5. Call sss_cache to expire the group
# sss_cache -n testgroup

6. Query the server for the test netgroup again. The removed user should no longer be shown in the getent output.
# getent netgroup testgroup
testgroup ( ,user1,) ( ,user2,) ( ,user3,)
Comment 8 Lukas Slebodnik 2016-01-21 10:15:12 EST
master:
* 1b8858b1611db5048592f477059ca5ad66d7ceb1

sssd-1-13:
* 66c6bf86da1241c3253d23aa7e68850d6ec14d15
Comment 10 Amith 2016-03-17 03:29:15 EDT
Verified the bug on SSSD Version: sssd-1.13.3-21.el6.x86_64

Steps followed during verification were taken from Comment #5.
1. Create a netgroup in ldap server.
2. Configure sssd with "refresh_expired_interval = 1234" and query the netgroup.
3. Then, delete a netgroup user, clean the cache and query again to verify the presence of the deleted user.

With the latest build, the bug looks resolved. See the commands below:

# service sssd status
sssd (pid  25553) is running...

# getent netgroup test-net
test-net              ( ,user1,) ( ,user2,) ( ,user3,)

# ldapmodify -xv -h hubcap.lab.eng.pnq.redhat.com -D "cn=Directory Manager" -w Secret123 -f netgroup-member-del.ldif 
ldap_initialize( ldap://hubcap.lab.eng.pnq.redhat.com )
delete nisNetgroupTriple:
	(,user3,)
modifying entry "cn=test-net,ou=Netgroup,dc=example,dc=com "
modify complete

[root@qe-blade-03 sssd]# sss_cache -n test-net

[root@qe-blade-03 sssd]# getent netgroup test-net
test-net              ( ,user1,) ( ,user2,)
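The following is an added example, not code from this bug report or from the SSSD project. It turns the manual checks in the description (Comment 0) and the verification in Comment 10 into an offline helper: it finds the [domain/...] sections of an sssd.conf in which refresh_expired_interval enables background refresh, compares an installed sssd version-release against the "Fixed In Version" of sssd-1.13.3-12.el6 using a simplified rpmvercmp, and parses `getent netgroup` output before and after `sss_cache -n` to decide whether the removed member really disappeared. The sssd.conf fragment and the getent lines are constructed to mirror the report; the version comparison ignores epoch and the rpm '~'/'^' rules, which none of the versions on this page use.

```python
"""Added example for bug 1295883 (not part of the report or of SSSD itself):
(1) list sssd.conf domains with refresh_expired_interval > 0,
(2) decide whether an sssd version-release predates sssd-1.13.3-12.el6,
(3) check `getent netgroup` output before/after `sss_cache -n` as Comment 10 does by hand.
All inputs below are constructed."""
import configparser
import re
from itertools import zip_longest

FIXED_NVR = "1.13.3-12.el6"  # "Fixed In Version" from the report (version-release, no epoch)

# Constructed sssd.conf fragment mirroring the reproduction steps.
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = LDAP, LOCAL

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
refresh_expired_interval = 1234

[domain/LOCAL]
id_provider = local
"""

# Constructed getent output: before the server-side removal of user3, after it on the
# broken build (user3 still served from the cache) and after it on the fixed build.
BEFORE = "testgroup ( ,user1,) ( ,user2,) ( ,user3,)"
BROKEN_AFTER = "testgroup ( ,user1,) ( ,user2,) ( ,user3,)"
FIXED_AFTER = "testgroup ( ,user1,) ( ,user2,)"


def domains_with_background_refresh(conf_text):
    """Return the [domain/...] sections whose refresh_expired_interval is set to a value > 0."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    hits = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        raw = cp.get(section, "refresh_expired_interval", fallback="0").strip()
        if raw.isdigit() and int(raw) > 0:
            hits.append(section)
    return hits


def _segments(s):
    # rpmvercmp tokenisation: maximal runs of digits or letters; separators are dropped.
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Compare two version (or release) strings like rpm's rpmvercmp: -1, 0 or 1.
    Simplified: no '~'/'^' handling (assumption: not needed for the versions on this page)."""
    for x, y in zip_longest(_segments(a), _segments(b)):
        if x is None:
            return -1  # a ran out of segments first, so it is older
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer than an alpha one
        elif x != y:
            return -1 if x < y else 1
    return 0


def nvr_is_fixed(version_release, fixed=FIXED_NVR):
    """True if an installed sssd version-release (e.g. '1.12.4-47.el6_7.4') is at or past
    the fixed build. Epoch is ignored."""
    v, r = version_release.split("-", 1)
    fv, fr = fixed.split("-", 1)
    c = rpmvercmp(v, fv) or rpmvercmp(r, fr)
    return c >= 0


TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def netgroup_triples(getent_line):
    """Parse one `getent netgroup NAME` line into (name, {(host, user, domain), ...})."""
    name, _, rest = getent_line.partition(" ")
    triples = {tuple(f.strip() for f in m.groups()) for m in TRIPLE_RE.finditer(rest)}
    return name, triples


def cache_refreshed(before_line, after_line, removed_user):
    """True if a member removed on the server is absent after `sss_cache -n NAME`,
    i.e. the lookup went back to the server instead of serving the stale entry."""
    name_b, before = netgroup_triples(before_line)
    name_a, after = netgroup_triples(after_line)
    if name_a != name_b:
        raise ValueError("netgroup names differ: %s vs %s" % (name_b, name_a))
    was_member = any(user == removed_user for _, user, _ in before)
    still_member = any(user == removed_user for _, user, _ in after)
    return was_member and not still_member


if __name__ == "__main__":
    print("background refresh enabled in:", domains_with_background_refresh(SAMPLE_CONF))
    for nvr in ("1.12.4-47.el6_7.4", "1.13.3-12.el6", "1.13.3-21.el6"):
        print(nvr, "fixed" if nvr_is_fixed(nvr) else "affected")
    print("broken build refreshed:", cache_refreshed(BEFORE, BROKEN_AFTER, "user3"))
    print("fixed build refreshed:", cache_refreshed(BEFORE, FIXED_AFTER, "user3"))
```

On a real host the two inputs would come from `rpm -q --qf '%{VERSION}-%{RELEASE}' sssd` and from the two `getent netgroup` runs; a domain listed by domains_with_background_refresh() on a build where nvr_is_fixed() is False is exactly the configuration the report describes, and sss_cache -n cannot be relied on to expire netgroups there.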
Comment 12 errata-xmlrpc 2016-05-10 16:26:04 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0782.html