Bug 1295883 - refresh_expired_interval stops sss_cache from working
Summary: refresh_expired_interval stops sss_cache from working
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.7
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Michal Zidek
QA Contact: Steeve Goveas
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-01-05 17:14 UTC by ryaner
Modified: 2016-07-04 10:23 UTC (History)
10 users (show)

Fixed In Version: sssd-1.13.3-12.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-10 20:26:04 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:0782 normal SHIPPED_LIVE sssd bug fix and enhancement update 2016-05-10 22:36:00 UTC

Description ryaner 2016-01-05 17:14:22 UTC
Description of problem:
Enabling 'refresh_expired_interval' in the domain/LDAP section stops calls to sss_cache from expiring data.

Version-Release number of selected component (if applicable):
sssd-1.12.4-47.el6_7.4.x86_64

How reproducible:
Everytime

Steps to Reproduce:
1. Setup sssd.conf against an ldap server. 
2. Add 'refresh_expired_interval = 1234' to the [domain/LDAP] section
3. Query a netgroup 
# getent netgroup testgroup
testgroup ( ,user1,) ( ,user2,) ( ,user3,)
4. Modify the group external to remove user3
5. Call sss_cache to expire the group
# sss_cache -n testgroup
6. Verify netgroup
# getent netgroup testgroup
testgroup ( ,user1,) ( ,user2,) ( ,user3,)

For this step I'm also watching the sssd_LDAP.log with debug=9. Following is the output during steps 4/5

(Tue Jan  5 16:59:38 2016) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x1477920
(Tue Jan  5 16:59:38 2016) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching.
(Tue Jan  5 16:59:38 2016) [sssd[be[LDAP]]] [sbus_message_handler] (0x4000): Received SBUS method [rotateLogs]
(Tue Jan  5 16:59:38 2016) [sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Tue Jan  5 16:59:38 2016) [sssd[be[LDAP]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [rotateLogs]
(Tue Jan  5 16:59:39 2016) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x1477920
(Tue Jan  5 16:59:39 2016) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching.
(Tue Jan  5 16:59:39 2016) [sssd[be[LDAP]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
(Tue Jan  5 16:59:39 2016) [sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Tue Jan  5 16:59:39 2016) [sssd[be[LDAP]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]

Without 'refresh_expired_interval' set you can see if going off to the ldap server and re-caching results on the getent query and it returns the results correctly. 

The changelog for 1.12.5 does list some enhancements for 'refresh_expired_interval' so perhaps it is fixed there, but I don't have a Fedora system to test on.

Comment 2 Pavel Březina 2016-01-06 09:36:49 UTC
We disable cache refresh for netgroups in commit f933190722886ff23eab8148b473915908bc8c23 if background refresh is enabled. The patch should disable only a midpoint refresh, but it seems that even refresh of expired records are disabled this way.

Comment 3 Pavel Březina 2016-01-06 09:40:00 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2912

Comment 4 Jakub Hrozek 2016-01-20 18:40:27 UTC
Michal, Pavel, can either of you provide steps to reproduce this bug?

Comment 5 Michal Zidek 2016-01-21 14:27:24 UTC
Steps to reproduce:

1. Setup SSSD against LDAP or FreeIPA server with the following option in the domain section in sssd.conf:
refresh_expired_interval = 1234

3. Create a test netgroup with some users on the server

3. Query the created test netgroup
# getent netgroup testgroup
testgroup ( ,user1,) ( ,user2,) ( ,user3,)

4. Modify the test netgroup to remove one user

5. Call sss_cache to expire the group
# sss_cache -n testgroup

6. Query server for test netgroup again. Removed user should no longer be shown in the getent output.
# getent netgroup testgroup
testgroup ( ,user1,) ( ,user2,) ( ,user3,)

Comment 8 Lukas Slebodnik 2016-01-21 15:15:12 UTC
master:
* 1b8858b1611db5048592f477059ca5ad66d7ceb1

sssd-1-13:
* 66c6bf86da1241c3253d23aa7e68850d6ec14d15

Comment 10 Amith 2016-03-17 07:29:15 UTC
Verified the bug on SSSD Version: sssd-1.13.3-21.el6.x86_64

Steps followed during verification were taken from Comment #5.
1. Create a netgroup in ldap server.
2. Configure sssd with "refresh_expired_interval = 1234" and query the netgroup.
3. Then, delete a netgroup user, clean the cache and query again to verify the presence of deleted user.

With the latest build, the bug looks resolved. See the commands below:

# service sssd status
sssd (pid  25553) is running...

# getent netgroup test-net
test-net              ( ,user1,) ( ,user2,) ( ,user3,)

# ldapmodify -xv -h hubcap.lab.eng.pnq.redhat.com -D "cn=Directory Manager" -w Secret123 -f netgroup-member-del.ldif 
ldap_initialize( ldap://hubcap.lab.eng.pnq.redhat.com )
delete nisNetgroupTriple:
	(,user3,)
modifying entry "cn=test-net,ou=Netgroup,dc=example,dc=com "
modify complete

[root@qe-blade-03 sssd]# sss_cache -n test-net

[root@qe-blade-03 sssd]# getent netgroup test-net
test-net              ( ,user1,) ( ,user2,)

Comment 12 errata-xmlrpc 2016-05-10 20:26:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0782.html


Note You need to log in before you can comment on or make changes to this bug.