Bug 1361597 - Groups with just one member are not properly managed by sssd
Summary: Groups with just one member are not properly managed by sssd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Petr Čech
QA Contact: shridhar
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-07-29 13:17 UTC by Thorsten Scherf
Modified: 2020-05-02 18:18 UTC

Fixed In Version: sssd-1.15.0-2.el7
Last Closed: 2017-08-01 08:58:07 UTC

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | SSSD sssd issues 3981 | 0 | None | closed | The member link is not removed when the last group's nested member goes away | 2020-05-02 18:18:05 UTC
Red Hat Product Errata | RHEA-2017:2294 | 0 | normal | SHIPPED_LIVE | sssd bug fix and enhancement update | 2017-08-01 12:39:55 UTC

Description Thorsten Scherf 2016-07-29 13:17:51 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Thorsten Scherf 2016-07-29 13:27:47 UTC
Sorry for the missing description, hit enter too fast.

Here we go with the details.

When there is only a single member in a group and this member is being removed, sssd only removes it from the cache after "id <username>" has been executed. With more than one member in a group, the issue seems to go away.

This has been tested with the following releases:
sssd-1.13.90-0.20160506.1712.git04e4bdf.fc23.x86_64
sssd-1.13.3-22.el6.x86_64


    ########################
    enumerate = false
    entry_cache_timeout = 30
    ########################
     
    # sss_cache -u enumtest
    # sss_cache -g enumgr2
     
    # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2@win.trust.test
    Fri Jul 29 14:42:09 CEST 2016
    enumgr2@win.trust.test:*:300403124:
     
    ###
    ### Adding a user
    ###
     
    # adcli add-member --login-ccache='KEYRING:persistent:0:krb_ccache_w0VyosL' --domain=win.trust.test enumgr2 enumtest
     
    # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2@win.trust.test
    Fri Jul 29 14:42:36 CEST 2016
    enumgr2@win.trust.test:*:300403124:
     
    # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2@win.trust.test
    Fri Jul 29 14:42:59 CEST 2016
    enumgr2@win.trust.test:*:300403124:enumtest@win.trust.test
     
    ###
    ### Removing a user
    ###
     
    # adcli remove-member --login-ccache='KEYRING:persistent:0:krb_ccache_w0VyosL' --domain=win.trust.test enumgr2 enumtest
     
    # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2@win.trust.test
    Fri Jul 29 14:43:21 CEST 2016
    enumgr2@win.trust.test:*:300403124:enumtest@win.trust.test
     
    # ldbsearch -H /var/lib/sss/db/cache_win.trust.test.ldb gidNumber=300403124
    dataExpireTimestamp: 1469796251
     
    # date -d @1469796251
    Fri Jul 29 14:44:11 CEST 2016
    
    ### The user is still listed as a member of the group
 
    # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2@win.trust.test
    Fri Jul 29 14:44:28 CEST 2016
    enumgr2@win.trust.test:*:300403124:enumtest@win.trust.test
     
    # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2@win.trust.test
    Fri Jul 29 14:46:28 CEST 2016
    enumgr2@win.trust.test:*:300403124:enumtest@win.trust.test
     
    ### After running "id <user>", the group membership is updated 

    # id enumtest@win.trust.test
    uid=300403121(enumtest@win.trust.test) gid=300400513(domain users@win.trust.test) groups=300400513(domain users@win.trust.test),300403120(supergroup@win.trust.test)
     
    # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2@win.trust.test
    Fri Jul 29 14:46:49 CEST 2016
    enumgr2@win.trust.test:*:300403124:
     
    ###
    ### The issue can't be reproduced when more than one user is a member of the group
    ###
     
    # adcli add-member --login-ccache='KEYRING:persistent:0:krb_ccache_w0VyosL' --domain=win.trust.test enumgr2 enumtest
     
    # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2@win.trust.test
    Fri Jul 29 15:10:40 CEST 2016
    enumgr2@win.trust.test:*:300403124:enumtest2@win.trust.test,enumtest@win.trust.test
     
    ### With two members in the group, the group membership is updated within the cache expiration time

    # adcli remove-member --login-ccache='KEYRING:persistent:0:krb_ccache_w0VyosL' --domain=win.trust.test enumgr2 enumtest

    # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2@win.trust.test
    Fri Jul 29 15:11:00 CEST 2016
    enumgr2@win.trust.test:*:300403124:enumtest2@win.trust.test,enumtest@win.trust.test
     
    # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2@win.trust.test
    Fri Jul 29 15:11:12 CEST 2016
    enumgr2@win.trust.test:*:300403124:enumtest2@win.trust.test

    ### With just one group member left, the issue pops up again
     
    # adcli remove-member --login-ccache='KEYRING:persistent:0:krb_ccache_w0VyosL' --domain=win.trust.test enumgr2 enumtest2
     
    # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2@win.trust.test
    Fri Jul 29 15:12:02 CEST 2016
    enumgr2@win.trust.test:*:300403124:enumtest2@win.trust.test
     
    # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2@win.trust.test
    Fri Jul 29 15:12:36 CEST 2016
    enumgr2@win.trust.test:*:300403124:enumtest2@win.trust.test
     
    # adcli add-member --login-ccache='KEYRING:persistent:0:krb_ccache_w0VyosL' --domain=win.trust.test enumgr2 enumtest
    
    ### Adding a new group member makes sssd update the group membership

    # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2@win.trust.test
    Fri Jul 29 15:12:59 CEST 2016
    enumgr2@win.trust.test:*:300403124:enumtest@win.trust.test
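
The condition shown in Comment 1, written as a check; this is an added example, not part of the bug report or of sssd. The function names are hypothetical, and the authoritative member list is assumed to come from a separate query against the directory.

```shell
#!/bin/sh
# Added example: flag group members that sssd still serves after the cached
# entry's expiry time although the directory no longer lists them.

# Print the members of a getent(1) group line, one per line.
group_members() {
    # Field 4 of name:passwd:gid:members is a comma-separated list.
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | sed '/^$/d'
}

# stale_members GETENT_LINE OBSERVED_EPOCH EXPIRE_EPOCH AUTHORITATIVE_CSV
# AUTHORITATIVE_CSV is the comma-separated membership as the directory reports
# it (assumption: obtained separately, e.g. by an LDAP query against AD).
# Prints each cached member that is absent from that list, but only when the
# observation was made after the cache entry expired.
stale_members() {
    line=$1; observed=$2; expires=$3; authoritative=$4
    # Before expiry a stale answer is normal cache behaviour, not this bug.
    [ "$observed" -gt "$expires" ] || return 0
    group_members "$line" | while IFS= read -r member; do
        case ",$authoritative," in
            *",$member,"*) ;;               # still a member in the directory
            *) printf '%s\n' "$member" ;;   # served from the cache only
        esac
    done
}

# Sample constructed from the transcript above: expiry is the value ldbsearch
# printed, observation times are the `date` outputs converted to epoch (CEST).
EXPIRES=1469796251                       # dataExpireTimestamp, 14:44:11
CACHED='enumgr2@win.trust.test:*:300403124:enumtest@win.trust.test'

check_sample() {
    # $1 = observation time in epoch seconds. The directory membership is
    # empty because adcli remove-member had already removed the only member.
    stale_members "$CACHED" "$1" "$EXPIRES" ""
}

check_sample 1469796201   # 14:43:21, inside the cache lifetime: no output
check_sample 1469796268   # 14:44:28, after expiry: enumtest@win.trust.test
```

On a live host the three inputs correspond to the `SSS_NSS_USE_MEMCACHE=NO getent group` line, the `date` output and the `dataExpireTimestamp` attribute used in the transcript.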

Comment 2 Thorsten Scherf 2016-07-29 13:29:13 UTC
This might be related to this upstream bug:

https://fedorahosted.org/sssd/ticket/2940

Comment 9 Jakub Hrozek 2016-12-02 10:48:28 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2940

Comment 12 shridhar 2017-05-26 06:55:17 UTC
Verified with:
[root@shr-r7-permanent ~]# rpm -q sssd
sssd-1.15.2-33.el7.x86_64


[root@shr-r7-permanent ~]# adcli create-group gr2 --domain=sssd16.qe --login-ccache='KEYRING:persistent:0:0'
[root@shr-r7-permanent ~]# adcli create-user  adu1 --domain=sssd16.qe --login-ccache='KEYRING:persistent:0:0'

[root@shr-r7-permanent ~]# date; SSS_NSS_USE_MEMCACHE=NO getent group gr2@sssd16.qe
Fri May 26 02:32:47 EDT 2017
gr2@sssd16.qe:*:616401130:

[root@shr-r7-permanent ~]# adcli add-member gr2 adu1 --domain=sssd16.qe --login-ccache='KEYRING:persistent:0:0'
[root@shr-r7-permanent ~]# sleep 30
[root@shr-r7-permanent ~]# date; SSS_NSS_USE_MEMCACHE=NO getent group gr2@sssd16.qe
Fri May 26 02:33:44 EDT 2017
gr2@sssd16.qe:*:616401130:adu1@sssd16.qe

[root@shr-r7-permanent ~]# adcli remove-member gr2 adu1 --domain=sssd16.qe --login-ccache='KEYRING:persistent:0:0'
[root@shr-r7-permanent ~]# sleep 30

[root@shr-r7-permanent ~]# date; SSS_NSS_USE_MEMCACHE=NO getent group gr2@sssd16.qe
Fri May 26 02:35:33 EDT 2017
gr2@sssd16.qe:*:616401130:

Comment 13 errata-xmlrpc 2017-08-01 08:58:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294

