Bug 1371538 - when group is invalidated using sss_cache dataExpireTimestamp entry in the domain and timestamps cache are inconsistent

Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.3
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Assignee: Petr Čech
QA Contact: Niranjan Mallapadi Raghavender
Duplicates: 1373293
Reported: 2016-08-30 12:32 UTC by Niranjan Mallapadi Raghavender
Modified: 2020-05-02 18:28 UTC
Fixed In Version: sssd-1.15.2-2.el7
Last Closed: 2017-08-01 08:58:07 UTC

Links
Github SSSD sssd issues 4197 (last updated 2020-05-02 18:28:25 UTC)
Red Hat Product Errata RHEA-2017:2294, SHIPPED_LIVE: sssd bug fix and enhancement update (last updated 2017-08-01 12:39:55 UTC)

Description Niranjan Mallapadi Raghavender 2016-08-30 12:32:09 UTC
Description of problem:

When groups or users are invalidated with sss_cache, the group/user information in the domain cache (cache_LDAP.ldb) and the timestamps cache is inconsistent with regard to the dataExpireTimestamp attribute.

Version-Release number of selected component (if applicable):

sssd-client-1.14.0-30.el7.x86_64
sssd-dbus-1.14.0-30.el7.x86_64
python-sssdconfig-1.14.0-30.el7.noarch
sssd-ipa-1.14.0-30.el7.x86_64
sssd-tools-1.14.0-30.el7.x86_64
sssd-krb5-common-1.14.0-30.el7.x86_64
sssd-krb5-1.14.0-30.el7.x86_64
python-sss-1.14.0-30.el7.x86_64
libsss_autofs-1.14.0-30.el7.x86_64
libsss_nss_idmap-1.14.0-30.el7.x86_64
sssd-common-pac-1.14.0-30.el7.x86_64
sssd-ldap-1.14.0-30.el7.x86_64
sssd-proxy-1.14.0-30.el7.x86_64
sssd-debuginfo-1.14.0-30.el7.x86_64
libsss_idmap-1.14.0-30.el7.x86_64
sssd-ad-1.14.0-30.el7.x86_64
sssd-1.14.0-30.el7.x86_64
sssd-testlib-0.1-1.el7.noarch
sssd-common-1.14.0-30.el7.x86_64
libsss_simpleifp-1.14.0-30.el7.x86_64

Steps to Reproduce:
1. Configure an LDAP server with users and groups, for example users idm1 to idm8, and create groups idm_group1 to idm_group2 (having POSIX attributes)
2. Make user idm1 a member of idm_group1
3. Configure a RHEL 7.3 client to authenticate against the LDAP server
[root@client1 db]# cat /etc/sssd/sssd.conf
[domain/LDAP]
cache_credentials = TRUE
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
chpass_provider = ldap
ldap_uri = ldaps://client2.example.test
ldap_tls_cacertdir = /etc/openldap/cacerts
debug_level = 0x0080

[sssd]
services = nss,pam
sbus_timeout = 30
config_file_version = 2
domains = LDAP
debug_level = 9

[nss]
filter_users = root,dbus,rpcuser,rpc,haldaemon,nobody,postfix,smmsp,nscd,ntp,apache
debug_level = 7

4. Restart cache.

5. Query the idm1 user so that it is saved in the cache
[root@client1 db]# getent passwd -s sss idm1
idm1:*:17583100:10001:IDM1 User:/home/idm1:/bin/bash
[root@client1 db]# getent passwd -s sss idm2
idm2:*:17583101:10002:IDM2 User:/home/idm2:/bin/bash
[root@client1 db]# getent group -s sss idm_group1
idm_group1:*:10001:idm1

6. Enumerate groups in the domain cache using the ldb tools

[root@client1 db]# ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb -b cn=groups,cn=LDAP,cn=sysdb
asq: Unable to register control with rootdse!
# record 1
dn: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb
createTimestamp: 1472559388
gidNumber: 10001
name: idm_group1@ldap
objectClass: group
isPosix: TRUE
originalDN: cn=idm_group1,ou=Groups,dc=example,dc=test
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
member: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
nameAlias: idm_group1@ldap
lastUpdate: 1472559388
dataExpireTimestamp: 1472564788
memberuid: idm1@ldap
distinguishedName: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb

7. Enumerate users in the domain cache using the ldb tools

[root@client1 db]# ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb -b cn=users,cn=LDAP,cn=sysdb
asq: Unable to register control with rootdse!
# record 1
dn: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
createTimestamp: 1472559388
fullName: IDM1 User
gecos: IDM1 User
gidNumber: 10001
homeDirectory: /home/idm1
loginShell: /bin/bash
name: idm1@ldap
objectClass: user
uidNumber: 17583100
originalDN: uid=idm1,ou=People,dc=example,dc=test
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
mail: idm1
nameAlias: idm1@ldap
lastUpdate: 1472559388
dataExpireTimestamp: 1472564788
memberof: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb
initgrExpireTimestamp: 1472564788
distinguishedName: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb

# record 2
dn: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb
createTimestamp: 1472559398
fullName: IDM2 User
gecos: IDM2 User
gidNumber: 10002
homeDirectory: /home/idm2
loginShell: /bin/bash
name: idm2@ldap
objectClass: user
uidNumber: 17583101
originalDN: uid=idm2,ou=People,dc=example,dc=test
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
mail: idm2
nameAlias: idm2@ldap
lastUpdate: 1472559398
dataExpireTimestamp: 1472564798
distinguishedName: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb

# record 3
dn: cn=users,cn=LDAP,cn=sysdb
cn: Users
distinguishedName: cn=users,cn=LDAP,cn=sysdb


8. Invalidate all users and group idm_group1

[root@client1 db]# sss_cache -U -g idm_group1

9. Check the domain cache.

[root@client1 db]# ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb -b cn=users,cn=LDAP,cn=sysdb
asq: Unable to register control with rootdse!
# record 1
dn: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
createTimestamp: 1472559388
fullName: IDM1 User
gecos: IDM1 User
gidNumber: 10001
homeDirectory: /home/idm1
loginShell: /bin/bash
name: idm1@ldap
objectClass: user
uidNumber: 17583100
originalDN: uid=idm1,ou=People,dc=example,dc=test
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
mail: idm1
nameAlias: idm1@ldap
lastUpdate: 1472559388
dataExpireTimestamp: 1472564788
memberof: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb
initgrExpireTimestamp: 1472564788
distinguishedName: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb

# record 2
dn: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb
createTimestamp: 1472559398
fullName: IDM2 User
gecos: IDM2 User
gidNumber: 10002
homeDirectory: /home/idm2
loginShell: /bin/bash
name: idm2@ldap
objectClass: user
uidNumber: 17583101
originalDN: uid=idm2,ou=People,dc=example,dc=test
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
mail: idm2
nameAlias: idm2@ldap
lastUpdate: 1472559398
dataExpireTimestamp: 1
initgrExpireTimestamp: 1
distinguishedName: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb

# record 3
dn: cn=users,cn=LDAP,cn=sysdb
cn: Users
distinguishedName: cn=users,cn=LDAP,cn=sysdb

10. Check the timestamps cache

[root@client1 db]# ldbsearch -H /var/lib/sss/db/timestamps_LDAP.ldb -b cn=users,cn=LDAP,cn=sysdb
# record 1
dn: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
lastUpdate: 1472559388
objectClass: user
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
dataExpireTimestamp: 1
initgrExpireTimestamp: 1
distinguishedName: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb

# record 2
dn: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb
lastUpdate: 1472559398
objectClass: user
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
dataExpireTimestamp: 1
initgrExpireTimestamp: 1
distinguishedName: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb

# record 3
dn: cn=users,cn=LDAP,cn=sysdb
cn: Users
distinguishedName: cn=users,cn=LDAP,cn=sysdb

11. Enumerate the domain cache for groups

[root@client1 db]# ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb -b cn=groups,cn=LDAP,cn=sysdb
asq: Unable to register control with rootdse!
# record 1
dn: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb
createTimestamp: 1472559388
gidNumber: 10001
name: idm_group1@ldap
objectClass: group
isPosix: TRUE
originalDN: cn=idm_group1,ou=Groups,dc=example,dc=test
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
member: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
nameAlias: idm_group1@ldap
lastUpdate: 1472559388
dataExpireTimestamp: 1472564788
memberuid: idm1@ldap
distinguishedName: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb

# record 2
dn: cn=groups,cn=LDAP,cn=sysdb
cn: Groups
distinguishedName: cn=groups,cn=LDAP,cn=sysdb

12. Enumerate the timestamps_LDAP.ldb cache to verify that the group information is invalidated.

[root@client1 db]# ldbsearch -H /var/lib/sss/db/timestamps_LDAP.ldb -b cn=groups,cn=LDAP,cn=sysdb
# record 1
dn: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb
lastUpdate: 1472559388
objectClass: group
originalModifyTimestamp: 20160830050239Z
entryUSN: 20160830050239Z
dataExpireTimestamp: 1
distinguishedName: name=idm_group1@ldap,cn=groups,cn=LDAP,cn=sysdb

# record 2
dn: cn=groups,cn=LDAP,cn=sysdb
cn: Groups
distinguishedName: cn=groups,cn=LDAP,cn=sysdb

Actual results:

The dataExpireTimestamp in timestamps_LDAP.ldb shows 1 after invalidation, but dataExpireTimestamp in cache_LDAP.ldb still shows 1472564788.


Expected results:

dataExpireTimestamp should be the same in both caches.

Additional info:

Comment 2 Jakub Hrozek 2016-08-31 15:28:33 UTC
Judging by a quick test, I can reproduce

Comment 3 Jakub Hrozek 2016-08-31 15:29:36 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/3164

Comment 4 Jakub Hrozek 2016-09-06 07:04:32 UTC
*** Bug 1373293 has been marked as a duplicate of this bug. ***

Comment 5 Jakub Hrozek 2016-11-28 10:33:40 UTC
Petr will take a look out-of-band, but not critical enough to warrant an ack for now.

Comment 6 Jakub Hrozek 2017-03-23 08:05:13 UTC
master: 57a924e71230ea360b19a88e0d5818cf01017161

Comment 8 Niranjan Mallapadi Raghavender 2017-05-26 07:05:14 UTC
Versions:
sssd-common-pac-1.15.2-29.el7.x86_64
sssd-winbind-idmap-1.15.2-25.el7.x86_64
sssd-client-1.15.2-29.el7.x86_64
sssd-krb5-common-1.15.2-29.el7.x86_64
sssd-krb5-1.15.2-29.el7.x86_64
sssd-dbus-1.15.2-29.el7.x86_64
sssd-kcm-1.15.2-29.el7.x86_64
python-sssdconfig-1.15.2-29.el7.noarch
sssd-common-1.15.2-29.el7.x86_64
sssd-ad-1.15.2-29.el7.x86_64
sssd-proxy-1.15.2-29.el7.x86_64
sssd-1.15.2-29.el7.x86_64
sssd-ipa-1.15.2-29.el7.x86_64
sssd-tools-1.15.2-29.el7.x86_64
sssd-libwbclient-1.15.2-25.el7.x86_64
sssd-ldap-1.15.2-29.el7.x86_64

sssd.conf:
======

[sssd]
domains = EXAMPLE.TEST
config_file_version = 2
services = nss, pam

[domain/EXAMPLE.TEST]
id_provider = ldap
ldap_uri = ldaps://idm1.example.test
ldap_search_base = dc=example,dc=test
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
auth_provider = ldap
debug_level = 9
cache_credentials = True
ldap_schema = rfc2307
chpass_provider = ldap

[nss]
filter_users = root,dbus,rpcuser,rpc,haldaemon,nobody,postfix,smmsp,nscd,ntp,apache
debug_level = 7

1. Add a user idm1 and a group idm_group1 in LDAP.

2. Query the sss cache and verify that both the user and the group entries are cached.

[root@idm1 ~]# getent passwd -s sss idm1
idm1:*:17583100:19564100:idm1 User:/home/idm1:/bin/bash
[root@idm1 ~]# getent group -s sss idm_group1
idm_group1:*:19564100:idm1


3. Run the ldbsearch tool and verify the cache entries

[root@idm1 ~]# ldbsearch -H /var/lib/sss/db/cache_EXAMPLE.TEST.ldb -b "cn=groups,cn=EXAMPLE.TEST,cn=sysdb"
asq: Unable to register control with rootdse!
# record 1
dn: name=idm_group1,cn=groups,cn=EXAMPLE.TEST,cn=sysdb
createTimestamp: 1495781647
gidNumber: 19564100
name: idm_group1
objectClass: group
isPosix: TRUE
originalDN: cn=idm_group1,ou=Groups,dc=example,dc=test
originalModifyTimestamp: 20170526065335Z
entryUSN: 20170526065335Z
member: name=idm1,cn=users,cn=EXAMPLE.TEST,cn=sysdb
nameAlias: idm_group1
lastUpdate: 1495781647
dataExpireTimestamp: 1495787047
memberuid: idm1
distinguishedName: name=idm_group1,cn=groups,cn=EXAMPLE.TEST,cn=sysdb


[root@idm1 ~]# ldbsearch -H /var/lib/sss/db/cache_EXAMPLE.TEST.ldb -b "cn=users,cn=EXAMPLE.TEST,cn=sysdb"
asq: Unable to register control with rootdse!
# record 1
dn: cn=users,cn=EXAMPLE.TEST,cn=sysdb
cn: Users
distinguishedName: cn=users,cn=EXAMPLE.TEST,cn=sysdb

# record 2
dn: name=idm1,cn=users,cn=EXAMPLE.TEST,cn=sysdb
createTimestamp: 1495781641
fullName: idm1 User
gecos: idm1 User
gidNumber: 19564100
homeDirectory: /home/idm1
loginShell: /bin/bash
name: idm1
objectClass: user
uidNumber: 17583100
originalDN: uid=idm1,ou=People,dc=example,dc=test
originalModifyTimestamp: 20170526065050Z
entryUSN: 20170526065050Z
shadowLastChange: 17312
mail: idm1
nameAlias: idm1
isPosix: TRUE
lastUpdate: 1495781641
dataExpireTimestamp: 1495787041
memberof: name=idm_group1,cn=groups,cn=EXAMPLE.TEST,cn=sysdb
distinguishedName: name=idm1,cn=users,cn=EXAMPLE.TEST,cn=sysdb

4. Invalidate the group idm_group1

[root@idm1 ~]# sss_cache -U -g idm_group1

5. Run ldbsearch against the domain cache and check that dataExpireTimestamp is 1.

[root@idm1 ~]# ldbsearch -H /var/lib/sss/db/cache_EXAMPLE.TEST.ldb -b "cn=users,cn=EXAMPLE.TEST,cn=sysdb"
asq: Unable to register control with rootdse!
# record 1
dn: cn=users,cn=EXAMPLE.TEST,cn=sysdb
cn: Users
distinguishedName: cn=users,cn=EXAMPLE.TEST,cn=sysdb

dn: name=idm1,cn=users,cn=EXAMPLE.TEST,cn=sysdb
createTimestamp: 1495781641
fullName: idm1 User
gecos: idm1 User
gidNumber: 19564100
homeDirectory: /home/idm1
loginShell: /bin/bash
name: idm1
objectClass: user
uidNumber: 17583100
originalDN: uid=idm1,ou=People,dc=example,dc=test
originalModifyTimestamp: 20170526065050Z
entryUSN: 20170526065050Z
shadowLastChange: 17312
mail: idm1
nameAlias: idm1
isPosix: TRUE
lastUpdate: 1495781641
memberof: name=idm_group1,cn=groups,cn=EXAMPLE.TEST,cn=sysdb
dataExpireTimestamp: 1
initgrExpireTimestamp: 1
distinguishedName: name=idm1,cn=users,cn=EXAMPLE.TEST,cn=sysdb


6. Verify against the timestamps cache and check that dataExpireTimestamp is 1 for the user entry

[root@idm1 ~]# ldbsearch -H /var/lib/sss/db/timestamps_EXAMPLE.TEST.ldb -b "cn=users,cn=EXAMPLE.TEST,cn=sysdb"
# record 1
dn: cn=users,cn=EXAMPLE.TEST,cn=sysdb
cn: Users
distinguishedName: cn=users,cn=EXAMPLE.TEST,cn=sysdb

# record 2
dn: name=idm1,cn=users,cn=EXAMPLE.TEST,cn=sysdb
lastUpdate: 1495781641
objectClass: user
originalModifyTimestamp: 20170526065050Z
entryUSN: 20170526065050Z
dataExpireTimestamp: 1
initgrExpireTimestamp: 1
distinguishedName: name=idm1,cn=users,cn=EXAMPLE.TEST,cn=sysdb

7. Check the same for the group entry in the domain cache and the timestamps cache.

[root@idm1 ~]# ldbsearch -H /var/lib/sss/db/cache_EXAMPLE.TEST.ldb -b "cn=groups,cn=EXAMPLE.TEST,cn=sysdb"
asq: Unable to register control with rootdse!
# record 1
dn: name=idm_group1,cn=groups,cn=EXAMPLE.TEST,cn=sysdb
createTimestamp: 1495781647
gidNumber: 19564100
name: idm_group1
objectClass: group
isPosix: TRUE
originalDN: cn=idm_group1,ou=Groups,dc=example,dc=test
originalModifyTimestamp: 20170526065335Z
entryUSN: 20170526065335Z
member: name=idm1,cn=users,cn=EXAMPLE.TEST,cn=sysdb
nameAlias: idm_group1
lastUpdate: 1495781647
memberuid: idm1
dataExpireTimestamp: 1
distinguishedName: name=idm_group1,cn=groups,cn=EXAMPLE.TEST,cn=sysdb



[root@idm1 ~]# ldbsearch -H /var/lib/sss/db/timestamps_EXAMPLE.TEST.ldb -b "cn=groups,cn=EXAMPLE.TEST,cn=sysdb"
# record 1
dn: name=idm_group1,cn=groups,cn=EXAMPLE.TEST,cn=sysdb
lastUpdate: 1495781647
objectClass: group
originalModifyTimestamp: 20170526065335Z
entryUSN: 20170526065335Z
dataExpireTimestamp: 1
distinguishedName: name=idm_group1,cn=groups,cn=EXAMPLE.TEST,cn=sysdb

From the above output, the dataExpireTimestamp entry in both the domain cache and the timestamps cache is consistent.
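
The check that comment 8 performs by eye, as an added example that is not code from the bug report or from SSSD: it parses the ldbsearch output of the domain cache and the timestamps cache and lists every entry whose dataExpireTimestamp or initgrExpireTimestamp differs between the two, which is the symptom reported in the description. The embedded sample is constructed from the step 9 and 10 values above; it assumes single-valued attributes and the ldbsearch LDIF layout shown on this page.

```python
"""Cross-check expiry timestamps between an SSSD domain cache and its
timestamps cache (added example, not code from the bug report or SSSD).
Input: the LDIF printed by ldbsearch on cache_<dom>.ldb / timestamps_<dom>.ldb."""
import re

# After sss_cache these must agree in both caches (1 == invalidated).
EXPIRE_ATTRS = ("dataExpireTimestamp", "initgrExpireTimestamp")
# Constructed sample, trimmed from the report's step 9 and 10 output.
CACHE_LDIF = """\
asq: Unable to register control with rootdse!
# record 1
dn: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
dataExpireTimestamp: 1472564788
initgrExpireTimestamp: 1472564788

# record 2
dn: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb
dataExpireTimestamp: 1
initgrExpireTimestamp: 1
"""
TIMESTAMPS_LDIF = """\
# record 1
dn: name=idm1@ldap,cn=users,cn=LDAP,cn=sysdb
dataExpireTimestamp: 1
initgrExpireTimestamp: 1

# record 2
dn: name=idm2@ldap,cn=users,cn=LDAP,cn=sysdb
dataExpireTimestamp: 1
initgrExpireTimestamp: 1
"""


def parse_ldbsearch(text):
    """Return {dn: {attr: value}}; skips '# record' and 'asq:' noise.
    Single-valued attributes only, which is enough for the expiry fields."""
    entries, cur = {}, {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last record
        if not line.strip():
            if "dn" in cur:
                entries[cur["dn"]] = cur
            cur = {}
        elif not line.startswith(("#", "asq:")):
            m = re.match(r"^([A-Za-z][\w-]*):\s*(.*)$", line)
            if m:
                cur[m.group(1)] = m.group(2)
    return entries


def find_inconsistencies(cache_ldif, timestamps_ldif):
    """[(dn, attr, cache_value, timestamps_value)] for entries present in
    both caches whose expiry attributes disagree, i.e. the reported symptom."""
    cache, ts = parse_ldbsearch(cache_ldif), parse_ldbsearch(timestamps_ldif)
    return [(dn, a, cache[dn][a], ts[dn][a])
            for dn in sorted(cache.keys() & ts.keys())
            for a in EXPIRE_ATTRS
            if a in cache[dn] and a in ts[dn] and cache[dn][a] != ts[dn][a]]
```

On a live system, feed it the output of the two ldbsearch commands shown in this report; a non-empty result right after sss_cache means the two caches disagree, as they did before the fix.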

Comment 9 errata-xmlrpc 2017-08-01 08:58:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294