Bug 1430415
| Summary: | ldap_purge_cache_timeout in RHEL7.3 invalidate most of the entries once the cleanup task kicks in | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Ming Davies <minyu> |
| Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> |
| Status: | CLOSED ERRATA | QA Contact: | shridhar <sgadekar> |
| Severity: | high | Priority: | high |
| Version: | 7.3 | CC: | apeddire, dmoessne, fidencio, grajaiya, jhrozek, lslebodn, minyu, mkosek, mzidek, pbrezina, sgoveas, sssd-maint, striker, tscherf |
| Target Milestone: | rc | Keywords: | Regression, ZStream |
| Hardware: | Unspecified | OS: | Unspecified |
| Fixed In Version: | sssd-1.15.2-47.el7 | Type: | Bug |
| Last Closed: | 2017-08-01 09:04:18 UTC | Bug Blocks: | 1420851, 1452916, 1471808 |

Description
Ming Davies
2017-03-08 14:51:11 UTC
Created attachment 1270783
latest sssd debug
Hi, thank you for the logs. This is indeed an issue due to the introduction of the timestamp cache to speed up performance.

1. Full enumeration fills cache with users and groups
   -- for the next three hours enumeration will be using entryUSN to fetch only new entries
2. Purge cache timeout kicks in
   -- Full enumeration is done, but it only updates timestamp cache
   -- We search users in data cache with expiration time filter
   -- We end up deleting all users
3. Again only smart enumeration with entryUSN is used, which won't get any result
4. Purge cache timeout
   -- Full enumeration will populate the cache
   -- No users or groups are expired

The same situation may be in sudo rules, anyone who will work on this ticket should investigate.

Upstream ticket: https://pagure.io/SSSD/sssd/issue/3369

(In reply to Pavel Březina from comment #12)
> The same situation may be in sudo rules, anyone who will work on this ticket
> should investigate.

sudo rules do not have a timestamp cache.

*** Bug 1394295 has been marked as a duplicate of this bug. ***

*** Bug 1452397 has been marked as a duplicate of this bug. ***

master:
* 05e579691b51ac2f81ab0c828ff6fe57bd86a8b6
* 41708e1e500e7cada3d3e606aa2b8b9869a5c734
* a71f1a655dcc2ca6dc16bb8eb1c4c9e24cfe2c3e
* 9883d1e2913ff0c1db479f1ece8148e03155c7f3
* 8ad57e17779b3ec60246ac58c1691ee15745084c
* 347be58e1769ba90b49a7e5ec1678ef66987f6cd
* 01c6bb9b47401f9f14c4cfe5c5f03fce2e63629b

verified with

```
~]# rpm -q sssd
sssd-1.15.2-47.el7.x86_64

[root@shr7-permanent ~]# cat /etc/sssd/sssd.conf
[sssd]
domains = childb.sssd16.qe
config_file_version = 2
services = nss, pam

[domain/childb.sssd16.qe]
ad_domain = childb.sssd16.qe
krb5_realm = CHILDB.SSSD16.QE
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
ad_enabled_domains = first.sssd16.qe, childb.sssd16.qe
debug_level = 9
enumerate = true
ldap_enumeration_refresh_timeout = 30
ldap_purge_cache_timeout = 60
entry_cache_timeout = 20

~]# service sssd stop ; rm -rf /var/lib/sss/db/* ; rm -rf /var/log/sssd/* ; date ; service sssd start
Redirecting to /bin/systemctl stop sssd.service
Mon Jun 19 10:15:38 EDT 2017
Redirecting to /bin/systemctl start sssd.service

[root@shr7-permanent ~]# ldbsearch -H /var/lib/sss/db/cache_childb.sssd16.qe.ldb 2> /dev/null |tail -n5
d16.qe,cn=sysdb
# returned 49 records
# 49 entries
# 0 referrals

[root@shr7-permanent ~]# sleep 60
[root@shr7-permanent ~]# ldbsearch -H /var/lib/sss/db/cache_childb.sssd16.qe.ldb |egrep cbu3
asq: Unable to register control with rootdse!
member: name=cbu3.qe,cn=users,cn=childb.sssd16.qe,cn=sysdb
memberuid: cbu3.qe
dn: name=cbu3.qe,cn=users,cn=childb.sssd16.qe,cn=sysdb
fullName: cbu3
gecos: cbu3
name: cbu3.qe
originalDN: CN=cbu3,CN=Users,DC=childb,DC=sssd16,DC=qe
userPrincipalName: cbu3.QE
nameAlias: cbu3.qe
distinguishedName: name=cbu3.qe,cn=users,cn=childb.sssd16.qe,cn=

[root@shr7-permanent ~]# egrep cleanup_user /var/log/sssd/sssd_childb.sssd16.qe.log
(Mon Jun 19 10:15:38 2017) [sssd[be[childb.sssd16.qe]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Mon Jun 19 10:15:38 2017) [sssd[be[childb.sssd16.qe]]] [cleanup_users] (0x0200): Found 0 expired user entries!
(Mon Jun 19 10:17:08 2017) [sssd[be[childb.sssd16.qe]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Mon Jun 19 10:17:08 2017) [sssd[be[childb.sssd16.qe]]] [cleanup_users] (0x0200): Found 0 expired user entries!

[root@shr7-permanent ~]# sleep 60
[root@shr7-permanent ~]# egrep cleanup_user /var/log/sssd/sssd_childb.sssd16.qe.log
(Mon Jun 19 10:15:38 2017) [sssd[be[childb.sssd16.qe]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Mon Jun 19 10:15:38 2017) [sssd[be[childb.sssd16.qe]]] [cleanup_users] (0x0200): Found 0 expired user entries!
(Mon Jun 19 10:17:08 2017) [sssd[be[childb.sssd16.qe]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Mon Jun 19 10:17:08 2017) [sssd[be[childb.sssd16.qe]]] [cleanup_users] (0x0200): Found 0 expired user entries!

[root@shr7-permanent ~]# ldbsearch -H /var/lib/sss/db/cache_childb.sssd16.qe.ldb |egrep cbu3
asq: Unable to register control with rootdse!
member: name=cbu3.qe,cn=users,cn=childb.sssd16.qe,cn=sysdb
memberuid: cbu3.qe
memberuid: cbu3.qe
dn: name=cbu3.qe,cn=users,cn=childb.sssd16.qe,cn=sysdb
fullName: cbu3
gecos: cbu3
name: cbu3.qe
originalDN: CN=cbu3,CN=Users,DC=childb,DC=sssd16,DC=qe
userPrincipalName: cbu3.QE
nameAlias: cbu3.qe
distinguishedName: name=cbu3.qe,cn=users,cn=childb.sssd16.qe,cn=

~]# ldbsearch -H /var/lib/sss/db/cache_childb.sssd16.qe.ldb 2> /dev/null |tail -n5
d16.qe,cn=sysdb
# returned 49 records
# 49 entries
# 0 referrals

[root@shr7-permanent ~]# date
Mon Jun 19 10:22:03 EDT 2017
[root@shr7-permanent ~]# egrep cleanup_user /var/log/sssd/sssd_childb.sssd16.qe.log
(Mon Jun 19 10:15:38 2017) [sssd[be[childb.sssd16.qe]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Mon Jun 19 10:15:38 2017) [sssd[be[childb.sssd16.qe]]] [cleanup_users] (0x0200): Found 0 expired user entries!
(Mon Jun 19 10:17:08 2017) [sssd[be[childb.sssd16.qe]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Mon Jun 19 10:17:08 2017) [sssd[be[childb.sssd16.qe]]] [cleanup_users] (0x0200): Found 0 expired user entries!
(Mon Jun 19 10:18:38 2017) [sssd[be[childb.sssd16.qe]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Mon Jun 19 10:18:38 2017) [sssd[be[childb.sssd16.qe]]] [cleanup_users] (0x0200): Found 0 expired user entries!
(Mon Jun 19 10:20:08 2017) [sssd[be[childb.sssd16.qe]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Mon Jun 19 10:20:08 2017) [sssd[be[childb.sssd16.qe]]] [cleanup_users] (0x0200): Found 0 expired user entries!
(Mon Jun 19 10:21:38 2017) [sssd[be[childb.sssd16.qe]]] [cleanup_users] (0x4000): Cache expiration is set to 0 days
(Mon Jun 19 10:21:38 2017) [sssd[be[childb.sssd16.qe]]] [cleanup_users] (0x0200): Found 0 expired user entries!
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294
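
The four-step sequence from the analysis earlier in this bug, replayed as a simplified two-cache model. This is an added example, not SSSD code and not a description of the upstream commits: `Domain`, `replay`, the `consult_ts` switch and the user names are hypothetical, and the two timeouts are taken from the sssd.conf in the verification comment.

```python
# Simplified model of the sequence in the analysis; NOT SSSD's code.
# Domain, its methods, consult_ts and the user names are hypothetical.
from dataclasses import dataclass, field

ENTRY_TTL = 20     # entry_cache_timeout from the sssd.conf in the report
PURGE_EVERY = 60   # ldap_purge_cache_timeout from the same file

@dataclass
class Domain:
    data: dict = field(default_factory=dict)  # data cache: name -> expiry
    ts: dict = field(default_factory=dict)    # timestamp cache: name -> expiry

    def full_enumeration(self, server_users, now):
        for name in server_users:
            if name not in self.data:
                self.data[name] = now + ENTRY_TTL  # new entry is written to the data cache
            # An unchanged entry only gets its timestamp-cache expiry refreshed.
            self.ts[name] = now + ENTRY_TTL

    def smart_enumeration(self, changed_users, now):
        # entryUSN search: only entries modified on the server come back.
        for name in changed_users:
            self.data[name] = self.ts[name] = now + ENTRY_TTL

    def cleanup(self, now, consult_ts):
        # consult_ts=False filters on the data cache alone, as in the bug.
        def expiry(name):
            return max(self.data[name], self.ts.get(name, 0)) if consult_ts else self.data[name]
        expired = [n for n in self.data if expiry(n) <= now]
        for name in expired:
            self.data.pop(name)
            self.ts.pop(name, None)
        return len(expired)

def replay(consult_ts):
    """Return the number of cached users after each of the four steps."""
    server, dom, sizes = ["cbu1", "cbu2", "cbu3"], Domain(), []
    dom.full_enumeration(server, now=0)                  # step 1
    sizes.append(len(dom.data))
    dom.full_enumeration(server, now=PURGE_EVERY)        # step 2: purge timer fires
    dom.cleanup(now=PURGE_EVERY, consult_ts=consult_ts)
    sizes.append(len(dom.data))
    dom.smart_enumeration([], now=PURGE_EVERY + 30)      # step 3: nothing changed
    sizes.append(len(dom.data))
    dom.full_enumeration(server, now=2 * PURGE_EVERY)    # step 4: next purge
    dom.cleanup(now=2 * PURGE_EVERY, consult_ts=consult_ts)
    sizes.append(len(dom.data))
    return sizes
```

`replay(consult_ts=False)` empties the cache at step 2 and only refills it at step 4, which is the every-other-purge pattern the analysis describes; with `consult_ts=True` the entry count stays constant.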