Description of problem: The NSS responder maintains a timeout to not check for new domains all the time. Unfortunately this timeout is reset with every request in sss_dp_get_domains_send() and as a result on a busy system the timeout never expires and the domain list is never refreshed.
Upstream ticket: https://pagure.io/SSSD/sssd/issue/3967
How to test:
- use an AD or IPA setup with sub-domains, i.e. either other domains in the AD forest (AD) or a trust to an AD forest (IPA).
- start the client in offline mode with an empty cache, e.g. by removing all nameserver entries from /etc/resolv.conf.
- start a lookup for a sub-domain user every 30s in a loop; it is expected that the lookup fails while offline.
- add the nameserver entries back to /etc/resolv.conf.
- with a fixed version the user lookup in the loop should succeed after about 2 minutes (1 minute default offline timeout + 1 minute default domain refresh timeout) or sooner.
- with a broken version the user lookup in the loop should never succeed.
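The failure mode in the description (a "refresh at most every N seconds" guard whose deadline is pushed forward by every request, so a steady stream of requests starves the refresh) can be reproduced with a small constructed model. The code below is added for illustration and is not SSSD's sss_dp_get_domains_send(); the struct, the function names and the 30s/60s/10min numbers are assumptions chosen to mirror the test procedure.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a domain-refresh guard (not SSSD code). */
struct domain_refresh {
    int64_t last_check;   /* timestamp the guard compares against; -1 = never */
    int64_t interval;     /* minimum seconds between two refreshes */
    int     refreshes;    /* how many refreshes actually ran */
};

/* Handle one request arriving at 'now'. Returns true when a refresh runs.
 * reset_on_request selects the broken behaviour: the deadline moves on
 * every request, not only on a real refresh. */
static bool get_domains(struct domain_refresh *st, int64_t now, bool reset_on_request)
{
    bool due = st->last_check < 0 || now - st->last_check >= st->interval;

    if (!due) {
        if (reset_on_request) {
            /* Broken variant: requests closer together than 'interval'
             * keep pushing the deadline, so it never expires. */
            st->last_check = now;
        }
        return false;
    }

    /* Fixed variant: only an actual refresh moves the deadline. */
    st->last_check = now;
    st->refreshes++;
    return true;
}

/* One client issuing a lookup every 'period' seconds for 'duration' seconds;
 * returns how many domain refreshes took place. */
int simulate(bool reset_on_request, int64_t period, int64_t interval, int64_t duration)
{
    struct domain_refresh st = { .last_check = -1, .interval = interval, .refreshes = 0 };

    for (int64_t now = 0; now < duration; now += period) {
        get_domains(&st, now, reset_on_request);
    }
    return st.refreshes;
}

int main(void)
{
    /* Busy client (lookup every 30s) against a 60s refresh interval, 10 minutes. */
    printf("busy client, broken guard: %d refreshes\n", simulate(true, 30, 60, 600));
    printf("busy client, fixed guard:  %d refreshes\n", simulate(false, 30, 60, 600));
    /* Idle client (lookup every 120s): both variants refresh on every request,
     * which is why the bug only shows up on a busy system. */
    printf("idle client, broken guard: %d refreshes\n", simulate(true, 120, 60, 600));
    return 0;
}
```

With the broken guard the busy client triggers exactly one refresh in ten minutes (the initial one) while the fixed guard refreshes every 60s; with requests spaced wider than the interval both variants behave identically, matching the report's observation that the problem appears only under load.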
* master: c013643
* sssd-1-16: 3824008
verified with sssd-1.16.4-21.el7.x86_64

Issue reproduced with following version:
[root@vm-idm-016 ~]# rpm -q sssd
sssd-1.16.2-13.el7.x86_64

script used for testing
[root@vm-idm-016 ~]# cat new.sh
#!/bin/bash
cat /etc/resolv.conf > /etc/resolv.conf.bk
echo "Printing backed up resolv.conf.bk"
cat /etc/resolv.conf.bk
echo > /etc/resolv.conf
echo "Printing Modified resolv.conf"
cat /etc/resolv.conf
service sssd stop ; rm -rf /var/lib/sss/db/* ; rm -rf /var/log/sssd/* ; systemctl start sssd
echo " SSSD is starting in offline mode"
for i in `seq 4`; do id administrator.com; echo 'delay 30 secs' ; sleep 30 ; done
echo "Printing restored resolv.conf"
cat /etc/resolv.conf.bk > /etc/resolv.conf
cat /etc/resolv.conf
for i in `seq 12`; do id administrator.com; echo 'delay 30 sec'; sleep 30 ; done

[root@vm-idm-016 ~]# bash new.sh
Printing backed up resolv.conf.bk
nameserver 22.65.207.47
#nameserver 22.65.201.89
#nameserver 22.68.5.26
Printing Modified resolv.conf
Redirecting to /bin/systemctl stop sssd.service
 SSSD is starting in offline mode
id: administrator.com: no such user
delay 30 secs
id: administrator.com: no such user
delay 30 secs
id: administrator.com: no such user
delay 30 secs
id: administrator.com: no such user
delay 30 secs
Printing restored resolv.conf
nameserver 10.65.207.47
#nameserver 10.65.201.89
#nameserver 10.68.5.26
id: administrator.com: no such user
delay 30 sec
id: administrator.com: no such user
delay 30 sec
id: administrator.com: no such user
delay 30 sec
id: administrator.com: no such user
delay 30 sec
id: administrator.com: no such user
delay 30 sec
id: administrator.com: no such user
delay 30 sec
id: administrator.com: no such user
delay 30 sec
id: administrator.com: no such user
delay 30 sec
id: administrator.com: no such user
delay 30 sec
id: administrator.com: no such user
delay 30 sec
id: administrator.com: no such user
delay 30 sec
id: administrator.com: no such user
delay 30 sec

[root@vm-idm-016 ~]# yum update sssd
Loaded plugins: product-id, search-disabled-repos, subscription-manager
. [........] .
  Verifying  : libsss_autofs-1.16.2-13.el7.x86_64                        29/30
  Verifying  : sssd-proxy-1.16.2-13.el7.x86_64                           30/30

Updated:
  sssd.x86_64 0:1.16.4-21.el7

Dependency Updated:
  libipa_hbac.x86_64 0:1.16.4-21.el7
  libsss_autofs.x86_64 0:1.16.4-21.el7
  libsss_idmap.x86_64 0:1.16.4-21.el7
  libsss_sudo.x86_64 0:1.16.4-21.el7
  python-sssdconfig.noarch 0:1.16.4-21.el7
  sssd-ad.x86_64 0:1.16.4-21.el7
  sssd-client.x86_64 0:1.16.4-21.el7
  sssd-common.x86_64 0:1.16.4-21.el7
  sssd-common-pac.x86_64 0:1.16.4-21.el7
  sssd-ipa.x86_64 0:1.16.4-21.el7
  sssd-krb5.x86_64 0:1.16.4-21.el7
  sssd-krb5-common.x86_64 0:1.16.4-21.el7
  sssd-ldap.x86_64 0:1.16.4-21.el7
  sssd-proxy.x86_64 0:1.16.4-21.el7

Complete!

[root@vm-idm-016 ~]# rpm -q sssd
sssd-1.16.4-21.el7.x86_64

[root@vm-idm-016 ~]# bash new.sh
Printing backed up resolv.conf.bk
nameserver 22.65.207.47
#nameserver 22.65.201.89
#nameserver 22.68.5.26
Printing Modified resolv.conf
Redirecting to /bin/systemctl stop sssd.service
 SSSD is starting in offline mode
id: administrator.com: no such user
delay 30 secs
id: administrator.com: no such user
delay 30 secs
id: administrator.com: no such user
delay 30 secs
id: administrator.com: no such user
delay 30 secs
Printing restored resolv.conf
nameserver 22.65.207.47
#nameserver 22.65.201.89
#nameserver 22.68.5.26
id: administrator.com: no such user
delay 30 sec
id: administrator.com: no such user
delay 30 sec
uid=651800500(administrator.com) gid=651800500(administrator.com) groups=651800500(administrator.com),651800520(group policy creator owners.com),651800512(domain admins.com),651800513(domain users.com)
delay 30 sec
uid=651800500(administrator.com) gid=651800500(administrator.com) groups=651800500(administrator.com),651800520(group policy creator owners.com),651800512(domain admins.com),651800513(domain users.com)
delay 30 sec
^C
[root@vm-idm-016 ~]#
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:2177