Bug 1724088 - negative cache does not use values from 'filter_users' config option for known domains
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Sumit Bose
QA Contact: ipa-qe
Whiteboard: sync-to-jira
Depends On:
Blocks: 1726945 1758566
Reported: 2019-06-26 08:41 UTC by anuja
Modified: 2020-05-02 19:08 UTC (History)

Fixed In Version: sssd-1.16.4-23.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1726945 1758566
Last Closed: 2020-03-31 19:44:37 UTC
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 4950 0 None closed UPN negative cache does not use values from 'filter_users' config option 2021-01-23 12:38:01 UTC
Red Hat Product Errata RHBA-2020:1053 0 None None None 2020-03-31 19:45:20 UTC

Description anuja 2019-06-26 08:41:33 UTC
Description of problem:
The UPN negative cache does not use values from the 'filter_users' config option and, as a result, a backend lookup is triggered also for those users.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
 - Set up trust
 - Change domain resolution order to prefer the AD domain
 - Add aduser to filter_users in sssd.conf
 - ipactl stop
 - rm -f sssd logs and cache
 - sssd start
 - ipactl start
 - sssctl domain-list should not show the AD domain
 - keep calling sssctl domain-list until you do see the AD domain
 - then run id user@ad.domain
 - check that there are no calls to [cache_req_search_dp] for user@ad.domain in sssd_nss.log

Actual results:
LDAP lookups for 'user@ad.domain'

Expected results:
No LDAP lookups for 'user@ad.domain'

Additional info:
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1685472#c10

Comment 2 Sumit Bose 2019-06-26 08:44:28 UTC
Needed patches are:

* master: e7e212b
* sssd-1-16:
  * 934341e
  * 05b37ac

Comment 3 Jakub Hrozek 2019-06-26 13:45:32 UTC
Upstream ticket:

Comment 8 James Hartsock 2019-08-08 19:22:09 UTC
Bugzilla not allowing solution link, so doing as comment:

Comment 14 anuja 2019-10-09 09:27:08 UTC
Performed Steps As per :

[root@ipaqavmb ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.8 Beta (Maipo)
[root@ipaqavmb ~]#  rpm -qa sssd
[root@ipaqavmb ~]# ipa config-show | grep resolution
  Domain resolution order: ipaad2k16cin.test:gss78.test
[root@ipaqavmb ~]# grep -B 3 "filter_users" /etc/sssd/sssd.conf
memcache_timeout = 600
homedir_substring = /home
filter_users = aduser1@ipaad2k16cin.test
[root@ipaqavmb ~]# ipactl stop 
Stopping ipa-dnskeysyncd Service
Stopping ipa-otpd Service
Stopping winbind Service
Stopping smb Service
Stopping pki-tomcatd Service
Stopping ntpd Service
Stopping ipa-custodia Service
Stopping httpd Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
ipa: INFO: The ipactl command was successful
[root@ipaqavmb ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
[root@ipaqavmb ~]# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting httpd Service
Starting ipa-custodia Service
Starting ntpd Service
Starting pki-tomcatd Service
Starting smb Service
Starting winbind Service
Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@ipaqavmb ~]# sssctl domain-list | grep ipaad2k16cin.test
[root@ipaqavmb ~]# id aduser1@ipaad2k16cin.test ; date
id: aduser1@ipaad2k16cin.test: no such user
Wed Oct  9 05:20:39 EDT 2019
[root@ipaqavmb ~]# grep -F "Looking up [aduser1@ipaad2k16cin.test] in data provider" /var/log/sssd/sssd_nss.log
[root@ipaqavmb ~]# echo $?

In the latest version there is no call log for known domains like "Looking up [aduser@ad.domain] in data provider" messages in sssd_nss.log.
Based on this, moving the bz to verified.
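The final check of the reproduction steps and the grep in comment 14, as a reusable script (an added example, not from the bug report or the sssd project): it reads the filter_users entries out of sssd.conf and fails if any of them appears in a "Looking up [...] in data provider" line of sssd_nss.log. The file paths, the [nss] section placement and the sample log lines are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the bug report: verify that no user listed in
# filter_users reached the backend ("Looking up [...] in data provider").
# Assumed real-world paths: /etc/sssd/sssd.conf, /var/log/sssd/sssd_nss.log.

# Print each filter_users entry (comma-separated in sssd.conf) on its own line.
# Section headers are ignored, so entries from every section are collected.
filter_users_from_conf() {
    sed -n 's/^[[:space:]]*filter_users[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v '^$' || true
}

# Return 0 when no filtered user appears in a data-provider lookup line of the
# given sssd_nss.log, 1 otherwise (each offending user is reported).
check_filtered_lookups() {
    conf=$1; log=$2; rc=0
    for u in $(filter_users_from_conf "$conf"); do
        if grep -qF "Looking up [$u] in data provider" "$log"; then
            echo "FAIL: backend lookup for filtered user $u in $log"
            rc=1
        fi
    done
    return $rc
}

# Write constructed sample files (not real captures) into a temp dir, print it.
make_samples() {
    d=$(mktemp -d)
    cat >"$d/sssd.conf" <<'EOF'
[nss]
memcache_timeout = 600
filter_users = aduser1@ipaad2k16cin.test, root
EOF
    # Fixed build: only a non-filtered user is looked up in the data provider.
    cat >"$d/good.log" <<'EOF'
[cache_req_search_dp] (0x0400): CR #3: Looking up [aduser2@ipaad2k16cin.test] in data provider
EOF
    # Broken build: the filtered UPN still triggers a backend lookup.
    cat >"$d/bad.log" <<'EOF'
[cache_req_search_dp] (0x0400): CR #1: Looking up [aduser1@ipaad2k16cin.test] in data provider
EOF
    echo "$d"
}

# Stand-alone run against the constructed samples.
samples=$(make_samples)
check_filtered_lookups "$samples/sssd.conf" "$samples/good.log" && echo "good.log: OK"
check_filtered_lookups "$samples/sssd.conf" "$samples/bad.log" || echo "bad.log: lookup detected"
```

On a real host, point the two arguments at /etc/sssd/sssd.conf and /var/log/sssd/sssd_nss.log after running the `id user@ad.domain` step; a non-zero exit means the filtered user still hit the backend.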

Comment 17 errata-xmlrpc 2020-03-31 19:44:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

