Description of problem: SSSD has a cleanup task that removes unreferenced groups from the cache in order to keep the cache size down. However, we were only checking for direct group memberships, and not for whether there were users who had this group as their primary group ID. As a result, it is possible for SSSD to purge legitimate groups from the cache. This can cause issues with group-based access control permissions such as access.conf and sudoers. Version-Release number of selected component (if applicable): sssd-1.2.1-35.el5 How reproducible: Consistently Steps to Reproduce: 1. Create a new group on the LDAP server. Note its ID. 2. Create a new user on the LDAP server. Set its gidNumber attribute to match the ID of the group created earlier. 3. On the client, set ldap_purge_cache_timeout = 5 (this will reduce the time between cleanup tasks to five seconds, to illustrate the problem, normally it defaults to twelve hours). Restart the sssd and wait ten seconds (to ensure full startup is done) 4. On the client, run 'id username'. The user and group will be listed. 5. Sleep six seconds. 6. Run 'id username'. The user will be missing the group. Actual results: Groups that are only identified as a user's primary group are removed when the cache cleanup routine runs. Expected results: All groups referenced by cached users should be intact. Additional info: Upstream bug: https://fedorahosted.org/sssd/ticket/624 Patch is available.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2011-0044.html