+++ This bug was initially created as a clone of Bug #677768 +++

Description of problem:
If you looked up some info using unix commands, like id or groups, and then changed it using a freeipa command, later calls to id will show outdated information:

[root@ipaserver ~]# ipa user-add --first=x --last=y myuser5
--------------------
Added user "myuser5"
--------------------
  User login: myuser5
  First name: x
  Last name: y
  Full name: x y
  Display name: x y
  Initials: xy
  Home directory: /home/myuser5
  GECOS field: myuser5
  Login shell: /bin/sh
  Kerberos principal: myuser5
  UID: 334400018
[root@ipaserver ~]# id myuser5
uid=334400018(myuser5) gid=334400018(myuser5) группы=334400018(myuser5),334400001(ipausers)
[root@ipaserver ~]# ipa user-del myuser5
----------------------
Deleted user "myuser5"
----------------------
[root@ipaserver ~]# id myuser5
uid=334400018(myuser5) gid=334400018(myuser5) группы=334400018(myuser5),334400001(ipausers)

Version-Release number of selected component (if applicable):
389-ds-base-1.2.8-0.2.a2.fc15.1.x86_64
freeipa-admintools-2.0.0.rc1-0.fc15.x86_64
sssd-tools-1.5.1-7.fc15.x86_64
freeipa-client-2.0.0.rc1-0.fc15.x86_64
freeipa-server-2.0.0.rc1-0.fc15.x86_64
sssd-1.5.1-7.fc15.x86_64
sssd-debuginfo-1.5.1-7.fc15.x86_64
freeipa-python-2.0.0.rc1-0.fc15.x86_64
freeipa-server-selinux-2.0.0.rc1-0.fc15.x86_64
sssd-client-1.5.1-7.fc15.x86_64

How reproducible:
always

Steps to Reproduce:
1. create user using ipa user-add command, myuser for example
2. type 'id myuser'
3. type ipa user-del 'myuser'
4. type 'id myuser' again - it will show the deleted user

Actual results:
unix commands show some cached info

Expected results:
unix commands always show up-to-date information about users and groups

--- Additional comment from ssorce on 2011-02-16 08:34:59 EST ---

I was going to reply that as soon as the deleted user attempts to login, it will be refreshed from ldap, found to be deleted and not reported any more.
Except I have just tested this and it doesn't work.
Reassigning to sssd.
Environment:
IPA Server RHEL 6.1
IPA Client RHEL 5.7

1) add ipa user from server
# ipa user-add --first myuser --last myuser myuser
-------------------
Added user "myuser"
-------------------
  User login: myuser
  First name: myuser
  Last name: myuser
  Full name: myuser myuser
  Display name: myuser myuser
  Initials: mm
  Home directory: /home/myuser
  GECOS field: myuser
  Login shell: /bin/sh
  Kerberos principal: myuser@TESTRELM
  UID: 239400003

2) from client id user
# id myuser
uid=239400003(myuser) gid=239400003(myuser) groups=239400003(myuser),239400001(ipausers) context=root:system_r:unconfined_t:SystemLow-SystemHigh

3) From server delete user
# ipa user-del myuser
---------------------
Deleted user "myuser"
---------------------

4) from client id user
# id myuser
uid=239400003(myuser) gid=239400003(myuser) groups=239400003(myuser),239400001(ipausers) context=root:system_r:unconfined_t:SystemLow-SystemHigh

wait a couple minutes ...
# id myuser
uid=239400003(myuser) gid=239400003(myuser) groups=239400003(myuser),239400001(ipausers) context=root:system_r:unconfined_t:SystemLow-SystemHigh

wait 5 more minutes
# id myuser
uid=239400003(myuser) gid=239400003(myuser) groups=239400003(myuser),239400001(ipausers) context=root:system_r:unconfined_t:SystemLow-SystemHigh

Versions:
CLIENT
ipa-client-2.0-14.el5
sssd-1.5.1-35.el5
SERVER
ipa-server-2.0.0-23.el6.x86_64
Default entry cache timeout is 90 minutes. In order for the cache for that user to be updated (user removed), need to attempt login as the deleted user ... subsequent steps:

ssh myuser@hostname
myuser@hostname's password:
Permission denied, please try again.

log back in and id my user
# id myuser
id: myuser: No such user
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Modifying or deleting a user or group account on an LDAP server did not result in an update of the cache on a login attempt. With this update, the cache is always properly updated during the login process. Outside of a login attempt, entries now remain as they were cached until the cache timeout expires.
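The 90-minute entry cache timeout from the previous comment and the login-time refresh described in this technical note, as an added Python model written for this page (it is not SSSD code and not part of the report); the login name and UID come from the reproducer, while the simulated clock and the dict standing in for the LDAP server are constructed.

```python
"""Constructed model (not SSSD code) of the entry-cache behaviour this bug describes:
the NSS cache answers `id` from cached entries until the 90-minute timeout, and a
login attempt either refreshes the entry (fixed) or leaves it stale (bug)."""
from dataclasses import dataclass, field

ENTRY_CACHE_TIMEOUT = 90 * 60  # seconds; the default quoted in the report


@dataclass
class NssCache:
    directory: dict           # stand-in for the LDAP server: login name -> UID
    refresh_on_login: bool    # True models the behaviour after the erratum
    now: int = 0              # simulated clock, in seconds
    cache: dict = field(default_factory=dict)  # name -> (uid or None, fetched_at)

    def _fetch(self, name):
        """Ask the backend and cache the answer; a miss is cached as None too."""
        uid = self.directory.get(name)
        self.cache[name] = (uid, self.now)
        return uid

    def lookup(self, name):
        """What `id name` sees: served from cache while the entry is fresh."""
        if name in self.cache:
            uid, fetched_at = self.cache[name]
            if self.now - fetched_at < ENTRY_CACHE_TIMEOUT:
                return uid
        return self._fetch(name)

    def login(self, name):
        """ssh as `name`: the password is checked against the backend (not modelled
        here); with the fix, the cached entry is re-read as part of the login."""
        if self.refresh_on_login:
            self._fetch(name)
        return name in self.directory   # deleted user -> Permission denied


def reproduce(refresh_on_login):
    """Walk the report's steps; return what `id myuser` answers at each point."""
    directory = {"myuser": 239400003}          # UID taken from the report
    c = NssCache(directory, refresh_on_login)
    first = c.lookup("myuser")                 # step 2: entry now cached
    del directory["myuser"]                    # step 3: ipa user-del on the server
    stale = c.lookup("myuser")                 # step 4: still answered from cache
    c.login("myuser")                          # ssh attempt: Permission denied
    after_login = c.lookup("myuser")           # None only with the fix
    c.now += ENTRY_CACHE_TIMEOUT               # let the entry cache expire
    after_timeout = c.lookup("myuser")         # backend consulted again: None
    return first, stale, after_login, after_timeout
```

Run `reproduce(False)` for the behaviour reported above (the stale UID survives the failed login) and `reproduce(True)` for the fixed behaviour, where the login attempt alone clears it.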
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0975.html