Bug 678412 - name service caches names, so id command shows recently deleted users
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: sssd (Show other bugs)
Version: 5.7
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Stephen Gallagher
QA Contact: Chandrasekar Kannan
Docs Contact:
Depends On: 677768
Blocks: 678410
Reported: 2011-02-17 15:51 EST by Stephen Gallagher
Modified: 2015-01-04 18:46 EST (History)
CC List: 11 users

See Also:
Fixed In Version: sssd-1.5.1-9.el5
Doc Type: Bug Fix
Doc Text:
Modifying or deleting a user or group account on an LDAP server did not result in an update of the cache on a login attempt. With this update, the cache is always properly updated during the login process. Outside of a login attempt, entries now remain as they were cached until the cache timeout expires.
Story Points: ---
Clone Of: 677768
Environment:
Last Closed: 2011-07-21 04:09:13 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Description Stephen Gallagher 2011-02-17 15:51:30 EST
+++ This bug was initially created as a clone of Bug #677768 +++

Description of problem:
If you look up some information using Unix commands such as id or groups and then change it using the freeipa command, later calls to id will show outdated information:

[root@ipaserver ~]# ipa user-add --first=x --last=y myuser5
--------------------
Added user "myuser5"
--------------------
  User login: myuser5
  First name: x
  Last name: y
  Full name: x y
  Display name: x y
  Initials: xy
  Home directory: /home/myuser5
  GECOS field: myuser5
  Login shell: /bin/sh
  Kerberos principal: myuser5@MYFREEIPAHOST.COM
  UID: 334400018
[root@ipaserver ~]# id myuser5
uid=334400018(myuser5) gid=334400018(myuser5) группы=334400018(myuser5),334400001(ipausers)
[root@ipaserver ~]# ipa user-del myuser5
----------------------
Deleted user "myuser5"
----------------------
[root@ipaserver ~]# id myuser5
uid=334400018(myuser5) gid=334400018(myuser5) группы=334400018(myuser5),334400001(ipausers)
Version-Release number of selected component (if applicable):
389-ds-base-1.2.8-0.2.a2.fc15.1.x86_64
freeipa-admintools-2.0.0.rc1-0.fc15.x86_64
sssd-tools-1.5.1-7.fc15.x86_64
freeipa-client-2.0.0.rc1-0.fc15.x86_64
freeipa-server-2.0.0.rc1-0.fc15.x86_64
sssd-1.5.1-7.fc15.x86_64
sssd-debuginfo-1.5.1-7.fc15.x86_64
freeipa-python-2.0.0.rc1-0.fc15.x86_64
freeipa-server-selinux-2.0.0.rc1-0.fc15.x86_64
sssd-client-1.5.1-7.fc15.x86_64


How reproducible:
always

Steps to Reproduce:
1. create a user using the 'ipa user-add' command, myuser for example
2. type 'id myuser'
3. type 'ipa user-del myuser'
4. type 'id myuser' again - it will still show the deleted user

Actual results:
Unix commands show cached information

Expected results:
Unix commands always show up-to-date information about users and groups

--- Additional comment from ssorce@redhat.com on 2011-02-16 08:34:59 EST ---

I was going to reply that as soon as the deleted user attempts to log in, it will be refreshed from LDAP, found to be deleted and not reported any more.
Except I have just tested this and it doesn't work.

Reassigning to sssd.
Comment 2 Jenny Galipeau 2011-05-27 13:23:15 EDT
Environment:

IPA Server RHEL 6.1
IPA Client RHEL 5.7

1) add ipa user from server

# ipa user-add --first myuser --last myuser myuser
-------------------
Added user "myuser"
-------------------
  User login: myuser
  First name: myuser
  Last name: myuser
  Full name: myuser myuser
  Display name: myuser myuser
  Initials: mm
  Home directory: /home/myuser
  GECOS field: myuser
  Login shell: /bin/sh
  Kerberos principal: myuser@TESTRELM
  UID: 239400003

2) from client id user

# id myuser
uid=239400003(myuser) gid=239400003(myuser) groups=239400003(myuser),239400001(ipausers) context=root:system_r:unconfined_t:SystemLow-SystemHigh

3) From server delete user

# ipa user-del myuser
---------------------
Deleted user "myuser"
---------------------

4) from client id user

# id myuser
uid=239400003(myuser) gid=239400003(myuser) groups=239400003(myuser),239400001(ipausers) context=root:system_r:unconfined_t:SystemLow-SystemHigh


wait a couple minutes ...

# id myuser
uid=239400003(myuser) gid=239400003(myuser) groups=239400003(myuser),239400001(ipausers) context=root:system_r:unconfined_t:SystemLow-SystemHigh

wait 5 more minutes
# id myuser
uid=239400003(myuser) gid=239400003(myuser) groups=239400003(myuser),239400001(ipausers) context=root:system_r:unconfined_t:SystemLow-SystemHigh
Versions:

CLIENT
ipa-client-2.0-14.el5
sssd-1.5.1-35.el5

SERVER
ipa-server-2.0.0-23.el6.x86_64
Comment 3 Jenny Galipeau 2011-05-27 13:41:27 EDT
The default entry cache timeout is 90 minutes; in order for the cache entry for that user to be updated (user removed), you need to attempt to log in as the deleted user ...

subsequent steps ...

ssh myuser@hostname
myuser@hostname's password: 
Permission denied, please try again.


log back in and id the user

# id myuser
id: myuser: No such user
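The two code paths that Comment 3 and the Doc Text distinguish (NSS lookups served from the entry cache until the 90-minute timeout, versus a login attempt that refreshes the entry from the directory) can be modelled directly. The following is an added illustration, not SSSD's or FreeIPA's own code: the directory, the cache, the uid/gid values and the timestamps are all constructed from the numbers quoted in Comment 2 and Comment 3, and `login()` only checks whether the account still exists upstream (no password verification). The `login_refreshes_cache` flag switches between the pre-fix behaviour (login leaves the cache alone, so `id` keeps resolving the deleted account until the timeout) and the fixed behaviour described in the Doc Text.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ENTRY_CACHE_TIMEOUT = 90 * 60  # seconds: the 90-minute default quoted in Comment 3


@dataclass(frozen=True)
class User:
    name: str
    uid: int
    gid: int
    groups: Tuple[Tuple[int, str], ...]  # (gid, group name) pairs, as `id` prints them


@dataclass
class CachedEntry:
    user: User
    fetched_at: float  # seconds on the same clock the lookups pass in


class Directory:
    """Stand-in for the IPA server's LDAP tree (constructed sample data, not a real server)."""

    def __init__(self) -> None:
        self._users: Dict[str, User] = {}

    def user_add(self, user: User) -> None:
        self._users[user.name] = user

    def user_del(self, name: str) -> None:
        self._users.pop(name, None)

    def lookup(self, name: str) -> Optional[User]:
        return self._users.get(name)


class IdentityCache:
    """Client-side entry cache with the two paths the Doc Text distinguishes.

    `lookup` is the NSS path behind `id`/`getent`: it answers from the cache
    until the entry is older than `timeout`, stale or not.  `login` is the PAM
    path: with login_refreshes_cache=True (the fixed behaviour) it consults the
    directory and rewrites the cache; with False (pre-fix) it leaves the cache as is.
    """

    def __init__(self, directory: Directory, timeout: int = ENTRY_CACHE_TIMEOUT,
                 login_refreshes_cache: bool = True) -> None:
        self.directory = directory
        self.timeout = timeout
        self.login_refreshes_cache = login_refreshes_cache
        self._entries: Dict[str, CachedEntry] = {}

    def _refresh(self, name: str, now: float) -> Optional[User]:
        user = self.directory.lookup(name)
        if user is None:
            self._entries.pop(name, None)  # gone upstream: drop the local copy
        else:
            self._entries[name] = CachedEntry(user, now)
        return user

    def lookup(self, name: str, now: float) -> Optional[User]:
        entry = self._entries.get(name)
        if entry is not None and now - entry.fetched_at < self.timeout:
            return entry.user  # served from the cache without asking the directory
        return self._refresh(name, now)

    def login(self, name: str, now: float) -> bool:
        """Return whether the account still exists upstream (password check omitted)."""
        if self.login_refreshes_cache:
            return self._refresh(name, now) is not None
        return self.directory.lookup(name) is not None


def id_command(cache: IdentityCache, name: str, now: float) -> str:
    """Render a lookup the way `id` prints it, or its 'No such user' error."""
    user = cache.lookup(name, now)
    if user is None:
        return f"id: {name}: No such user"
    groups = ",".join(f"{gid}({gname})" for gid, gname in user.groups)
    return f"uid={user.uid}({user.name}) gid={user.gid}({user.name}) groups={groups}"


def reproduce(login_refreshes_cache: bool = True) -> Dict[str, str]:
    """Replay the steps of Comment 2/3 against the model; return the `id` output at each step."""
    directory = Directory()
    cache = IdentityCache(directory, login_refreshes_cache=login_refreshes_cache)
    myuser = User("myuser", 239400003, 239400003,
                  ((239400003, "myuser"), (239400001, "ipausers")))  # constructed from Comment 2
    out: Dict[str, str] = {}
    directory.user_add(myuser)                                      # step 1: ipa user-add
    out["after_add"] = id_command(cache, "myuser", now=0)           # step 2: id, fills the cache
    directory.user_del("myuser")                                    # step 3: ipa user-del on the server
    out["after_del"] = id_command(cache, "myuser", now=60)          # step 4: still the cached entry
    out["after_7min"] = id_command(cache, "myuser", now=7 * 60)     # "wait 5 more minutes": unchanged
    cache.login("myuser", now=8 * 60)                               # ssh attempt: Permission denied
    out["after_login"] = id_command(cache, "myuser", now=8 * 60 + 1)
    out["after_timeout"] = id_command(cache, "myuser", now=ENTRY_CACHE_TIMEOUT + 1)
    return out


if __name__ == "__main__":
    for mode in (False, True):
        print(f"login_refreshes_cache={mode}")
        for step, line in reproduce(mode).items():
            print(f"  {step:14} {line}")
```

The point of the model for a defender is the window it makes visible: until the entry expires or someone tries to authenticate as the account, `id`, `getent` and file-ownership display on the client still resolve a user that the directory no longer knows, so removal in IPA alone does not immediately change what the client reports.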
Comment 4 Miroslav Svoboda 2011-07-15 09:26:35 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Modifying or deleting a user or group account on an LDAP server did not result in an update of the cache on a login attempt. With this update, the cache is always properly updated during the login process. Outside of a login attempt, entries now remain as they were cached until the cache timeout expires.
Comment 5 errata-xmlrpc 2011-07-21 04:09:13 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0975.html
