Description of problem:
Validate ID ranges for local domain users.

Version:
[root@dhcp201-210 ~]# rpm -q sssd
sssd-1.6.1-1.fc16.x86_64
[root@dhcp201-210 ~]#

This came up when I was trying the below operation and discussed w/ Jakub on IRC.

===========================
[root@dhcp201-210 home]# sss_useradd foo4
===========================
[root@dhcp201-210 home]# grep min_id /etc/sssd/sssd.conf -A 2
#min_id = 500
#max_id = 999
min_id = 1000
max_id = 1999
debug_level = 9
[root@dhcp201-210 home]#
===========================
[root@dhcp201-210 home]# vim /etc/sssd/sssd.conf
===========================
[root@dhcp201-210 home]# grep min_id /etc/sssd/sssd.conf -A 2
min_id = 500
max_id = 999
#min_id = 1000
#max_id = 1999
debug_level = 9
[root@dhcp201-210 home]#
===========================
[root@dhcp201-210 home]# service sssd restart
Redirecting to /bin/systemctl restart sssd.service
===========================
[root@dhcp201-210 home]# getent -s sss passwd foo4
foo4:*:1001:1001:foo4:/home/foo4:/bin/bash
===========================
[root@dhcp201-210 home]# sss_userdel -r foo4
User foo4 is outside the defined ID range for domain
===========================

Additional info:
==========================
<jhrozek> kashyap: I'm wondering why the NSS provider returns the data, though..that might be a bug
.
.
<jhrozek> kashyap: it seems that we never check ID ranges when the entry is already cached, but only when the entry is saved
<jhrozek> kashyap: for a normal provider, the entry would disappear when it expires (either on its own or when sss_cache is used)
<kashyap> I see,
<jhrozek> kashyap: I don't think there's a way to force the expiration for a local provider
<jhrozek> kashyap: feel free to file a RFE
<kashyap> jhrozek, can you elaborate a little on "..but only when the entry is saved"
<jhrozek> kashyap: consider an LDAP provider. We fetch the user from LDAP and save it to the cache. While saving the user to cache, we do a UID range check and skip the user when the UID is out of range
<jhrozek> kashyap: if the entry is already cached, we don't perform any UID check
<jhrozek> kashyap: the local provider works internally like a cache that never expires
<kashyap> ah,
<kashyap> jhrozek, do you think it'll be useful to file RFE to perform an ID check for the local provider?
<jhrozek> kashyap: I'd file it. The worst thing that can happen is CLOSED/WONTFIX :-)
==========================
Upstream ticket: https://fedorahosted.org/sssd/ticket/1049
We're not going to change this behavior. As far as we're concerned, if the min/max_id has changed, it's a completely new domain and the only safe way to proceed is to delete the cache file.
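The range check jhrozek describes (applied when an entry is saved, never when it is merely read back from the cache) and the resulting stale entry in the report can be reproduced outside SSSD. The following is an added example written for this page, not SSSD's own code: it reads min_id/max_id from a domain section of sssd.conf, parses `getent -s sss passwd` output, and lists every cached user the domain would now refuse to save. The config text and the passwd line are constructed from the fragments in the report; the defaults used when a key is missing (min_id 1, max_id 0 meaning unbounded), the `[domain/LOCAL]` section name and the decision to check the GID as well as the UID are this example's assumptions.

```python
"""Added example for this report: find cached SSSD users that fall outside the
domain's configured ID range. Illustrative code, not SSSD's implementation."""
import configparser
from typing import Iterator, List, Tuple

# Constructed sample modelled on the report: the range was changed from
# 1000-1999 to 500-999 after user foo4 (UID/GID 1001) had been created.
# The section name [domain/LOCAL] is an assumption; the report only shows
# the min_id/max_id lines.
SSSD_CONF = """
[sssd]
services = nss, pam
domains = LOCAL

[domain/LOCAL]
id_provider = local
min_id = 500
max_id = 999
#min_id = 1000
#max_id = 1999
debug_level = 9
"""

# Constructed sample of `getent -s sss passwd` output, copied from the report.
GETENT_OUTPUT = """\
foo4:*:1001:1001:foo4:/home/foo4:/bin/bash
"""


def id_range(conf_text: str, domain: str) -> Tuple[int, int]:
    """Return (min_id, max_id) for [domain/<domain>].

    Defaults of min_id=1 and max_id=0 (0 = no upper bound) are assumed here
    when a key is absent. configparser skips '#'-prefixed lines, so the
    commented-out old range in the sample is ignored exactly as sssd would.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sect = cp[f"domain/{domain}"]
    return int(sect.get("min_id", 1)), int(sect.get("max_id", 0))


def in_range(value: int, lo: int, hi: int) -> bool:
    """True when value lies inside [lo, hi]; hi == 0 is treated as unbounded."""
    return value >= lo and (hi == 0 or value <= hi)


def parse_passwd(text: str) -> Iterator[Tuple[str, int, int]]:
    """Yield (name, uid, gid) from passwd-format lines; reject malformed ones."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        yield fields[0], int(fields[2]), int(fields[3])


def stale_entries(conf_text: str, getent_text: str, domain: str) -> List[str]:
    """Names of cached users whose UID or GID is outside the configured range.

    These are the entries the domain would skip if it were saving them now,
    but which a cache that never expires (the local provider) keeps serving.
    Checking the GID as well as the UID is this example's choice.
    """
    lo, hi = id_range(conf_text, domain)
    return [
        name
        for name, uid, gid in parse_passwd(getent_text)
        if not (in_range(uid, lo, hi) and in_range(gid, lo, hi))
    ]


if __name__ == "__main__":
    lo, hi = id_range(SSSD_CONF, "LOCAL")
    print(f"configured range for LOCAL: {lo}-{hi if hi else 'unbounded'}")
    for name in stale_entries(SSSD_CONF, GETENT_OUTPUT, "LOCAL"):
        print(f"cached user outside range: {name}")
```

Run against a live host, the inputs would be the real /etc/sssd/sssd.conf and `getent -s sss passwd` output; a non-empty result is exactly the situation in the report, where `sss_userdel` refuses the entry that `getent` still returns. With the range restored to 1000-1999 the same script reports nothing, which matches the maintainer's position that a changed min_id/max_id effectively defines a new domain whose old cache contents are no longer valid.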