Bug 772297 - Fails to update if all nisNetgroupTriple or memberNisNetgroup entries are deleted from a netgroup.
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Stephen Gallagher
QA Contact: IDM QE LIST
Reported: 2012-01-06 17:48 UTC by Kaushik Banerjee
Modified: 2020-05-02 16:42 UTC

Fixed In Version: sssd-1.8.0-5.el6
Doc Type: Bug Fix
Doc Text:
Cause: the function for storing netgroups in SSSD cache didn't check for attributes that are in sysdb but aren't in ldap response from the server.
Consequence: if a netgroup has been cached by SSSD and it changed on the server in a way that it missed all triples, this change wouldn't be projected in the cache
Fix: always check for attributes that are missing from the LDAP response when saving netgroup
Result: query for netgroups returns correct set of triples even if it contains none
Last Closed: 2012-06-20 11:51:18 UTC

Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 2178 0 None closed Fails to update if all nisNetgroupTriple or memberNisNetgroup entries are deleted from a netgroup. 2020-07-10 13:16:39 UTC
Red Hat Product Errata RHBA-2012:0747 0 normal SHIPPED_LIVE sssd bug fix and enhancement update 2012-06-19 19:31:43 UTC

Description Kaushik Banerjee 2012-01-06 17:48:16 UTC
Description of problem:
SSSD fails to update if all nisNetgroupTriple/memberNisNetgroup entries are deleted from the netgroup on the ldap server.

Version-Release number of selected component (if applicable):
sssd-1.5.1-66.el6_2.1

How reproducible:
Always

Steps to Reproduce:
1. Originally:
# ldapsearch -x -LLL -b "dc=example,dc=com" cn=Users
dn: cn=Users,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: Users
nisNetgroupTriple: (host1.example.com,user1,example.com)
nisNetgroupTriple: (host2.example.com,user2,example.com)
nisNetgroupTriple: (host3.example.com,user2,example.com)
description: All users in my organization

# getent -s sss netgroup Users
Users                 (host1.example.com, user1, example.com) (host2.example.com, user2, example.com) (host3.example.com, user2, example.com)

2. After deleting all nisNetgroupTriple from the netgroup on the ldap server:
# ldapsearch -x -LLL -b "dc=example,dc=com" cn=Users
dn: cn=Users,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: Users
description: All users in my organization

3. After 120 secs:
# getent -s sss netgroup Users
Users                 (host1.example.com, user1, example.com) (host2.example.com, user2, example.com) (host3.example.com, user2, example.com)


Actual results:
Looking up the netgroup still shows all the deleted entries.

Deleting one or more nisNetgroupTriple or memberNisNetgroup entries updates properly after entry_cache_timeout. The issue is reproducible only when all the entries are deleted.

Expected results:
Netgroup lookup shouldn't show the deleted entries.

Additional info:
1. sssd.conf domain section:
[domain/LDAP]
debug_level = 9
id_provider = ldap
ldap_uri = ldap://lion.lab.eng.pnq.redhat.com
ldap_search_base = ou=Netgroup,dc=example,dc=com
ldap_tls_cacert = /etc/openldap/cacerts/server.pem
enumerate = true
cache_credentials = true
entry_cache_timeout = 120
ldap_purge_cache_timeout = 10

2. domain log shows:
(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [be_get_account_info] (4): Got request for [4100][1][name=Users]
(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [sdap_id_op_connect_step] (9): reusing cached connection
(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(cn=Users)(objectclass=nisNetgroup))][ou=Netgroup,dc=example,dc=com].
(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [sdap_get_generic_step] (7): Requesting attrs: [objectClass]
(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [sdap_get_generic_step] (7): Requesting attrs: [cn]
(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [sdap_get_generic_step] (7): Requesting attrs: [memberNisNetgroup]
(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [sdap_get_generic_step] (7): Requesting attrs: [nisNetgroupTriple]
(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [sdap_get_generic_step] (7): Requesting attrs: [nsUniqueId]
(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp]
(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [sdap_get_generic_step] (8): ldap_search_ext called, msgid = 14
(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [sdap_process_result] (8): Trace: sh[0x864c20], connected[1], ops[0x868d00], ldap[0x869910]
(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [sdap_parse_entry] (9): OriginalDN: [cn=Users,ou=Netgroup,dc=example,dc=com].
(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [sdap_process_result] (8): Trace: sh[0x864c20], connected[1], ops[0x868d00], ldap[0x869910]
(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [sdap_get_generic_done] (7): Total count [0]
(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [sdap_get_netgroups_process] (6): Search for netgroups, returned 1 results.
(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [netgr_translate_members_send] (7): Missing netgroup members.
(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [netgr_translate_members_send] (9): No DNs found among netgroup members.
(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [sdap_save_netgroup] (7): Adding original DN [cn=Users,ou=Netgroup,dc=example,dc=com] to attributes of [Users].
(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [sdap_save_netgroup] (7): No netgroup triples for netgroup [Users].
(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [sdap_save_netgroup] (7): No original members for netgroup [Users]
(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [sdap_save_netgroup] (7): No members for netgroup [Users]
(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [sdap_save_netgroup] (6): Storing info for netgroup Users
(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [ldb] (9): start ldb transaction (nesting: 0)
(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [ldb] (9): start ldb transaction (nesting: 1)
(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0x87f860

(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x87f980

(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [ldb] (9): tevent: Destroying timer event 0x87f980 "ltdb_timeout"

(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [ldb] (9): tevent: Ending timer event 0x87f860 "ltdb_callback"

(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [ldb] (9): cancel ldb transaction (nesting: 1)
(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [sysdb_add_basic_netgroup] (6): Error: 17 (File exists)
(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [ldb] (9): start ldb transaction (nesting: 1)
(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0x880040

(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x87f0d0

(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [ldb] (9): tevent: Destroying timer event 0x87f0d0 "ltdb_timeout"

(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [ldb] (9): tevent: Ending timer event 0x880040 "ltdb_callback"

(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [ldb] (9): commit ldb transaction (nesting: 1)
(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [ldb] (9): commit ldb transaction (nesting: 0)
(Fri Jan  6 20:22:12 2012) [sssd[be[LDAP]]] [netgr_translate_members_done] (9): Saving 1 Netgroups - Done

Comment 1 Stephen Gallagher 2012-01-06 17:57:01 UTC
Just to confirm: Does it work properly if some (but not all) of the nisNetgroupTriple or memberNisNetgroup entries are removed?

Rephrased: does it only occur when ALL entries are removed?

Comment 3 Kaushik Banerjee 2012-01-06 18:05:46 UTC
(In reply to comment #1)
> Just to confirm: Does it work properly if some (but not all) of the
> nisNetgroupTriple or memberNisNetgroup entries are removed?

Yes.

> 
> Rephrased: does it only occur when ALL entries are removed?

Yes

Comment 4 Kaushik Banerjee 2012-01-06 18:07:38 UTC
This bug was initially reported by "email" on sssd-devel list at "https://fedorahosted.org/pipermail/sssd-devel/2012-January/008002.html". I performed the tests as described in the thread and could successfully reproduce this. I have raised a bugzilla with all the necessary information. Would like to thank Joe.Jin for reporting this.

Comment 5 Jakub Hrozek 2012-01-08 19:19:50 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1136

Comment 6 Joe Jin 2012-01-16 08:50:04 UTC
I tried to call sysdb_remove_attrs() in either sysdb_add_netgroup() or sdap_save_netgroup(),
when the attr is empty, but it always returns FAILED. Any comments?

Thanks,
Joe

Comment 7 Stephen Gallagher 2012-01-16 12:24:12 UTC
(In reply to comment #6)
> I tried to call sysdb_remove_attrs() in either sysdb_add_netgroup() or
> sdap_save_netgroup(),
> when the attr is empty, but it always returns FAILED. Any comments?

What was the failure error code? Also, did you use SYSDB_MOD_REPLACE or SYSDB_MOD_DEL? The latter is probably what you were looking for.

Comment 10 Scott Poore 2012-03-21 15:58:06 UTC
Verified.

Version :: sssd-1.8.0-15.el6.x86_64

Automated Test Results ::

There was a bug in the automated test when run.  It was missing the code to add the entry_cache_timeout to sssd.conf.  That has been added and this is a manual run of the automation:

[root@hp-xw6600-01 ipa-netgroup-cli]# netgroup_bz_772297

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: netgroup_bz_772297: Fails to update if all nisNetgroupTriple or memberNisNetgroup entries are deleted from a netgroup
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running '/bin/cp -f /etc/sssd/sssd.conf /etc/sssd/sssd.conf.netgroup_bz_772297.backup'
:: [11:22:23] ::  Running: sed -i 's/\(\[domain.*\]\)$/\1
entry_cache_timeout = 120/' /etc/sssd/sssd.conf
[domain/testrelm.com]
entry_cache_timeout = 120
entry_cache_timeout = 120
debug_level = 6

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = testrelm.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = hp-xw6600-01.testrelm.com
chpass_provider = ipa
ipa_server = hp-xw6600-01.testrelm.com
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = testrelm.com
[nss]

[pam]

[sudo]

[autofs]

[ssh]

:: [   PASS   ] :: Running 'cat /etc/sssd/sssd.conf'
Stopping sssd: [  OK  ]
[  OK  ] sssd: [  OK  ]
:: [   PASS   ] :: Running 'service sssd restart'
--------------------
Added user "nguser1"
--------------------
  User login: nguser1
  First name: TEST
  Last name: USER
  Full name: TEST USER
  Display name: TEST USER
  Initials: TU
  Home directory: /home/nguser1
  GECOS field: TEST USER
  Login shell: /bin/sh
  Kerberos principal: nguser1
  UID: 588200022
  GID: 588200022
  Password: False
  Kerberos keys available: False
:: [   PASS   ] :: Running 'ipa user-add nguser1 --first=TEST --last=USER'
--------------------
Added user "nguser2"
--------------------
  User login: nguser2
  First name: TEST
  Last name: USER
  Full name: TEST USER
  Display name: TEST USER
  Initials: TU
  Home directory: /home/nguser2
  GECOS field: TEST USER
  Login shell: /bin/sh
  Kerberos principal: nguser2
  UID: 588200023
  GID: 588200023
  Password: False
  Kerberos keys available: False
:: [   PASS   ] :: Running 'ipa user-add nguser2 --first=TEST --last=USER'
--------------------
Added user "nguser3"
--------------------
  User login: nguser3
  First name: TEST
  Last name: USER
  Full name: TEST USER
  Display name: TEST USER
  Initials: TU
  Home directory: /home/nguser3
  GECOS field: TEST USER
  Login shell: /bin/sh
  Kerberos principal: nguser3
  UID: 588200024
  GID: 588200024
  Password: False
  Kerberos keys available: False
:: [   PASS   ] :: Running 'ipa user-add nguser3 --first=TEST --last=USER'
------------------------
Added netgroup "usersng"
------------------------
  Netgroup name: usersng
  Description: users
  NIS domain name: testrelm.com
  IPA unique ID: ae33307e-7369-11e1-9717-0019bbea4c2b
:: [   PASS   ] :: Running 'ipa netgroup-add usersng --desc=users'
  Netgroup name: usersng
  Description: users
  NIS domain name: testrelm.com
  Member User: nguser1, nguser2, nguser3
-------------------------
Number of members added 3
-------------------------
:: [   PASS   ] :: Running 'ipa netgroup-add-member usersng --users=nguser1,nguser2,nguser3'
------------------
1 netgroup matched
------------------
  Netgroup name: usersng
  Description: users
  NIS domain name: testrelm.com
  Member User: nguser1, nguser2, nguser3
----------------------------
Number of entries returned 1
----------------------------
:: [   PASS   ] :: Running 'ipa netgroup-find --users=nguser1,nguser2,nguser3'
dn: cn=usersng,cn=ng,cn=compat,dc=testrelm,dc=com
objectClass: nisNetgroup
objectClass: top
nisNetgroupTriple: (-,nguser1,testrelm.com)
nisNetgroupTriple: (-,nguser2,testrelm.com)
nisNetgroupTriple: (-,nguser3,testrelm.com)
cn: usersng

dn: ipaUniqueID=ae33307e-7369-11e1-9717-0019bbea4c2b,cn=ng,cn=alt,dc=testrelm,
 dc=com
objectClass: ipaobject
objectClass: ipaassociation
objectClass: ipanisnetgroup
cn: usersng
description: users
nisDomainName: testrelm.com
ipaUniqueID: ae33307e-7369-11e1-9717-0019bbea4c2b

:: [   PASS   ] :: Running 'ldapsearch -x -LLL -b dc=testrelm,dc=com cn=usersng'
usersng               (-, nguser1, testrelm.com) (-, nguser2, testrelm.com) (-, nguser3, testrelm.com)
:: [   PASS   ] :: Running 'getent -s sss netgroup usersng'
  Netgroup name: usersng
  Description: users
  NIS domain name: testrelm.com
---------------------------
Number of members removed 3
---------------------------
:: [   PASS   ] :: Running 'ipa netgroup-remove-member usersng --users=nguser1,nguser2,nguser3'
:: [   PASS   ] :: Running 'sleep 120'
:: [   PASS   ] :: BZ 772297 not found.
dn: cn=usersng,cn=ng,cn=compat,dc=testrelm,dc=com
objectClass: nisNetgroup
objectClass: top
cn: usersng

dn: ipaUniqueID=ae33307e-7369-11e1-9717-0019bbea4c2b,cn=ng,cn=alt,dc=testrelm,
 dc=com
objectClass: ipaobject
objectClass: ipaassociation
objectClass: ipanisnetgroup
cn: usersng
description: users
nisDomainName: testrelm.com
ipaUniqueID: ae33307e-7369-11e1-9717-0019bbea4c2b

:: [   PASS   ] :: Running 'ldapsearch -x -LLL -b "dc=testrelm,dc=com" cn=usersng'
----------------------
Deleted user "nguser1"
----------------------
:: [   PASS   ] :: Running 'ipa user-del nguser1'
----------------------
Deleted user "nguser2"
----------------------
:: [   PASS   ] :: Running 'ipa user-del nguser2'
----------------------
Deleted user "nguser3"
----------------------
:: [   PASS   ] :: Running 'ipa user-del nguser3'
--------------------------
Deleted netgroup "usersng"
--------------------------
:: [   PASS   ] :: Running 'ipa netgroup-del usersng'
:: [   PASS   ] :: Running '/bin/cp -f /etc/sssd/sssd.conf.netgroup_bz_772297.backup /etc/sssd/sssd.conf'
:: [   PASS   ] :: Running '/bin/rm /etc/sssd/sssd.conf.netgroup_bz_772297.backup'
:: [   PASS   ] :: Running 'chmod 0600 /etc/sssd/sssd.conf'
Stopping sssd: [  OK  ]
[  OK  ] sssd: [  OK  ]
:: [   PASS   ] :: Running 'service sssd restart'

Manual Test Results ::


# ipa user-add testuser1 --first=First --last=Last
----------------------
Added user "testuser1"
----------------------
  User login: testuser1
  First name: First
  Last name: Last
  Full name: First Last
  Display name: First Last
  Initials: FL
  Home directory: /home/testuser1
  GECOS field: First Last
  Login shell: /bin/sh
  Kerberos principal: testuser1
  UID: 588200025
  GID: 588200025
  Password: False
  Kerberos keys available: False

# ipa user-add testuser2 --first=First --last=Last
----------------------
Added user "testuser2"
----------------------
  User login: testuser2
  First name: First
  Last name: Last
  Full name: First Last
  Display name: First Last
  Initials: FL
  Home directory: /home/testuser2
  GECOS field: First Last
  Login shell: /bin/sh
  Kerberos principal: testuser2
  UID: 588200026
  GID: 588200026
  Password: False
  Kerberos keys available: False

# ipa user-add testuser3 --first=First --last=Last
----------------------
Added user "testuser3"
----------------------
  User login: testuser3
  First name: First
  Last name: Last
  Full name: First Last
  Display name: First Last
  Initials: FL
  Home directory: /home/testuser3
  GECOS field: First Last
  Login shell: /bin/sh
  Kerberos principal: testuser3
  UID: 588200027
  GID: 588200027
  Password: False
  Kerberos keys available: False

# ipa netgroup-add testng --desc=usersnetgroup
-----------------------
Added netgroup "testng"
-----------------------
  Netgroup name: testng
  Description: usersnetgroup
  NIS domain name: testrelm.com
  IPA unique ID: 82983668-736d-11e1-bbe4-0019bbea4c2b

# ipa netgroup-add-member testng --users=testuser1,testuser2,testuser3
  Netgroup name: testng
  Description: usersnetgroup
  NIS domain name: testrelm.com
  Member User: testuser1, testuser2, testuser3
-------------------------
Number of members added 3
-------------------------

# ipa netgroup-find --users=testuser1,testuser2,testuser3
------------------
1 netgroup matched
------------------
  Netgroup name: testng
  Description: usersnetgroup
  NIS domain name: testrelm.com
  Member User: testuser1, testuser2, testuser3
----------------------------
Number of entries returned 1
----------------------------

# ldapsearch -x -LLL -b "dc=testrelm,dc=com" cn=testng
dn: cn=testng,cn=ng,cn=compat,dc=testrelm,dc=com
objectClass: nisNetgroup
objectClass: top
nisNetgroupTriple: (-,testuser1,testrelm.com)
nisNetgroupTriple: (-,testuser2,testrelm.com)
nisNetgroupTriple: (-,testuser3,testrelm.com)
cn: testng

dn: ipaUniqueID=82983668-736d-11e1-bbe4-0019bbea4c2b,cn=ng,cn=alt,dc=testrelm,
 dc=com
objectClass: ipaobject
objectClass: ipaassociation
objectClass: ipanisnetgroup
cn: testng
description: usersnetgroup
nisDomainName: testrelm.com
ipaUniqueID: 82983668-736d-11e1-bbe4-0019bbea4c2b

# sed -i 's/\(\[domain.*\]\)$/\1\nentry_cache_timeout = 120/' /etc/sssd/sssd.conf

# cat /etc/sssd/sssd.conf
[domain/testrelm.com]
entry_cache_timeout = 120
entry_cache_timeout = 120
debug_level = 6

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = testrelm.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = hp-xw6600-01.testrelm.com
chpass_provider = ipa
ipa_server = hp-xw6600-01.testrelm.com
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = testrelm.com
[nss]

[pam]

[sudo]

[autofs]

[ssh]

# vi /etc/sssd/sssd.conf

# cat /etc/sssd/sssd.conf
[domain/testrelm.com]
entry_cache_timeout = 120
debug_level = 6

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = testrelm.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = hp-xw6600-01.testrelm.com
chpass_provider = ipa
ipa_server = hp-xw6600-01.testrelm.com
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = testrelm.com
[nss]

[pam]

[sudo]

[autofs]

[ssh]


# service sssd restart
Stopping sssd: [  OK  ]
[  OK  ] sssd: [  OK  ]

# getent -s sss netgroup testng
testng                (-, testuser1, testrelm.com) (-, testuser2, testrelm.com) (-, testuser3, testrelm.com)

# ipa netgroup-remove-member testng --users=testuser1,testuser2,testuser3
  Netgroup name: testng
  Description: usersnetgroup
  NIS domain name: testrelm.com
---------------------------
Number of members removed 3
---------------------------

# sleep 120

# getent -s sss netgroup testng
testng

Comment 11 Jan Zeleny 2012-04-04 11:27:16 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: the function for storing netgroups in SSSD cache didn't check for attributes that are in sysdb but aren't in ldap response from the server.
Consequence: if a netgroup has been cached by SSSD and it changed on the server in a way that it missed all triples, this change wouldn't be projected in the cache
Fix: always check for attributes that are missing from the LDAP response when saving netgroup
Result: query for netgroups returns correct set of triples even if it contains none
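
The cause and fix from the technical note above, modelled in C as an added example (this is not SSSD's code and does not use the sysdb API). The names `save_netgroup_buggy`, `save_netgroup_fixed`, `struct entry` and `users_entry` are hypothetical, and the sample entry is constructed from the reporter's ldapsearch output.

```c
#include <stdio.h>
#include <string.h>
enum { MAX_VALS = 8, MAX_ATTRS = 4 };
struct attr { const char *name; const char *vals[MAX_VALS]; int nvals; };
struct entry { struct attr attrs[MAX_ATTRS]; int nattrs; };  /* cache or LDAP entry */

/* Attributes the cache owns for a netgroup (names from the bug report). */
static const char *const managed[] = { "nisNetgroupTriple", "memberNisNetgroup" };

static struct attr *find_attr(struct entry *e, const char *name)
{
    for (int i = 0; i < e->nattrs; i++)
        if (strcmp(e->attrs[i].name, name) == 0)
            return &e->attrs[i];
    return NULL;
}

/* Pre-fix behaviour: only attributes present in the response are written. */
void save_netgroup_buggy(struct entry *cache, struct entry *resp)
{
    for (int i = 0; i < resp->nattrs; i++) {
        struct attr *dst = find_attr(cache, resp->attrs[i].name);
        if (dst == NULL && cache->nattrs < MAX_ATTRS)
            dst = &cache->attrs[cache->nattrs++];
        if (dst != NULL)
            *dst = resp->attrs[i];
    }
}

/* Fixed behaviour: managed attributes absent from the response are deleted. */
void save_netgroup_fixed(struct entry *cache, struct entry *resp)
{
    save_netgroup_buggy(cache, resp);
    for (size_t i = 0; i < sizeof(managed) / sizeof(managed[0]); i++) {
        struct attr *stale = find_attr(cache, managed[i]);
        if (stale != NULL && find_attr(resp, managed[i]) == NULL)
            *stale = cache->attrs[--cache->nattrs];  /* swap with last, shrink */
    }
}

/* Number of values a lookup of `name` would return from the cache. */
int cached_count(struct entry *cache, const char *name)
{
    struct attr *a = find_attr(cache, name);
    return a ? a->nvals : 0;
}

/* Constructed sample: the report's "Users" netgroup with n (0..3) triples;
 * with n == 0 the attribute is absent, as in the second ldapsearch output. */
struct entry users_entry(int n)
{
    struct entry e = { .attrs = { { "cn", { "Users" }, 1 } }, .nattrs = 1 };
    struct attr triples = { "nisNetgroupTriple", {
        "(host1.example.com,user1,example.com)",
        "(host2.example.com,user2,example.com)",
        "(host3.example.com,user2,example.com)" }, n > 3 ? 3 : n };
    if (n > 0)
        e.attrs[e.nattrs++] = triples;
    return e;
}

int main(void)
{
    struct entry resp = users_entry(0), before = users_entry(3), after = users_entry(3);
    save_netgroup_buggy(&before, &resp);   /* server deleted every triple */
    save_netgroup_fixed(&after, &resp);
    printf("pre-fix cache: %d triples, fixed cache: %d triples\n",
           cached_count(&before, "nisNetgroupTriple"),
           cached_count(&after, "nisNetgroupTriple"));
}
```

A partial deletion still refreshes correctly in the pre-fix path because the attribute is present in the response and overwrites the cached copy, which matches the reporter's observation that only the delete-everything case goes stale.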

Comment 13 errata-xmlrpc 2012-06-20 11:51:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0747.html

