On Mon, Sep 24, 2018 at 06:52:50PM +0000, Beale (US), Gareth wrote:
The way the code is currently written is, if there is a duplicate:
- check if the "new" group has the same SID, uniqueID or original DN as the "old" one
- yes, same: this is a rename, allow
- no, different: this is a duplicate, error
I'm not clear on the start of this flow - what is meant by "if there is a duplicate"?
What I see on the affected system is e.g.:
getent group abcd..1
abcd..1:*:1234:<userlist for abcd..1>
getent group 1234 (returns same entry as for abcd..1)
Oddly, if I then:
getent group abcd..2
abcd..2:*:1234:<userlist for abcd..2>
getent group 1234 (returns same entry as for abcd..1 - not abcd..2)
This is most probably returned from the memory cache. If you call
SSS_NSS_USE_MEMCACHE=no getent group 1234
I would expect that you see the empty results always after 'getent group abcd..2' is called because the request will now go directly to the SSSD nss responder where the duplicate GID is detected.
bye, Sumit
However, at some point the cache gets into a state whereby:
getent group 1234 (returns empty result and also the duplicate GID error message in system log)

A subsequent "getent group abcd..N" will also generally return the empty result. However, if I script a getent of every suffixed group, each time followed by a getent of the GID, eventually it "kicks loose" and reverts to the initial state. It doesn't last very long, however. General system activity seems to return it to the "stuck cache" before too long. Since we have multiple split groups, this can be happening simultaneously for multiple groups.
Gareth
-----Original Message-----
From: Jakub Hrozek [mailto:jhrozek@redhat.com]
Sent: Monday, September 24, 2018 10:59 AM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: Issues with SSSD cache on version 1.13.4
On Mon, Sep 24, 2018 at 10:22:35AM -0400, Simo Sorce wrote:
btw it’s a good question to ask why isn’t the check done on saving the group. I thought it was and I see code that checks for ID uniqueness and even a test..
In current code, saving would override data as if the group was renamed changed I think ?
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
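An added diagnostic helper, not part of this thread and not SSSD project code, for the check Sumit suggests: compare the answer served from the NSS memory cache with the one obtained by bypassing it via SSS_NSS_USE_MEMCACHE=no, and flag GIDs that more than one group entry shares (the "split group" situation Gareth describes). The function names and the sample entries are mine; the group names and GID in the sample are constructed placeholders, not values from any real system.

```shell
#!/bin/sh
# Diagnostic helper for duplicate-GID / memcache inconsistencies seen through getent.
# Assumes glibc getent and an SSSD nss responder on the host; nothing here changes state.

# Constructed sample of "getent group" output (name:passwd:gid:members), one entry per
# line. Two groups collide on GID 1234, as in the thread; the third is a control entry.
SAMPLE_ENTRIES='abcd..1:*:1234:alice,bob
abcd..2:*:1234:carol
other:*:2000:dave'

# Print the GID field of one getent-group line.
gid_of_entry() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Given getent-group output (possibly many lines), print every GID that appears in
# more than one entry. Empty output means no collisions.
dup_gids() {
    printf '%s\n' "$1" | awk -F: 'NF >= 3 { print $3 }' | sort | uniq -d
}

# Look a group key (name or GID) up twice: once through the normal path, which may be
# answered from the SSSD memory cache, and once with the cache bypassed so the request
# reaches the nss responder. Report whether the two answers agree.
compare_lookup() {
    key=$1
    cached=$(getent group "$key" 2>/dev/null)
    direct=$(SSS_NSS_USE_MEMCACHE=no getent group "$key" 2>/dev/null)
    if [ "$cached" = "$direct" ]; then
        echo "consistent: $key -> ${direct:-<empty>}"
        return 0
    fi
    echo "MISMATCH for $key"
    echo "  memcache : ${cached:-<empty>}"
    echo "  responder: ${direct:-<empty>}"
    return 1
}

# Stand-alone usage: ./check_gids.sh abcd..1 abcd..2 1234
# Each argument is looked up both ways; any GID collision in the direct answers is listed.
if [ $# -gt 0 ]; then
    collected=''
    for k in "$@"; do
        compare_lookup "$k" || true
        collected="$collected
$(SSS_NSS_USE_MEMCACHE=no getent group "$k" 2>/dev/null)"
    done
    dups=$(dup_gids "$collected")
    [ -n "$dups" ] && echo "GIDs shared by more than one group entry: $dups"
else
    # No arguments: show the collision detector on the constructed sample.
    echo "duplicate GIDs in sample: $(dup_gids "$SAMPLE_ENTRIES")"
fi
```

If the memcache-served and responder-served answers differ for the same key, that supports Sumit's explanation that the stale entry is coming from the memory cache rather than the responder; an empty responder answer together with a duplicate-GID message in the system log points at the uniqueness check described earlier in the thread.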