Bug 34124

Summary: Group cache is not updated
Product: Sisyphus Reporter: Andrey Cherepanov <cas>
Component: sssd-ad Assignee: Evgeny Sinelnikov <sin>
Status: CLOSED WORKSFORME QA Contact: qa-sisyphus
Severity: normal    
Priority: P3 CC: asheplyakov, berkut_174, iv, lav, nparshin, rider, shaba, sin, slev
Version: unstable   
Hardware: all   
OS: Linux   

Description Andrey Cherepanov 2017-11-03 12:20:24 MSK
sss_cache -E does not work. The only thing that helps is

# systemctl stop sssd
# rm -f /var/lib/sss/db/*
# rm -f /var/lib/sss/mc/*
# systemctl start sssd

And even that only after a certain interval.
Comment 1 Evgeny Sinelnikov 2017-12-22 06:18:50 MSK
Two causes of this problem have been identified:
- utilities and services may be out of sync when the service is started as an unprivileged user, because utilities run as root recreate the cache files with the wrong ("root") access permissions;
- when there are problems resolving individual SIDs (for example, when the user has been assigned groups from an unreachable subdomain), the initgroups NSS module.

getent -s sss initgroups klepfers

(Fri Dec 22 08:17:30 2017) [sssd[nss]] [get_client_cred] (0x0080): The following failure is expected to happen in case SELinux is disabled:
SELINUX_getpeercon failed [92][Протокол недоступен].
Please, consider enabling SELinux in your system.
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [nss_getby_name] (0x0400): Input name: klepfers
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_set_plugin] (0x2000): CR #45: Setting "Initgroups by name" plugin
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_send] (0x0400): CR #45: New request 'Initgroups by name'
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_process_input] (0x0400): CR #45: Parsing input name [klepfers]
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'klepfers' matched without domain, user is klepfers
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_set_name] (0x0400): CR #45: Setting name [klepfers]
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #45: Performing a multi-domain search
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #45: Search will check the cache and check the data provider
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain ADM72.LOCAL type POSIX is valid
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #45: Using domain [ADM72.LOCAL]
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_prepare_domain_data] (0x0400): CR #45: Preparing input data for domain [ADM72.LOCAL] rules
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_search_send] (0x0400): CR #45: Looking up klepfers@adm72.local
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #45: Checking negative cache for [klepfers@adm72.local]
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/ADM72.LOCAL/klepfers@adm72.local]
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #45: [klepfers@adm72.local] is not present in negative cache
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #45: Looking up [klepfers@adm72.local] in cache
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #45: Object [klepfers@adm72.local] was not found in cache
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_search_dp] (0x0400): CR #45: Looking up [klepfers@adm72.local] in data provider
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x416310:3:klepfers@adm72.local@ADM72.LOCAL]
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [ADM72.LOCAL][0x3][BE_REQ_INITGROUPS][name=klepfers@adm72.local:-]
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sbus_add_timeout] (0x2000): 0x658730
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x416310:3:klepfers@adm72.local@ADM72.LOCAL]
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x658730
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #45: Looking up [klepfers@adm72.local] in cache
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #45: Object [klepfers@adm72.local] was not found in cache
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_search_ncache_add] (0x0400): CR #45: Adding [klepfers@adm72.local] to negative cache
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/ADM72.LOCAL/klepfers@adm72.local] to negative cache
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain dfoato.ru type POSIX is valid
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain omsu.adm72.local type POSIX is valid
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain med72.local type POSIX is valid
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_global_ncache_add] (0x2000): CR #45: This request type does not support global negative cache
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_done] (0x0400): CR #45: Finished: Not found
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_domain_get_state] (0x1000): Domain dfoato.ru is Active
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_domain_get_state] (0x1000): Domain omsu.adm72.local is Active
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_domain_get_state] (0x1000): Domain med72.local is Active
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x416310:3:klepfers@adm72.local@ADM72.LOCAL]
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [client_close_fn] (0x2000): Terminated client [0x6616d0][21]
Comment 2 Evgeny Sinelnikov 2017-12-26 14:28:58 MSK
I made a test version of the fix, which is available in the tasks:
#197300 TESTED #1 [test-only] sisyphus sssd.git=1.15.3-alt5%ubt.3
#197299 EPERM #1 [test-only] p8 sssd.git=1.15.3-alt5%ubt.3

Preliminary testing showed that there is a problem with the access permissions on the file /var/lib/sss/db/sssd.ldb, which leads to an unanticipated cache failure. The new build helps only if the permissions on the file are fixed.

Workaround: disable running the sssd service modules as an unprivileged user by setting the option user = root in sssd.conf.
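Added example, not part of the bug report or of any comment above: a check for the ownership mismatch described in comments 1 and 2, listing cache files whose owner differs from the user sssd is configured to run as. It assumes GNU or busybox `stat -c`, the config at /etc/sssd/sssd.conf, and that an unset `user` option means root (the default depends on the build); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.
# Assumptions: `stat -c` is available; an unset `user` option means root.

# Print the `user` option from the [sssd] section of the given config file.
sssd_configured_user() {
    conf=$1
    awk '
        # Track which section we are in; only [sssd] is of interest.
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && /^[ \t]*user[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); u = $0
        }
        END { if (u == "") u = "root"; print u }
    ' "$conf"
}

# misowned_cache_files EXPECTED_UID DIR...
# Print every regular file under DIR whose owner UID is not EXPECTED_UID.
misowned_cache_files() {
    want_uid=$1; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f | while IFS= read -r f; do
            uid=$(stat -c '%u' "$f") || continue
            [ "$uid" = "$want_uid" ] ||
                printf '%s owner_uid=%s expected_uid=%s\n' "$f" "$uid" "$want_uid"
        done
    done
}

# Run as: sh check-sss-cache.sh --check
# The cache directories are the ones named in the bug description.
if [ "${1:-}" = "--check" ]; then
    user=$(sssd_configured_user /etc/sssd/sssd.conf)
    misowned_cache_files "$(id -u "$user")" /var/lib/sss/db /var/lib/sss/mc
fi
```

Empty output means every cache file is owned by the configured service user; any listed file is a candidate for the root-owned cache file condition described in comment 1.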
Comment 3 Anton Farygin 2018-12-20 09:55:16 MSK
I could not reproduce this on the current sisyphus.
Comment 4 Andrey Cherepanov 2021-05-19 16:01:51 MSK
*** Bug 40012 has been marked as a duplicate of this bug. ***