Summary: | Group cache is not updated | ||
---|---|---|---|
Product: | Sisyphus | Reporter: | Andrey Cherepanov <cas> |
Component: | sssd-ad | Assignee: | Evgeny Sinelnikov <sin> |
Status: | CLOSED WORKSFORME | QA Contact: | qa-sisyphus |
Severity: | normal | ||
Priority: | P3 | CC: | asheplyakov, berkut_174, iv, lav, nparshin, rider, shaba, sin, slev |
Version: | unstable | ||
Hardware: | all | ||
OS: | Linux |
Description
Andrey Cherepanov
2017-11-03 12:20:24 MSK
Two causes of this problem were identified:

- the utilities and the services can get out of step when the service runs as an unprivileged user, because utilities executed as root recreate the cache files with the wrong ("root") access permissions;
- when there are problems resolving individual SIDs (for example, when the user has been assigned groups from an unavailable subdomain), the NSS module initgroups.

```
getent -s sss initgroups klepfers
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [get_client_cred] (0x0080): The following failure is expected to happen in case SELinux is disabled: SELINUX_getpeercon failed [92][Протокол недоступен]. Please, consider enabling SELinux in your system.
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [nss_getby_name] (0x0400): Input name: klepfers
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_set_plugin] (0x2000): CR #45: Setting "Initgroups by name" plugin
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_send] (0x0400): CR #45: New request 'Initgroups by name'
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_process_input] (0x0400): CR #45: Parsing input name [klepfers]
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'klepfers' matched without domain, user is klepfers
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_set_name] (0x0400): CR #45: Setting name [klepfers]
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #45: Performing a multi-domain search
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #45: Search will check the cache and check the data provider
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain ADM72.LOCAL type POSIX is valid
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #45: Using domain [ADM72.LOCAL]
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_prepare_domain_data] (0x0400): CR #45: Preparing input data for domain [ADM72.LOCAL] rules
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_search_send] (0x0400): CR #45: Looking up klepfers@adm72.local
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #45: Checking negative cache for [klepfers@adm72.local]
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/ADM72.LOCAL/klepfers@adm72.local]
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #45: [klepfers@adm72.local] is not present in negative cache
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #45: Looking up [klepfers@adm72.local] in cache
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #45: Object [klepfers@adm72.local] was not found in cache
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_search_dp] (0x0400): CR #45: Looking up [klepfers@adm72.local] in data provider
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x416310:3:klepfers@adm72.local@ADM72.LOCAL]
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [ADM72.LOCAL][0x3][BE_REQ_INITGROUPS][name=klepfers@adm72.local:-]
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sbus_add_timeout] (0x2000): 0x658730
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x416310:3:klepfers@adm72.local@ADM72.LOCAL]
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x658730
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #45: Looking up [klepfers@adm72.local] in cache
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #45: Object [klepfers@adm72.local] was not found in cache
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_search_ncache_add] (0x0400): CR #45: Adding [klepfers@adm72.local] to negative cache
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/ADM72.LOCAL/klepfers@adm72.local] to negative cache
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain dfoato.ru type POSIX is valid
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain omsu.adm72.local type POSIX is valid
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain med72.local type POSIX is valid
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_global_ncache_add] (0x2000): CR #45: This request type does not support global negative cache
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_done] (0x0400): CR #45: Finished: Not found
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_domain_get_state] (0x1000): Domain dfoato.ru is Active
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_domain_get_state] (0x1000): Domain omsu.adm72.local is Active
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_domain_get_state] (0x1000): Domain med72.local is Active
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x416310:3:klepfers@adm72.local@ADM72.LOCAL]
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [client_close_fn] (0x2000): Terminated client [0x6616d0][21]
```

I made a test version of the fix, which is available in the tasks:

#197300 TESTED #1 [test-only] sisyphus sssd.git=1.15.3-alt5%ubt.3
#197299 EPERM #1 [test-only] p8 sssd.git=1.15.3-alt5%ubt.3

Preliminary testing showed that there is a problem with the access permissions on the file /var/lib/sss/db/sssd.ldb, which leads to an unexpected cache failure. The new build helps only if the permissions on the file are fixed.

Workaround: disable running the sssd service modules as an unprivileged user by setting the option user = root in sssd.conf.

I could not reproduce this on the current sisyphus.
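A check for the first cause named in this report, cache files whose owner differs from the account the service runs as; this is an added example, not code from the report or from sssd. The sample configuration, the temporary directory standing in for /var/lib/sss/db and the file names in it are constructed for illustration.

```python
import configparser
import os
import tempfile

# Constructed sample of sssd.conf; on a real host read /etc/sssd/sssd.conf.
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = ADM72.LOCAL
user = root

[domain/ADM72.LOCAL]
id_provider = ad
"""


def configured_sssd_user(conf_text):
    """Return the `user` option of the [sssd] section, or None when it is unset."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    if not parser.has_section("sssd"):
        return None
    return parser.get("sssd", "user", fallback=None)


def misowned_cache_files(db_dir, expected_uid):
    """Return (name, owner_uid, mode) for each regular file not owned by expected_uid."""
    findings = []
    for entry in sorted(os.scandir(db_dir), key=lambda e: e.name):
        if not entry.is_file(follow_symlinks=False):
            continue
        st = entry.stat(follow_symlinks=False)
        if st.st_uid != expected_uid:
            findings.append((entry.name, st.st_uid, oct(st.st_mode & 0o777)))
    return findings


if __name__ == "__main__":
    print("configured user:", configured_sssd_user(SAMPLE_CONF))
    # Constructed stand-in for /var/lib/sss/db, so the demo runs without root.
    with tempfile.TemporaryDirectory() as db_dir:
        for name in ("sssd.ldb", "cache_ADM72.LOCAL.ldb"):
            open(os.path.join(db_dir, name), "w").close()
        service_uid = os.getuid() + 1  # pretend the service runs as another account
        for name, uid, mode in misowned_cache_files(db_dir, service_uid):
            print(f"{name}: owner uid {uid}, mode {mode}, expected uid {service_uid}")
```

When `configured_sssd_user` returns None the option is not set in the file, so the account to compare against has to come from how the package was built.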