Bug 34124 - Group cache is not updated
Status: CLOSED WORKSFORME
Product: Sisyphus
Component: sssd-ad
Version: unstable
Platform: all Linux
Importance: P3 normal
Reported: 2017-11-03 12:20
Modified: 2018-12-20 09:55




Description From 2017-11-03 12:20:24
sss_cache -E does not work. The only thing that helps is:

# systemctl stop sssd
# rm -f /var/lib/sss/db/*
# rm -f /var/lib/sss/mc/*
# systemctl start sssd

And even then, only after a certain interval.
------- Comment #1 From 2017-12-22 06:18:50 -------
Two causes of this problem were identified:
- the utilities and the services can get out of sync when the service is run as
an unprivileged user, because utilities executed as root recreate the cache
files with the wrong ("root") access permissions;
- when there are problems resolving individual SIDs (for example, when the
user is assigned groups from an unreachable subdomain), the initgroups NSS module.

getent -s sss initgroups klepfers

(Fri Dec 22 08:17:30 2017) [sssd[nss]] [get_client_cred] (0x0080): The
following failure is expected to happen in case SELinux is disabled:
SELINUX_getpeercon failed [92][Протокол недоступен].
Please, consider enabling SELinux in your system.
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [accept_fd_handler] (0x0400): Client
connected!
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received
client version [1].
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered
version [1].
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [nss_getby_name] (0x0400): Input name:
klepfers
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_set_plugin] (0x2000): CR #45:
Setting "Initgroups by name" plugin
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_send] (0x0400): CR #45: New
request 'Initgroups by name'
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_process_input] (0x0400): CR
#45: Parsing input name [klepfers]
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_parse_name_for_domains] (0x0200):
name 'klepfers' matched without domain, user is klepfers
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_set_name] (0x0400): CR #45:
Setting name [klepfers]
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_select_domains] (0x0400): CR
#45: Performing a multi-domain search
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_search_domains] (0x0400): CR
#45: Search will check the cache and check the data provider
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_validate_domain_type]
(0x2000): Request type POSIX-only for domain ADM72.LOCAL type POSIX is valid
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #45:
Using domain [ADM72.LOCAL]
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_prepare_domain_data]
(0x0400): CR #45: Preparing input data for domain [ADM72.LOCAL] rules
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_search_send] (0x0400): CR
#45: Looking up klepfers@adm72.local
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR
#45: Checking negative cache for [klepfers@adm72.local]
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_ncache_check_str] (0x2000):
Checking negative cache for [NCE/USER/ADM72.LOCAL/klepfers@adm72.local]
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR
#45: [klepfers@adm72.local] is not present in negative cache
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_search_cache] (0x0400): CR
#45: Looking up [klepfers@adm72.local] in cache
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_search_cache] (0x0400): CR
#45: Object [klepfers@adm72.local] was not found in cache
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_search_dp] (0x0400): CR #45:
Looking up [klepfers@adm72.local] in data provider
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing
request for [0x416310:3:klepfers@adm72.local@ADM72.LOCAL]
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_dp_get_account_msg] (0x0400):
Creating request for
[ADM72.LOCAL][0x3][BE_REQ_INITGROUPS][name=klepfers@adm72.local:-]
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sbus_add_timeout] (0x2000): 0x658730
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_dp_internal_get_send] (0x0400):
Entering request [0x416310:3:klepfers@adm72.local@ADM72.LOCAL]
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x658730
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply
from Data Provider - DP error code: 0 errno: 0 error message: Success
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_search_cache] (0x0400): CR
#45: Looking up [klepfers@adm72.local] in cache
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_search_cache] (0x0400): CR
#45: Object [klepfers@adm72.local] was not found in cache
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_search_ncache_add] (0x0400):
CR #45: Adding [klepfers@adm72.local] to negative cache
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding
[NCE/USER/ADM72.LOCAL/klepfers@adm72.local] to negative cache
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_validate_domain_type]
(0x2000): Request type POSIX-only for domain dfoato.ru type POSIX is valid
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_validate_domain_type]
(0x2000): Request type POSIX-only for domain omsu.adm72.local type POSIX is
valid
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_validate_domain_type]
(0x2000): Request type POSIX-only for domain med72.local type POSIX is valid
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_global_ncache_add] (0x2000):
CR #45: This request type does not support global negative cache
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [cache_req_done] (0x0400): CR #45:
Finished: Not found
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_domain_get_state] (0x1000): Domain
dfoato.ru is Active
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_domain_get_state] (0x1000): Domain
omsu.adm72.local is Active
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_domain_get_state] (0x1000): Domain
med72.local is Active
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [sss_dp_req_destructor] (0x0400):
Deleting request: [0x416310:3:klepfers@adm72.local@ADM72.LOCAL]
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [client_recv] (0x0200): Client
disconnected!
(Fri Dec 22 08:17:30 2017) [sssd[nss]] [client_close_fn] (0x2000): Terminated
client [0x6616d0][21]
------- Comment #2 From 2017-12-26 14:28:58 -------
I made a test version of the fix, which is available in the tasks:
#197300 TESTED #1 [test-only] sisyphus sssd.git=1.15.3-alt5%ubt.3
#197299 EPERM #1 [test-only] p8 sssd.git=1.15.3-alt5%ubt.3

Preliminary testing showed that there is a problem with the access permissions
on the file /var/lib/sss/db/sssd.ldb, which leads to an unforeseen cache
failure. The new build helps only if the permissions on the file are fixed.

Workaround: disable running the sssd service modules as an unprivileged user
by setting the option user = root in sssd.conf.
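
A check for the ownership mismatch described in comments #1 and #2, added here as an example (it is not part of the bug report or of sssd): it reads the user option from the [sssd] section of sssd.conf and lists cache files that are not owned by that account. The function names and the fallback to root when the option is absent are assumptions.

```shell
#!/bin/sh
# Added example: report SSSD cache files whose owner differs from the account
# the service is configured to run as. Function names are hypothetical.

# Print the "user" option from the [sssd] section of an sssd.conf-style file.
# Prints "root" when the option is absent (assumed default; build-dependent).
sssd_run_user() {
    awk -F= '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/) }
        in_sssd && /^[ \t]*user[ \t]*=/ {
            gsub(/^[ \t]+|[ \t]+$/, "", $2); u = $2
        }
        END { print (u == "" ? "root" : u) }
    ' "$1"
}

# List entries in the given directories that are not owned by the expected
# user. Prints "<owner> <path>" per mismatch; returns 1 if any were found.
cache_owner_mismatches() {
    expected=$1; shift
    status=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -e "$f" ] || continue
            owner=$(stat -c %U "$f")   # GNU stat: owner name of the file
            if [ "$owner" != "$expected" ]; then
                printf '%s %s\n' "$owner" "$f"
                status=1
            fi
        done
    done
    return $status
}

# Stand-alone use (run as root so every file can be inspected):
#   sh check.sh /etc/sssd/sssd.conf /var/lib/sss/db /var/lib/sss/mc
if [ "$#" -ge 2 ]; then
    conf=$1; shift
    cache_owner_mismatches "$(sssd_run_user "$conf")" "$@"
fi
```

A non-empty listing after running a root-owned utility such as sss_cache points at the first cause from comment #1.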
------- Comment #3 From 2018-12-20 09:55:16 -------
I was unable to reproduce this on the current Sisyphus.