At login time we force a remote initgroups call to make sure the user's group memberships are fully up to date. However, we were not updating the mmap cache data, so some groups may persist there with invalid data if they changed and were not yet expired in the cache.
This patch set implements a callback mechanism so that when a provider receives an initgr call request it records the list of groups (by gid) available before the online refresh, then before returning it sends the data to the NSS provider so it can verify if anything changed.
If something changed, the NSS provider will invalidate all groups in the mmap cache and will let the normal getpw/getgr calls re-populate the cache later.
Note that any other changes in the cache happen only if the mmap cache is already expired, so there is no need to invalidate the mmap cache in any other situation at the moment.
Addresses: https://fedorahosted.org/sssd/ticket/1671
Simo Sorce (5):
  mmap cache: public functions to invalidate records
  Hook to perform a mmap cache update from sssd_nss
  Hook for mmap cache update on initgroup calls
  Add backchannel NSS provider query on initgr calls
  Always append rctx as private data
 src/providers/data_provider.h           |    7 +
 src/providers/data_provider_be.c        |  163 +++++++++++++++++++++++++++
 src/responder/common/responder_common.c |    2 +-
 src/responder/nss/nsssrv.c              |   68 +++++++++++
 src/responder/nss/nsssrv_cmd.c          |  187 +++++++++++++++++++++++++++++++
 src/responder/nss/nsssrv_mmap_cache.c   |  125 +++++++++++++++++++++
 src/responder/nss/nsssrv_mmap_cache.h   |   10 ++
 src/responder/nss/nsssrv_private.h      |    6 +
 8 files changed, 567 insertions(+), 1 deletions(-)
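
The compare-and-invalidate step described in the cover letter, as an added sketch that is not taken from the patch set or from SSSD. The names `grp_slot`, `memberships_changed` and `update_after_initgroups` are hypothetical, the cache is modelled as a plain array, and the gid lists are assumed to be duplicate-free.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an mmap cache group record: a slot is served to
 * clients only while valid is true. */
struct grp_slot { uint32_t gid; bool valid; };

static int cmp_gid(const void *a, const void *b)
{
    uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b;
    return (x > y) - (x < y);
}

/* True when the gid list recorded before the online refresh differs from the
 * list seen after it. Order is ignored; lists are assumed duplicate-free. */
bool memberships_changed(const uint32_t *before, size_t nb,
                         const uint32_t *after, size_t na)
{
    if (nb != na) return true;
    if (nb == 0) return false;
    uint32_t *b = malloc(nb * sizeof(*b));
    uint32_t *a = malloc(na * sizeof(*a));
    bool changed = true; /* fail safe: allocation failure counts as a change */
    if (b && a) {
        memcpy(b, before, nb * sizeof(*b));
        memcpy(a, after, na * sizeof(*a));
        qsort(b, nb, sizeof(*b), cmp_gid);
        qsort(a, na, sizeof(*a), cmp_gid);
        changed = memcmp(b, a, nb * sizeof(*b)) != 0;
    }
    free(b);
    free(a);
    return changed;
}

/* On any difference, invalidate every group slot so that later getgr lookups
 * repopulate the cache. Returns the number of slots invalidated. */
size_t update_after_initgroups(struct grp_slot *cache, size_t nslots,
                               const uint32_t *before, size_t nb,
                               const uint32_t *after, size_t na)
{
    size_t n = 0;
    if (!memberships_changed(before, nb, after, na)) return 0;
    for (size_t i = 0; i < nslots; i++)
        if (cache[i].valid) { cache[i].valid = false; n++; }
    return n;
}
```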