Stephen, thanks. I had planned to spend my weekends debugging sssd's behaviour the hard way. You saved me time :-). I will rebuild sssd (I'm using a custom build for SLES10) and check it.
2010/11/16 Stephen Gallagher sgallagh@redhat.com:
On 11/16/2010 12:03 PM, Stephen Gallagher wrote:
On 11/12/2010 11:01 AM, Sergei V. Kovylov wrote:
Stephen, you are right, 1.3.1 is a working version too. I have made some experiments and found out that:
- The behaviour of sssd (1.3.1) depends on how the OUs are created on the LDAP server. If the OU with groups is created after all users' OUs, then sssd gets everything correctly. Example:
  correct sequence: ou=MCC (users), ou=HMC (users), ou=GROUP-ACCESS (groups)
  incorrect sequence: ou=GROUP-ACCESS (groups), ou=MCC (users), ou=HMC (users)
- sssd 1.4.x doesn't work even with the correct sequence of OU creation (see above).
- If I remove GRP-SVC-SSH-NODE from GRP-SVC-SSH-NODE and recreate the membership, then sssd will see the members of GRP-SVC-SSH-NODE in the GRP-SVC-SSH-NODE group, but only until a new installation or reinstallation of sssd.
Sorry it's taken me so long to reply. I've been able to reproduce the problem and I'm working on fixing it right now.
I have opened https://fedorahosted.org/sssd/ticket/683 to track the problem.
I take that back. I had a misconfiguration in my environment that was falsely giving me the wrong information.
I'm now actually pretty certain that you're hitting bug https://fedorahosted.org/sssd/ticket/663
What's happening is that our cleanup task (that makes sure the cache doesn't grow excessively large containing unused entries) is incorrectly cleaning out groups that only contain other groups (and no direct users).
This will be fixed in 1.5.0. (I will probably also backport the patch to 1.4.x in Fedora)
As an interim solution, please update to sssd-1.4.1-2.fc14 in updates-testing - https://admin.fedoraproject.org/updates/sssd-1.4.1-2.fc14 - and add:
ldap_purge_cache_timeout = 0
To your [domain/MD.METEORF.RU] section of sssd.conf.
If you're not using the Fedora binaries and are instead building your own copies, please cherry-pick the following patch:
commit 4f5824cf9b80dede79a6eddbcbb48f4ac75e5de4
Author: Stephen Gallagher sgallagh@redhat.com
Date:   Tue Nov 2 07:46:13 2010 -0400

    Properly document ldap_purge_cache_timeout

    Also allow it to be disabled entirely
Stephen Gallagher RHCE 804006346421761
_______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
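The following Python is an added illustration, not sssd's own code and not the fix from ticket 663. It models the cache cleanup behaviour Stephen describes: a purge pass that treats a group with no direct user members as unused, so a group whose only members are other groups disappears from the cache and nested membership can no longer be resolved. It also shows why setting ldap_purge_cache_timeout = 0 (the workaround from the mail) avoids the problem. The cache entry layout, the group names, the one-hour purge interval and the "fixed" rule (group members count as usage) are assumptions made for this example.

```python
"""Model of the sssd cache purge bug from the thread (added example, not sssd code).

Assumptions: a cache is a dict of group name -> Group; a purge pass removes
groups considered unused; purge_timeout == 0 disables the pass entirely.
"""
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    member_users: set = field(default_factory=set)   # direct user members
    member_groups: set = field(default_factory=set)  # nested group members
    last_seen: float = 0.0                           # last refresh time (assumed field)


def purge_groups(cache, now, purge_timeout, fixed=False):
    """Remove unused groups from `cache`; return the names removed.

    purge_timeout == 0: purge disabled (ldap_purge_cache_timeout = 0 workaround).
    fixed=False (buggy rule from the mail): a group with no direct users is unused,
    even if it contains other groups.
    fixed=True (assumed corrected rule): nested group members count as usage too.
    """
    if purge_timeout == 0:
        return []
    removed = []
    for name, g in list(cache.items()):
        if now - g.last_seen < purge_timeout:
            continue  # refreshed recently, never a purge candidate
        in_use = bool(g.member_users) or (fixed and bool(g.member_groups))
        if not in_use:
            removed.append(name)
            del cache[name]
    return removed


def resolve_users(cache, group_name, seen=None):
    """Expand nested membership to a set of users; None if the group is gone."""
    seen = seen if seen is not None else set()
    g = cache.get(group_name)
    if g is None:
        return None
    seen.add(group_name)
    users = set(g.member_users)
    for sub in g.member_groups:
        if sub in seen:
            continue  # guard against membership cycles
        sub_users = resolve_users(cache, sub, seen)
        if sub_users:
            users |= sub_users
    return users


def build_sample_cache(now):
    """Constructed sample data (not from the thread): an inner group with two
    users and an outer group whose only member is the inner group, like the
    nested GRP-SVC-SSH-NODE membership Sergei describes."""
    inner = Group("grp-admins", member_users={"alice", "bob"}, last_seen=now - 7200)
    outer = Group("grp-ssh-nodes", member_groups={"grp-admins"}, last_seen=now - 7200)
    return {inner.name: inner, outer.name: outer}


def demo():
    now = 1_000_000.0
    timeout = 3600  # assumed purge interval in seconds
    results = {}

    # 1. buggy rule with the purge enabled: the nested-only outer group is dropped
    cache = build_sample_cache(now)
    results["buggy_removed"] = purge_groups(cache, now, timeout)
    results["buggy_users"] = resolve_users(cache, "grp-ssh-nodes")

    # 2. workaround from the mail: ldap_purge_cache_timeout = 0 disables the purge
    cache = build_sample_cache(now)
    results["disabled_removed"] = purge_groups(cache, now, 0)
    results["disabled_users"] = resolve_users(cache, "grp-ssh-nodes")

    # 3. assumed corrected rule: groups that contain groups are in use
    cache = build_sample_cache(now)
    results["fixed_removed"] = purge_groups(cache, now, timeout, fixed=True)
    results["fixed_users"] = resolve_users(cache, "grp-ssh-nodes")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running demo() shows the symptom from the thread in miniature: with the purge enabled under the buggy rule, grp-ssh-nodes is removed and its members can no longer be resolved; with the purge disabled (timeout 0) or under the corrected rule, the nested users alice and bob resolve as expected.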