URL: https://github.com/SSSD/sssd/pull/347 Author: fidencio Title: #347: Fixes related to negative cache and "root" user/group Action: opened
PR body: """ This patch set contains a bunch of fixes in the negative cache code.
The patches were tested in an AD-trust environment and more specific instructions/details can be found below:

- **NEGCACHE: Add some comments about each step of sss_ncache_prepopulate()**
  Just verified the comments make sense.
- **NEGCACHE: Always add "root" to the negative cache**:
  - Add `filter_users = foo` and `filter_groups = foo` under `[nss]` section;
  - Restart SSSD (`systemctl restart sssd`) and run `id root`;
  - Inspect sssd_nss.log, checking for the second time the users and groups are added to the negative cache;
  - Without this patch:
    ```
    (Mon Aug 14 17:09:50 2017) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'foo' matched without domain, user is foo
    (Mon Aug 14 17:09:50 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/indirect.ipa.ff/foo@indirect.ipa.ff] to negative cache permanently
    (Mon Aug 14 17:09:50 2017) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'bar' matched without domain, user is bar
    (Mon Aug 14 17:09:50 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/indirect.ipa.ff/bar@indirect.ipa.ff] to negative cache permanently
    ```
  - With this patch:
    ```
    (Mon Aug 14 17:13:31 2017) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'foo' matched without domain, user is foo
    (Mon Aug 14 17:13:31 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/indirect.ipa.ff/foo@indirect.ipa.ff] to negative cache permanently
    (Mon Aug 14 17:13:31 2017) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'bar' matched without domain, user is bar
    (Mon Aug 14 17:13:31 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/indirect.ipa.ff/bar@indirect.ipa.ff] to negative cache permanently
    (Mon Aug 14 17:13:31 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/indirect.ipa.ff/root@indirect.ipa.ff] to negative cache permanently
    (Mon Aug 14 17:13:31 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/indirect.ipa.ff/root@indirect.ipa.ff] to negative cache permanently
    (Mon Aug 14 17:13:31 2017) [sssd[nss]] [sss_domain_get_state] (0x1000): Domain indirect.ad.ff is Active
    (Mon Aug 14 17:13:31 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/indirect.ad.ff/root@indirect.ad.ff] to negative cache permanently
    (Mon Aug 14 17:13:31 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/indirect.ad.ff/root@indirect.ad.ff] to negative cache permanently
    ```
- **NEGCACHE: Add "0" to the negative cache**:
  - Considering the very same environment where the previous patch was applied, do:
  - `id 0`;
  - Inspect sssd_nss.log, checking for the cache req call triggered by the command above;
  - Without this patch:
    ```
    (Mon Aug 14 17:19:52 2017) [sssd[nss]] [nss_getby_name] (0x0400): Input name: 0
    (Mon Aug 14 17:19:52 2017) [sssd[nss]] [cache_req_set_plugin] (0x2000): CR #0: Setting "User by name" plugin
    (Mon Aug 14 17:19:52 2017) [sssd[nss]] [cache_req_send] (0x0400): CR #0: New request 'User by name'
    (Mon Aug 14 17:19:52 2017) [sssd[nss]] [cache_req_process_input] (0x0400): CR #0: Parsing input name [0]
    (Mon Aug 14 17:19:52 2017) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name '0' matched without domain, user is 0
    (Mon Aug 14 17:19:52 2017) [sssd[nss]] [cache_req_set_name] (0x0400): CR #0: Setting name [0]
    (Mon Aug 14 17:19:52 2017) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #0: Performing a multi-domain search
    (Mon Aug 14 17:19:52 2017) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #0: Search will check the cache and check the data provider
    (Mon Aug 14 17:19:52 2017) [sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain indirect.ipa.ff type POSIX is valid
    (Mon Aug 14 17:19:52 2017) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #0: Using domain [indirect.ipa.ff]
    (Mon Aug 14 17:19:52 2017) [sssd[nss]] [cache_req_prepare_domain_data] (0x0400): CR #0: Preparing input data for domain [indirect.ipa.ff] rules
    (Mon Aug 14 17:19:52 2017) [sssd[nss]] [cache_req_search_send] (0x0400): CR #0: Looking up 0@indirect.ipa.ff
    (Mon Aug 14 17:19:52 2017) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #0: Checking negative cache for [0@indirect.ipa.ff]
    (Mon Aug 14 17:19:52 2017) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/indirect.ipa.ff/0@indirect.ipa.ff]
    (Mon Aug 14 17:19:52 2017) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #0: [0@indirect.ipa.ff] is not present in negative cache
    (Mon Aug 14 17:19:52 2017) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #0: Looking up [0@indirect.ipa.ff] in cache
    (Mon Aug 14 17:19:52 2017) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x669120
    (Mon Aug 14 17:19:52 2017) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x6691e0
    (Mon Aug 14 17:19:52 2017) [sssd[nss]] [ldb] (0x4000): Running timer event 0x669120 "ltdb_callback"
    (Mon Aug 14 17:19:52 2017) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x6691e0 "ltdb_timeout"
    (Mon Aug 14 17:19:52 2017) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x669120 "ltdb_callback"
    (Mon Aug 14 17:19:52 2017) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #0: Object [0@indirect.ipa.ff] was not found in cache
    (Mon Aug 14 17:19:52 2017) [sssd[nss]] [cache_req_search_dp] (0x0400): CR #0: Looking up [0@indirect.ipa.ff] in data provider
    (Mon Aug 14 17:19:52 2017) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x416010:1:0@indirect.ipa.ff@indirect.ipa.ff]
    (Mon Aug 14 17:19:52 2017) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [indirect.ipa.ff][0x1][BE_REQ_USER][name=0@indirect.ipa.ff:-]
    (Mon Aug 14 17:19:52 2017) [sssd[nss]] [sbus_add_timeout] (0x2000): 0x65db60
    (Mon Aug 14 17:19:52 2017) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x416010:1:0@indirect.ipa.ff@indirect.ipa.ff]
    (Mon Aug 14 17:19:52 2017) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x65db60
    (Mon Aug 14 17:19:52 2017) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x65c8c0
    (Mon Aug 14 17:19:52 2017) [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
    (Mon Aug 14 17:19:52 2017) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
    ```
  - With this patch:
    ```
    (Mon Aug 14 17:26:17 2017) [sssd[nss]] [nss_getby_name] (0x0400): Input name: 0
    (Mon Aug 14 17:26:17 2017) [sssd[nss]] [cache_req_set_plugin] (0x2000): CR #0: Setting "User by name" plugin
    (Mon Aug 14 17:26:17 2017) [sssd[nss]] [cache_req_send] (0x0400): CR #0: New request 'User by name'
    (Mon Aug 14 17:26:17 2017) [sssd[nss]] [cache_req_process_input] (0x0400): CR #0: Parsing input name [0]
    (Mon Aug 14 17:26:17 2017) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name '0' matched without domain, user is 0
    (Mon Aug 14 17:26:17 2017) [sssd[nss]] [cache_req_set_name] (0x0400): CR #0: Setting name [0]
    (Mon Aug 14 17:26:17 2017) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #0: Performing a multi-domain search
    (Mon Aug 14 17:26:17 2017) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #0: Search will check the cache and check the data provider
    (Mon Aug 14 17:26:17 2017) [sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain indirect.ipa.ff type POSIX is valid
    (Mon Aug 14 17:26:17 2017) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #0: Using domain [indirect.ipa.ff]
    (Mon Aug 14 17:26:17 2017) [sssd[nss]] [cache_req_prepare_domain_data] (0x0400): CR #0: Preparing input data for domain [indirect.ipa.ff] rules
    (Mon Aug 14 17:26:17 2017) [sssd[nss]] [cache_req_search_send] (0x0400): CR #0: Looking up 0@indirect.ipa.ff
    (Mon Aug 14 17:26:17 2017) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #0: Checking negative cache for [0@indirect.ipa.ff]
    (Mon Aug 14 17:26:17 2017) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/indirect.ipa.ff/0@indirect.ipa.ff]
    (Mon Aug 14 17:26:17 2017) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #0: [0@indirect.ipa.ff] does not exist (negative cache)
    (Mon Aug 14 17:26:17 2017) [sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain indirect.ad.ff type POSIX is valid
    (Mon Aug 14 17:26:17 2017) [sssd[nss]] [cache_req_process_result] (0x0400): CR #0: Finished: Not found
    ```
- **NEGCACHE: Descend to subdomains when adding user/groups**:
  - Considering the very same environment where the previous patch was applied, do:
  - `id root`;
  - Inspect sssd_nss.log, looking for when the user `foo` and group `bar` are added to the negative cache;
  - Without this patch:
    ```
    (Mon Aug 14 17:26:17 2017) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'foo' matched without domain, user is foo
    (Mon Aug 14 17:26:17 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/indirect.ipa.ff/foo@indirect.ipa.ff] to negative cache permanently
    (Mon Aug 14 17:26:17 2017) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'bar' matched without domain, user is bar
    ```
  - With this patch:
    ```
    (Mon Aug 14 17:31:54 2017) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'foo' matched without domain, user is foo
    (Mon Aug 14 17:31:54 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/indirect.ipa.ff/foo@indirect.ipa.ff] to negative cache permanently
    (Mon Aug 14 17:31:54 2017) [sssd[nss]] [sss_domain_get_state] (0x1000): Domain indirect.ad.ff is Active
    (Mon Aug 14 17:31:54 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/indirect.ad.ff/foo@indirect.ad.ff] to negative cache permanently
    (Mon Aug 14 17:31:54 2017) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'bar' matched without domain, user is bar
    (Mon Aug 14 17:31:54 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/indirect.ipa.ff/bar@indirect.ipa.ff] to negative cache permanently
    (Mon Aug 14 17:31:54 2017) [sssd[nss]] [sss_domain_get_state] (0x1000): Domain indirect.ad.ff is Active
    (Mon Aug 14 17:31:54 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/indirect.ad.ff/bar@indirect.ad.ff] to negative cache permanently
    ```
- **CACHE_REQ: Don't error out when searching by id = 0**:
  - With the very same environment, just do:
  - `id root`;
  - Inspect the sssd_nss.log, taking a look after the first cache req request;
  - Without this patch:
    ```
    (Mon Aug 14 19:21:59 2017) [sssd[nss]] [sss_domain_get_state] (0x1000): Domain indirect.ad.ff is Active
    (Mon Aug 14 19:21:59 2017) [sssd[nss]] [nss_protocol_done] (0x4000): Sending reply: not found
    (Mon Aug 14 19:21:59 2017) [sssd[nss]] [nss_getby_id] (0x0400): Input ID: 0
    (Mon Aug 14 19:21:59 2017) [sssd[nss]] [cache_req_data_create] (0x0020): Bug: id cannot be 0!
    (Mon Aug 14 19:21:59 2017) [sssd[nss]] [cache_req_data_create] (0x0020): Unable to create cache_req data [1432158209]: Internal Error
    (Mon Aug 14 19:21:59 2017) [sssd[nss]] [nss_getby_id] (0x0020): Unable to set cache request data!
    (Mon Aug 14 19:21:59 2017) [sssd[nss]] [nss_protocol_done] (0x4000): Sending reply: error [12]: Cannot allocate memory
    ```
  - With this patch:
    ```
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [nss_getby_id] (0x0400): Input ID: 0
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [cache_req_set_plugin] (0x2000): CR #1: Setting "User by ID" plugin
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [cache_req_send] (0x0400): CR #1: New request 'User by ID'
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #1: Performing a multi-domain search
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #1: Search will check the cache and check the data provider
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain indirect.ipa.ff type POSIX is valid
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #1: Using domain [indirect.ipa.ff]
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [cache_req_search_send] (0x0400): CR #1: Looking up UID:0@indirect.ipa.ff
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #1: Checking negative cache for [UID:0@indirect.ipa.ff]
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/UID/0]
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #1: [UID:0@indirect.ipa.ff] is not present in negative cache
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #1: Looking up [UID:0@indirect.ipa.ff] in cache
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x252fa20
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x2532bc0
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [ldb] (0x4000): Running timer event 0x252fa20 "ltdb_callback"
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x2532bc0 "ltdb_timeout"
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x252fa20 "ltdb_callback"
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #1: Object [UID:0@indirect.ipa.ff] was not found in cache
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [cache_req_search_dp] (0x0400): CR #1: Looking up [UID:0@indirect.ipa.ff] in data provider
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x416030:1:*@indirect.ipa.ff]
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [indirect.ipa.ff][0x1][BE_REQ_USER][*:-]
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [sbus_add_timeout] (0x2000): 0x252a330
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x416030:1:*@indirect.ipa.ff]
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x252a330
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x25238c0
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #1: Looking up [UID:0@indirect.ad.ff] in cache
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x252f960
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x2534150
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [ldb] (0x4000): Running timer event 0x252f960 "ltdb_callback"
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x2534150 "ltdb_timeout"
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x252f960 "ltdb_callback"
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #1: Object [UID:0@indirect.ad.ff] was not found in cache
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [cache_req_search_ncache_add] (0x2000): CR #1: This request type does not support negative cache
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [cache_req_global_ncache_add] (0x0400): CR #1: Adding [UID:0@indirect.ad.ff] to global negative cache
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/UID/0] to negative cache
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [cache_req_process_result] (0x0400): CR #1: Finished: Not found
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [memcache_delete_entry] (0x0040): Bug: invalid input!
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [nss_protocol_done] (0x4000): Sending reply: not found
    ```
- **NSS: Don't error out when deleting an entry which has id = 0 from the memcache**:
  - Considering the very same environment, just do:
  - `id root`;
  - Inspect sssd_nss.log, looking for "Bug: invalid input!" from memcache_delete_entry;
  - Without this patch:
    ```
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #1: Object [UID:0@indirect.ad.ff] was not found in cache
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [cache_req_search_ncache_add] (0x2000): CR #1: This request type does not support negative cache
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [cache_req_global_ncache_add] (0x0400): CR #1: Adding [UID:0@indirect.ad.ff] to global negative cache
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/UID/0] to negative cache
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [cache_req_process_result] (0x0400): CR #1: Finished: Not found
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [memcache_delete_entry] (0x0040): Bug: invalid input!
    (Mon Aug 14 19:26:11 2017) [sssd[nss]] [nss_protocol_done] (0x4000): Sending reply: not found
    ```
  - With this patch:
    ```
    (Mon Aug 14 19:34:08 2017) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #1: Object [UID:0@indirect.ad.ff] was not found in cache
    (Mon Aug 14 19:34:08 2017) [sssd[nss]] [cache_req_search_ncache_add] (0x2000): CR #1: This request type does not support negative cache
    (Mon Aug 14 19:34:08 2017) [sssd[nss]] [cache_req_global_ncache_add] (0x0400): CR #1: Adding [UID:0@indirect.ad.ff] to global negative cache
    (Mon Aug 14 19:34:08 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/UID/0] to negative cache
    (Mon Aug 14 19:34:08 2017) [sssd[nss]] [cache_req_process_result] (0x0400): CR #1: Finished: Not found
    (Mon Aug 14 19:34:08 2017) [sssd[nss]] [nss_protocol_done] (0x4000): Sending reply: not found
    ```
- **NEGCACHE: Add root's uid/gid to ncache**:
  - Considering the very same environment, just do:
  - `id root`;
  - Inspect sssd_nss.log, looking for a lookup in the data provider;
  - Without this patch:
    ```
    (Mon Aug 14 19:39:17 2017) [sssd[nss]] [nss_getby_id] (0x0400): Input ID: 0
    (Mon Aug 14 19:39:17 2017) [sssd[nss]] [cache_req_set_plugin] (0x2000): CR #1: Setting "User by ID" plugin
    (Mon Aug 14 19:39:17 2017) [sssd[nss]] [cache_req_send] (0x0400): CR #1: New request 'User by ID'
    (Mon Aug 14 19:39:17 2017) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #1: Performing a multi-domain search
    (Mon Aug 14 19:39:17 2017) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #1: Search will check the cache and check the data provider
    (Mon Aug 14 19:39:17 2017) [sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain indirect.ipa.ff type POSIX is valid
    (Mon Aug 14 19:39:17 2017) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #1: Using domain [indirect.ipa.ff]
    (Mon Aug 14 19:39:17 2017) [sssd[nss]] [cache_req_search_send] (0x0400): CR #1: Looking up UID:0@indirect.ipa.ff
    (Mon Aug 14 19:39:17 2017) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #1: Checking negative cache for [UID:0@indirect.ipa.ff]
    (Mon Aug 14 19:39:17 2017) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/UID/0]
    (Mon Aug 14 19:39:17 2017) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #1: [UID:0@indirect.ipa.ff] is not present in negative cache
    (Mon Aug 14 19:39:17 2017) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #1: Looking up [UID:0@indirect.ipa.ff] in cache
    (Mon Aug 14 19:39:17 2017) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x82b230
    (Mon Aug 14 19:39:17 2017) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x825100
    (Mon Aug 14 19:39:17 2017) [sssd[nss]] [ldb] (0x4000): Running timer event 0x82b230 "ltdb_callback"
    (Mon Aug 14 19:39:17 2017) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x825100 "ltdb_timeout"
    (Mon Aug 14 19:39:17 2017) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x82b230 "ltdb_callback"
    (Mon Aug 14 19:39:17 2017) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #1: Object [UID:0@indirect.ipa.ff] was not found in cache
    (Mon Aug 14 19:39:17 2017) [sssd[nss]] [cache_req_search_dp] (0x0400): CR #1: Looking up [UID:0@indirect.ipa.ff] in data provider
    (Mon Aug 14 19:39:17 2017) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x415ff0:1:*@indirect.ipa.ff]
    (Mon Aug 14 19:39:17 2017) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [indirect.ipa.ff][0x1][BE_REQ_USER][*:-]
    (Mon Aug 14 19:39:17 2017) [sssd[nss]] [sbus_add_timeout] (0x2000): 0x825330
    (Mon Aug 14 19:39:17 2017) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x415ff0:1:*@indirect.ipa.ff]
    (Mon Aug 14 19:39:17 2017) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x825330
    (Mon Aug 14 19:39:17 2017) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x81e8c0
    (Mon Aug 14 19:39:17 2017) [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
    (Mon Aug 14 19:39:17 2017) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
    ```
  - With this patch:
    ```
    (Mon Aug 14 19:41:29 2017) [sssd[nss]] [nss_getby_id] (0x0400): Input ID: 0
    (Mon Aug 14 19:41:29 2017) [sssd[nss]] [cache_req_set_plugin] (0x2000): CR #1: Setting "User by ID" plugin
    (Mon Aug 14 19:41:29 2017) [sssd[nss]] [cache_req_send] (0x0400): CR #1: New request 'User by ID'
    (Mon Aug 14 19:41:29 2017) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #1: Performing a multi-domain search
    (Mon Aug 14 19:41:29 2017) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #1: Search will check the cache and check the data provider
    (Mon Aug 14 19:41:29 2017) [sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain indirect.ipa.ff type POSIX is valid
    (Mon Aug 14 19:41:29 2017) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #1: Using domain [indirect.ipa.ff]
    (Mon Aug 14 19:41:29 2017) [sssd[nss]] [cache_req_search_send] (0x0400): CR #1: Looking up UID:0@indirect.ipa.ff
    (Mon Aug 14 19:41:29 2017) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #1: Checking negative cache for [UID:0@indirect.ipa.ff]
    (Mon Aug 14 19:41:29 2017) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/UID/0]
    (Mon Aug 14 19:41:29 2017) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #1: [UID:0@indirect.ipa.ff] does not exist (negative cache)
    (Mon Aug 14 19:41:29 2017) [sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain indirect.ad.ff type POSIX is valid
    (Mon Aug 14 19:41:29 2017) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #1: Using domain [indirect.ad.ff]
    (Mon Aug 14 19:41:29 2017) [sssd[nss]] [cache_req_search_send] (0x0400): CR #1: Looking up UID:0@indirect.ad.ff
    (Mon Aug 14 19:41:29 2017) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #1: Checking negative cache for [UID:0@indirect.ad.ff]
    (Mon Aug 14 19:41:29 2017) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/UID/0]
    (Mon Aug 14 19:41:29 2017) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #1: [UID:0@indirect.ad.ff] does not exist (negative cache)
    (Mon Aug 14 19:41:29 2017) [sssd[nss]] [cache_req_process_result] (0x0400): CR #1: Finished: Not found
    (Mon Aug 14 19:41:29 2017) [sssd[nss]] [nss_protocol_done] (0x4000): Sending reply: not found
    ```
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/347/head:pr347
git checkout pr347
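The log inspection steps in the PR description can be automated. The following is an added example, not part of the PR or of SSSD's code: it checks that "root" was permanently negative-cached as user and group in every domain, and that no lookup for root or ID 0 reached the data provider. The function names are hypothetical, the sample lines are copied from the excerpts above, and it assumes the debug level is high enough for the `sss_ncache_set_str` and `cache_req_search_dp` messages to be logged.

```python
import re

# Constructed samples: every line is copied from the sssd_nss.log excerpts in the
# PR description, trimmed to the entries this audit looks at.
UNPATCHED_LOG = """\
(Mon Aug 14 17:09:50 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/indirect.ipa.ff/foo@indirect.ipa.ff] to negative cache permanently
(Mon Aug 14 17:09:50 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/indirect.ipa.ff/bar@indirect.ipa.ff] to negative cache permanently
(Mon Aug 14 19:39:17 2017) [sssd[nss]] [cache_req_search_dp] (0x0400): CR #1: Looking up [UID:0@indirect.ipa.ff] in data provider
"""

PATCHED_LOG = """\
(Mon Aug 14 17:13:31 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/indirect.ipa.ff/root@indirect.ipa.ff] to negative cache permanently
(Mon Aug 14 17:13:31 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/indirect.ipa.ff/root@indirect.ipa.ff] to negative cache permanently
(Mon Aug 14 17:13:31 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/indirect.ad.ff/root@indirect.ad.ff] to negative cache permanently
(Mon Aug 14 17:13:31 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/indirect.ad.ff/root@indirect.ad.ff] to negative cache permanently
(Mon Aug 14 19:41:29 2017) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #1: [UID:0@indirect.ipa.ff] does not exist (negative cache)
"""

# Domains of the PR's AD-trust test environment, as they appear in its logs.
DOMAINS = ("indirect.ipa.ff", "indirect.ad.ff")

# "Adding [NCE/<KIND>/<domain>/<name>@<domain>] to negative cache permanently"
PERMANENT_RE = re.compile(
    r"\[sss_ncache_set_str\].*Adding \[NCE/(USER|GROUP)/([^/\]]+)/([^@\]]+)@[^\]]+\]"
    r" to negative cache permanently"
)

# A cache request that fell through to the backend for root or ID 0.
# The "GID:0@" spelling is an assumption by analogy with the "UID:0@" lines in the PR.
BACKEND_RE = re.compile(
    r"\[cache_req_search_dp\].*Looking up \[((?:UID:0|GID:0|root)@[^\]]+)\]"
    r" in data provider"
)


def permanent_entries(log_text):
    """Return {(kind, domain, name)} for every permanent negative-cache insert."""
    matches = map(PERMANENT_RE.search, log_text.splitlines())
    return {m.groups() for m in matches if m}


def audit_root_filtering(log_text, domains=DOMAINS):
    """Report root entries missing from the ncache and root lookups sent to the backend."""
    entries = permanent_entries(log_text)
    missing = [
        f"NCE/{kind}/{dom}/root@{dom}"
        for dom in domains
        for kind in ("USER", "GROUP")
        if (kind, dom, "root") not in entries
    ]
    matches = map(BACKEND_RE.search, log_text.splitlines())
    backend_lookups = [m.group(1) for m in matches if m]
    return {"missing": missing, "backend_lookups": backend_lookups}


if __name__ == "__main__":
    for label, log in (("unpatched", UNPATCHED_LOG), ("patched", PATCHED_LOG)):
        print(label, audit_root_filtering(log))
```

A non-empty `missing` or `backend_lookups` list means a directory server could still be asked about, and answer for, the local superuser.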
URL: https://github.com/SSSD/sssd/pull/347 Title: #347: Fixes related to negative cache and "root" user/group
fidencio commented: """ This patch set is missing a test case, which will be added soon following @jhrozek's on IRC, which has been copied and pasted below:
```
<jhrozek> fidencio: you could add an entry with name=root (and non-zero UID) and then an entry with uidNumber=0 (and name different from root) and check that the integration tests do not return these entries
```
"""
See the full comment at https://github.com/SSSD/sssd/pull/347#issuecomment-322259237
URL: https://github.com/SSSD/sssd/pull/347 Author: fidencio Title: #347: Fixes related to negative cache and "root" user/group Action: synchronized
URL: https://github.com/SSSD/sssd/pull/347 Title: #347: Fixes related to negative cache and "root" user/group
fidencio commented: """ I've updated the patch set adding 3 tests:

- **TEST_NEGCACHE: Test that "root" is always added to ncache**:
  - This patch basically tests "NEGCACHE: Always add "root" to the negative cache". In order to test the patch do:
  - Run make check and verify it passes;
  - Revert "NEGCACHE: Always add "root" to the negative cache";
  - Run make check and verify it fails;
- **TEST_NEGCACHE: Ensure that "0" is always added to ncache**:
  - This patch basically tests "NEGCACHE: Add "0" to the negative cache". In order to test the patch do:
  - Run make check and verify it passes;
  - Revert "NEGCACHE: Add "0" to the negative cache";
  - Run make check and verify it fails;
- **TEST_NEGCACHE: Ensure root's uid and gid are always added to ncache**:
  - This patch basically tests "NEGCACHE: Add root's uid/gid to ncache". In order to test the patch do:
  - Run make check and verify it passes;
  - Revert "NEGCACHE: Add root's uid/gid to ncache";
  - Run make check and verify it fails;
"""
See the full comment at https://github.com/SSSD/sssd/pull/347#issuecomment-322714081
URL: https://github.com/SSSD/sssd/pull/347 Author: fidencio Title: #347: Fixes related to negative cache and "root" user/group Action: synchronized
URL: https://github.com/SSSD/sssd/pull/347 Title: #347: Fixes related to negative cache and "root" user/group
fidencio commented: """ The very same issue about root being added to the negative cache happens also in sssd-1-14 branch and some of the patches will be backported (after this series gets reviewed and pushed). """
See the full comment at https://github.com/SSSD/sssd/pull/347#issuecomment-322741872
URL: https://github.com/SSSD/sssd/pull/347 Title: #347: Fixes related to negative cache and "root" user/group
fidencio commented: """ And also in sssd-1-13 branch! """
See the full comment at https://github.com/SSSD/sssd/pull/347#issuecomment-322744112
URL: https://github.com/SSSD/sssd/pull/347 Title: #347: Fixes related to negative cache and "root" user/group
jhrozek commented: """ The patches mostly look good and fix the issue. I have two things to ask:

1) I don't think the patches that special-case the "id 0" case are needed. If you run "id 0" and tail the NSS logs, you would see that the id utility tries to be smart and treats the numerical input as name (unlike getent passwd which tries to convert the input to an integer and if that succeeds, calls getpwuid instead of getpwnam). I'm not sure if name "0" is legal in the POSIX sense or if utilities like useradd would allow adding a user with the name "0", but I don't think we should special case this. Just the name root and the UID 0 because those have a special meaning in UNIX.
2) I wrote integration tests for this PR. Currently they would fail because they test this fix, but I think we should push them atop your patches. You can find the tests here: https://github.com/jhrozek/sssd/tree/review
If you agree, then let's push this PR and then I'll open a new PR with the tests and you can review those three test patches. """
See the full comment at https://github.com/SSSD/sssd/pull/347#issuecomment-324001097
URL: https://github.com/SSSD/sssd/pull/347 Title: #347: Fixes related to negative cache and "root" user/group
jhrozek commented: """ Actually, one more question -- why do we descend into only active domains? I think we should set the negcache also for disabled domains. """
See the full comment at https://github.com/SSSD/sssd/pull/347#issuecomment-324001322
URL: https://github.com/SSSD/sssd/pull/347 Title: #347: Fixes related to negative cache and "root" user/group
Label: +Changes requested
URL: https://github.com/SSSD/sssd/pull/347 Title: #347: Fixes related to negative cache and "root" user/group
fidencio commented: """ @jhrozek: Let me answer your questions here ...
1. I've dropped the patches related to "0";
2. Thanks for the integration tests. I've gone through your patches and added them on top of mine (with the Reviewed-by ...). So, if you want someone else to take a look at those, feel free to ping whoever you feel the more appropriate person would be. But, IMO, there's no need to open a new PR with those.
3. As replied in the code, we descend only into active domains because I wasn't sure whether it would be a good idea to descend also into inactive domains. I've changed that already.
Thanks for the review, suggestion and patches. I'll update the PR soon. """
See the full comment at https://github.com/SSSD/sssd/pull/347#issuecomment-324015664
URL: https://github.com/SSSD/sssd/pull/347 Author: fidencio Title: #347: Fixes related to negative cache and "root" user/group Action: synchronized
URL: https://github.com/SSSD/sssd/pull/347 Title: #347: Fixes related to negative cache and "root" user/group
Label: -Changes requested
URL: https://github.com/SSSD/sssd/pull/347 Title: #347: Fixes related to negative cache and "root" user/group
jhrozek commented: """ On Tue, Aug 22, 2017 at 12:48:50PM +0000, fidencio wrote:
@jhrozek: Let me answer your questions here ...
- I've dropped the patches related to "0";
- Thanks for the integration tests. I've gone through your patches and added them on top of mine (with the Reviewed-by ...). So, if you want someone else to take a look at those, feel free to ping whoever you feel the more appropriate person would be. But, IMO, there's no need to open a new PR with those.
- As replied in the code, we descend only into active domains because I wasn't sure whether it would be a good idea to descend also into inactive domains. I've changed that already.
As long as the global option works for subdomains, I'm fine. The per-subdomain option can be added later, when we expose individual options for subdomains.
"""
See the full comment at https://github.com/SSSD/sssd/pull/347#issuecomment-324030952
URL: https://github.com/SSSD/sssd/pull/347 Title: #347: Fixes related to negative cache and "root" user/group
fidencio commented: """ retest this, please """
See the full comment at https://github.com/SSSD/sssd/pull/347#issuecomment-324096441
URL: https://github.com/SSSD/sssd/pull/347 Title: #347: Fixes related to negative cache and "root" user/group
Label: +Accepted
URL: https://github.com/SSSD/sssd/pull/347 Title: #347: Fixes related to negative cache and "root" user/group
jhrozek commented: """ CI: http://vm-058-233.XXX/logs/job/74/35/summary.html
(there was one failure related to the buggy leak check that we already track, but that's unrelated to this patch) """
See the full comment at https://github.com/SSSD/sssd/pull/347#issuecomment-325436934
URL: https://github.com/SSSD/sssd/pull/347 Title: #347: Fixes related to negative cache and "root" user/group
jhrozek commented: """ * master: 6c3841099addb84bf3e9a2f85e96dffae1b94623 5883b99fa0d13368f6e79fdb40b6637d36ed1801 137e105ac8ca3476d2f74d24ae13860774937000 b4b3d0642120ca05f63959fe2f317a6b93031929 3ad33ca77044f9a9d18f7def271b0beb180e567b 431c7508e0d256b9c712cb9dcb9aa4cb635f4a0b 8888d7a46371ddd2c2514c3e81b58bb1090902a2 9908bdc9755e744c3e2c7c746a4edf95f9083ef5 e54764d62bfcc48770d9b2578132979aa58636e5 1e7b7da3aa56060c26f8ba1c08318cdee77753ea b54d79cf3c8017e186b5ea7cdc383746233db39b
"""
See the full comment at https://github.com/SSSD/sssd/pull/347#issuecomment-325446825
URL: https://github.com/SSSD/sssd/pull/347 Title: #347: Fixes related to negative cache and "root" user/group
Label: +Pushed
URL: https://github.com/SSSD/sssd/pull/347 Author: fidencio Title: #347: Fixes related to negative cache and "root" user/group Action: closed
sssd-devel@lists.fedorahosted.org