On Wed, Feb 26, 2014 at 06:02:46PM +0100, Sumit Bose wrote:
> On Wed, Feb 26, 2014 at 05:55:10PM +0100, Jakub Hrozek wrote:
> > On Wed, Feb 26, 2014 at 05:42:29PM +0100, Sumit Bose wrote:
> > > On Wed, Feb 26, 2014 at 04:15:30PM +0100, Jakub Hrozek wrote:
> > > > On Tue, Feb 25, 2014 at 08:53:45PM +0100, Jakub Hrozek wrote:
> > > > > On Tue, Feb 25, 2014 at 08:39:26PM +0100, Jakub Hrozek wrote:
> > > > > > > On Tue, Feb 25, 2014 at 11:58:41AM -0500, Dmitri Pal wrote:
> > > > > > > On 02/25/2014 11:11 AM, Jakub Hrozek wrote:
> > > > > > > >Hi,
> > > > > > > >
> > > > > > > > >the attached patch addresses #2252. I tried to make it clear that
> > > > > > > > >removing the cache should only be done while online, but I'm open to any
> > > > > > > > >further suggestions.
> > > > > > > >
> > > > > > > >
> > > > > > > >_______________________________________________
> > > > > > > >sssd-devel mailing list
> > > > > > > >sssd-devel(a)lists.fedorahosted.org
> > > > > > > >https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
> > > > > > >
> > > > > > > + Please note that changing the ID mapping related configuration
> > > > > > > + options might cause --->the<---- user and group IDs to change. At the moment,
> > > > > > > + SSSD does not support changing IDs, so the SSSD database must be
> > > > > > > + removed. Because cached passwords are also stored in the database,
> > > > > > > + removing the database should only be performed while the SSSD
> > > > > > > + is online, otherwise users might get locked out.
> > > > > > >
> > > > > > > I do not think you need "the" in this case.
> > > > > >
> > > > > > Thank you, a new patch is attached. I'm constantly struggling with using
> > > > > > articles as Czech has no such concept :)
> > > > >
> > > > > Sorry, I attached the original patch again by accident.
> > > >
> > > > During an IRC discussion, Stephen suggested using a bit stronger language
> > > > (will instead of might) and stressing that changing IDs is not a
> > > > good idea as file ownership needs to be fixed as well.
> > > >
> > > > A new patch is attached.
> > >
> > > > From d27dcb79d19076580ee689d2cd42c0bb2f9fe905 Mon Sep 17 00:00:00 2001
> > > > From: Jakub Hrozek <jhrozek(a)redhat.com>
> > > > Date: Tue, 25 Feb 2014 17:09:00 +0100
> > > > Subject: [PATCH] MAN: Clarify that changing ID mapping options might require
> > > > purging the cache
> > > >
> > > > https://fedorahosted.org/sssd/ticket/2252
> > > >
> > > > Currently SSSD chokes when IDs of users change, we don't support ID
> > > > changes yet. Because some users were confused about the failures, this
> > > > patch adds additional clarification.
> > > > ---
> > > > src/man/include/ldap_id_mapping.xml | 11 +++++++++++
> > > > 1 file changed, 11 insertions(+)
> > > >
> > > > diff --git a/src/man/include/ldap_id_mapping.xml
b/src/man/include/ldap_id_mapping.xml
> > > > index
9dda399243bfd1725509c239d3358f2ef7501014..a10dcd52a1687c4d97211ebdabc77095bbfccf5a 100644
> > > > --- a/src/man/include/ldap_id_mapping.xml
> > > > +++ b/src/man/include/ldap_id_mapping.xml
> > > > @@ -12,6 +12,17 @@
> > > > need to use manually-assigned values, ALL values must be
> > > > manually-assigned.
> > > > </para>
> > > > + <para>
> > > > + Please note that changing the ID mapping related
configuration
> > > > + options will cause user and group IDs to change. At the
moment,
> > > > + SSSD does not support changing IDs, so the SSSD database
must be
> > > > + removed. Because cached passwords are also stored in the
database,
> > > > + removing the database should only be performed while the
SSSD
> > > > + is online, otherwise users might get locked out. Moreover,
the
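Review bot: the new paragraph tells the admin that "the SSSD database must be removed" but never says what that database is or where it lives, so the reader still has to guess which files to delete; name the cache directory (the on-disk SSSD database directory) or the command to run, right next to the sentence that requires the removal. Also, "while the SSSD is online" reads as "while the sssd daemon is running", which is not what the removal needs, since the database should be removed with the daemon stopped; say "while the remote authentication servers are reachable" and spell the procedure out as explicit stop/remove/start steps. Finally, "ID mapping related configuration options" wants hyphens: "ID-mapping-related configuration options".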
> > >
> > > 'while the SSSD is online', I think this is a bit misleading because I
> > > would read this as 'SSSD has to be running' and I think this is not what
> > > you meant. Maybe the steps should be given more explicitly.
> >
> > Right, I think this is because I'm too involved with the internals.
> >
> > >
> > > 1. make sure system is online and your servers are reachable
> > > 2. stop sssd
> > > 3. remove cache
> > > 4. start sssd
> >
> > Added.
> >
> > >
> > > Additionally it might be good to mention that using sss_cache to
> > > invalidate the cache is not sufficient.
> > >
> > > bye,
> > > Sumit
> >
> > Thanks for the review, a new patch is attached.
>
> > From 014ac08946fcf2ba02f6e538e19bf233c44e53dd Mon Sep 17 00:00:00 2001
> > From: Jakub Hrozek <jhrozek(a)redhat.com>
> > Date: Tue, 25 Feb 2014 17:09:00 +0100
> > Subject: [PATCH] MAN: Clarify that changing ID mapping options might require
> > purging the cache
> >
> > https://fedorahosted.org/sssd/ticket/2252
> >
> > Currently SSSD chokes when IDs of users change, we don't support ID
> > changes yet. Because some users were confused about the failures, this
> > patch adds additional clarification.
> > ---
> > src/man/include/ldap_id_mapping.xml | 39
+++++++++++++++++++++++++++++++++++++
> > 1 file changed, 39 insertions(+)
> >
> > diff --git a/src/man/include/ldap_id_mapping.xml
b/src/man/include/ldap_id_mapping.xml
> > index
9dda399243bfd1725509c239d3358f2ef7501014..f06b52616801ca523326246cbb4d5e8b9c4de0fb 100644
> > --- a/src/man/include/ldap_id_mapping.xml
> > +++ b/src/man/include/ldap_id_mapping.xml
> > @@ -12,6 +12,45 @@
> > need to use manually-assigned values, ALL values must be
> > manually-assigned.
> > </para>
> > + <para>
> > + Please note that changing the ID mapping related configuration
> > + options will cause user and group IDs to change. At the moment,
> > + SSSD does not support changing IDs, so the SSSD database must be
> > + removed. Because cached passwords are also stored in the database,
> > + removing the database should only be performed while the
authentication
> > + servers are reachable, otherwise users might get locked out. It is
not
> > + sufficient to use
> > + <citerefentry>
> > + <refentrytitle>sss_cache</refentrytitle>
> > + <manvolnum>8</manvolnum>
> > + </citerefentry>
> > + to remove the database, rather the process
> > + consists of:
> > + <itemizedlist>
> > + <listitem>
> > + <para>
> > + Making sure the remote servers are reachable
> > + </para>
> > + <para>
> > + Stopping the SSSD service
> > + </para>
> > + </listitem>
> > + <listitem>
> > + <para>
> > + Removing the database
> > + </para>
> > + </listitem>
> > + <listitem>
> > + <para>
> > + Starting the SSSD service
> > + </para>
> > + </listitem>
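Review bot: the first <listitem> (the one holding "Making sure the remote servers are reachable" and "Stopping the SSSD service") contains two <para> elements, so the intended four-step procedure renders as three bullets with the reachability check and the service stop fused into one item; close the <listitem> after the first <para> and open a new <listitem> for "Stopping the SSSD service" so each step is its own bullet. Because the order of these steps is the whole point (the reachability check must come before the removal), an <orderedlist> would express that better than <itemizedlist>. The text also still does not say where the database lives or how to remove it; since the paragraph explicitly warns that sss_cache is not enough, naming the cache directory that has to be cleared would save the reader the guess.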
>
> ah, sorry, I still have one comment, with respect to getting locked out.
> If passwords are cached the user should authenticate once to get the
> password cached, e.g by calling 'su username' but not as root.
>
> bye,
> Sumit
OK, I added a sentence saying that authentication must be performed.
A new patch is attached.
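The procedure settled on in this thread (check that the servers are reachable, stop sssd, remove the database, start sssd, then have each user authenticate once so the cached password is repopulated), as an added shell example that is not part of the patch or of SSSD itself. It assumes the SSSD default cache directory /var/lib/sss/db and its *.ldb files (the exact file list varies by version), a systemd-managed sssd.service, that "reachable" means a TCP connection to the LDAP/AD server's port succeeds, and a DRY_RUN switch that only prints the privileged commands; the host and port are parameters, not values taken from the thread.

```shell
#!/bin/sh
# Added example, not SSSD project code: purge the SSSD cache in the order the
# man-page text prescribes, refusing to do anything while the authentication
# server is unreachable (otherwise users with only cached credentials are
# locked out). Assumptions (adjust per site):
#   - SSSD_DB_DIR is the SSSD cache directory (default /var/lib/sss/db); the
#     cache is taken to be the *.ldb files in it, which varies by version
#   - sssd is managed by systemctl as sssd.service
#   - "reachable" means a TCP connect to HOST:PORT succeeds
#   - DRY_RUN=1 prints the privileged commands instead of running them

SSSD_DB_DIR="${SSSD_DB_DIR:-/var/lib/sss/db}"
DRY_RUN="${DRY_RUN:-0}"

# Run a privileged command, or just echo it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: the server must answer on its port. Uses nc when present; the
# /dev/tcp fallback only works in bash and fails closed in a plain POSIX sh,
# which is the safe direction for this check.
server_reachable() {
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$1" "$2" >/dev/null 2>&1
    else
        (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null
    fi
}

# Steps 2-4: stop SSSD, remove the database, start SSSD.
# Returns 2 and touches nothing when the reachability check fails.
purge_sssd_cache() {
    host=$1
    port=${2:-389}
    if ! server_reachable "$host" "$port"; then
        echo "refusing to purge: $host:$port is unreachable; cached-only users would be locked out" >&2
        return 2
    fi
    run systemctl stop sssd.service || return 1
    # sss_cache only invalidates entries; the on-disk database has to go.
    run rm -f "$SSSD_DB_DIR"/*.ldb || return 1
    run systemctl start sssd.service || return 1
    # Step 5 cannot be scripted here: each user must log in once (for example
    # 'su - USER' from a non-root shell) so the password is cached again.
    echo "cache purged; each user must now authenticate once to re-cache credentials"
}

# usage: DRY_RUN=1 ./purge_sssd_cache.sh ldap.example.com 389
if [ -n "${1:-}" ]; then
    purge_sssd_cache "$1" "${2:-389}"
fi
```

Run it with DRY_RUN=1 first to see exactly which files would be deleted; the reachability gate is deliberately fail-closed, so a host lookup failure or a missing nc also blocks the purge rather than allowing it.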