Hi,
one of the recent patches related to the changes of the sysdb calls to return ENOENT broke the flow in the lookups by SID. As a result the request always returned if no result was found in the cache instead of asking the backend. With the new flow the ldb_result has to be properly initialized (I remember there was a long discussion about it, but I can't remember the result, so I fixed it in the caller).
To verify this you just need to look up a SID which is currently not in the cache, the easiest way is to use an empty cache:
python -c "import pysss_nss_idmap; print pysss_nss_idmap.getnamebysid('S-1-5-21-3456664713-2053453454-4165325232-500')"
Without the patch only an empty list is returned, with the patch the SID is properly looked up by the backend.
bye, Sumit
On (22/01/15 18:39), Sumit Bose wrote:
Hi,
one of the recent patches related to the changes of the sysdb calls to return ENOENT broke the flow in the lookups by SID. As a result the request always returned if no result was found in the cache instead of asking the backend. With the new flow the ldb_result has to be properly initialized (I remember there was a long discussion about it, but I can't remember the result, so I fixed it in the caller).
To verify this you just need to look up a SID which is currently not in the cache, the easiest way is to use an empty cache:
python -c "import pysss_nss_idmap; print pysss_nss_idmap.getnamebysid('S-1-5-21-3456664713-2053453454-4165325232-500')"
Without the patch only an empty list is returned, with the patch the SID is properly looked up by the backend.
bye, Sumit
hmm, I probably did something wrong in my test (sssd + your patch) because it does not work for me.
sh$ id idmapuser01-237231
uid=1663209156(idmapuser01-237231) gid=1663200513(Domain Users) groups=1663200513(Domain Users),1663209158(idmapgroup01-237231)
sh$ id idmapuser02-237231
uid=1663209157(idmapuser02-237231) gid=1663200513(Domain Users) groups=1663200513(Domain Users),1663209159(idmapgroup02-237231)

sh$ ldbsearch -H /var/lib/sss/db/cache_ADTEST.ldb -b name=idmapuser01-237231,cn=users,cn=ADTEST,cn=sysdb objectSIDString
asq: Unable to register control with rootdse!
# record 1
dn: name=idmapuser01-237231,cn=users,cn=ADTEST,cn=sysdb
objectSIDString: S-1-5-21-1980617158-3813236253-3438683870-9156

# returned 1 records
# 1 entries
# 0 referrals

sh$ service sssd stop; rm -f /var/lib/sss/{db,mc}/*
Redirecting to /bin/systemctl stop sssd.service
sh$ service sssd start
Redirecting to /bin/systemctl start sssd.service

sh$ id idmapuser02-237231
uid=1663209157(idmapuser02-237231) gid=1663200513(Domain Users) groups=1663200513(Domain Users),1663209159(idmapgroup02-237231)
# sssd_be is connected now
sh$ python -c "import pysss_nss_idmap; print pysss_nss_idmap.getnamebysid('S-1-5-21-1980617158-3813236253-3438683870-9156')"
{}
LS
On (22/01/15 18:39), Sumit Bose wrote:
From b04a7814f5ca1a21c333e8e9596104a71d0720fe Mon Sep 17 00:00:00 2001 From: Sumit Bose sbose@redhat.com Date: Thu, 22 Jan 2015 18:30:04 +0100 Subject: [PATCH] nss: fix SID lookups
src/responder/nss/nsssrv_cmd.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
Sumit helped me with my issue in a different mail. I was using id_provider = ldap with AD and therefore the subdomain provider was not configured. Therefore I was not able to use pysss_nss_idmap.getnamebysid.
It works with id_provider = ad.
There are no warnings from static analysers. http://sssd-ci.duckdns.org/logs/job/6/59/summary.html
ACK
LS
On Fri, Jan 23, 2015 at 12:27:36PM +0100, Lukas Slebodnik wrote:
It works with id_provider = ad.
There are no warnings from static analysers. http://sssd-ci.duckdns.org/logs/job/6/59/summary.html
ACK
LS
* master: d6ddc35574ba897cf9b5de3350086d9d8604f06f
* sssd-1-12: 97c0a591a1e09be520a6faaf51a4ba72d76f0c24
sssd-devel@lists.fedorahosted.org