On Mon, Sep 24, 2018 at 06:52:50PM +0000, Beale (US), Gareth wrote:
> > The way the code is currently written is, if there is a duplicate:
> > - check if the "new" group has the same SID, uniqueID or original DN
> > as the "old" one
> > - yes, same: this is a rename, allow
> > - no, different: this is a duplicate, error
>
> I'm not clear on the start of this flow - what is meant by "if there is a
> duplicate"?
>
> What I see on the affected system is e.g.:
>
> getent group abcd..1
> abcd..1 :*:1234:<userlist for abcd..1>
> getent group 1234
> (returns same entry as for abcd..1)
>
> Oddly, if I then:
>
> getent group abcd..2
> abcd..2 :*:1234:<userlist for abcd..2>
> getent group 1234
> (returns same entry as for abcd..1 - not abcd..2)

This is most probably returned from the memory cache. If you call

    SSS_NSS_USE_MEMCACHE=no getent group 1234

I would expect that you see the empty results always after
'getent group abcd..2' is called because the request will now go
directly to the SSSD nss responder where the duplicate GID is detected.

bye,
Sumit
>
> However, at some point the cache gets into a state whereby:
>
> getent group 1234
> (returns empty result and also the duplicate GID error message in system log)
> a subsequent "getent group abcd..N" will also generally return the empty
> result. However if I script a getent of every suffixed group, each time followed by a
> getent of the GID, eventually it "kicks loose" and reverts to the initial state.
> It doesn't last very long however. General system activity seems to return it to the
> "stuck cache" before too long. Since we have multiple split groups, this can be
> happening simultaneously for multiple groups.
>
> Gareth
>
>
> -----Original Message-----
> From: Jakub Hrozek [mailto:jhrozek@redhat.com]
> Sent: Monday, September 24, 2018 10:59 AM
> To: sssd-users(a)lists.fedorahosted.org
> Subject: [SSSD-users] Re: Issues with SSSD cache on version 1.13.4
>
> On Mon, Sep 24, 2018 at 10:22:35AM -0400, Simo Sorce wrote:
> > > btw it’s a good question to ask why isn’t the check done on saving
> > > the group. I thought it was and I see code that checks for ID
> > > uniqueness and even a test..
> >
> > In current code, saving would override data as if the group was
> > renamed changed I think ?
>
> The way the code is currently written is, if there is a duplicate:
> - check if the "new" group has the same SID, uniqueID or original DN
> as the "old" one
> - yes, same: this is a rename, allow
> - no, different: this is a duplicate, error
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
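
To find which GIDs are claimed by more than one group name (the condition behind the duplicate GID error discussed in this thread), here is an added shell example; it is not part of the original messages or of SSSD. It reads group(5)-format lines and lists every GID shared by several distinct names. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not SSSD code): report GIDs that several group names share.
# Input on stdin: group(5)-format lines, name:passwd:gid:members.
# Output: one line per conflicting GID, "gid: name1,name2,...", sorted by GID.

find_duplicate_gids() {
    awk -F: '
        # Only consider lines that have a numeric GID in field 3.
        NF >= 3 && $3 ~ /^[0-9]+$/ {
            name = $1
            gsub(/^[ \t]+|[ \t]+$/, "", name)   # tolerate stray whitespace around the name
            key = $3 SUBSEP name
            # Count each (gid, name) pair once, so a repeated line is not a conflict.
            if (!(key in seen)) {
                seen[key] = 1
                count[$3]++
                names[$3] = (names[$3] == "" ? name : names[$3] "," name)
            }
        }
        END {
            for (gid in count)
                if (count[gid] > 1)
                    print gid ": " names[gid]
        }
    ' | sort -n
}

# Constructed sample data: two sets of split groups that reuse a GID,
# one repeated line, and two ordinary groups with unique GIDs.
sample_groups() {
    cat <<'EOF'
abcd..1:*:1234:alice,bob
abcd..2:*:1234:carol
abcd..1:*:1234:alice,bob
wheel:*:10:root
efgh..1:*:2000:dave
efgh..2:*:2000:erin
users:*:100:
EOF
}

# Stand-alone run over the constructed sample.
sample_groups | find_duplicate_gids
```
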