UNOFFICIAL
Hi,

I've noticed a cache issue in SSSD 1.12 on RHEL 6 after executing a global update via ansible (ansible all -m yum -a "name=* state=latest").

Essentially after the update, queries against the cache appear to return invalid (incomplete) results on all 12 RHEL boxes that were updated.

Issuing an "sss_cache -E" does not correct the issue, but it is fixed after stopping SSSD, deleting the DB (rm /var/lib/sss/db/*) and then restarting SSSD.

SSSD --version appears to report as 1.12.4 both before and after the update.

User query after patching:

id "username"
uid=xxx(username) guid=xxx(group 1) groups=xxx(group 1)

The UID and GUIDs above are correct - but incomplete as the user is a member of 28 groups.

User query results both before patching and after patching (after removing /var/lib/sss/db/*)

id "username"
uid=xxx(username) guid=xxx(group 1) groups=xxx(group 1),xxx(group 2),xxx(group 3), xxx(group 4), xxx(group 5), xxx(group 5), xxx(group 6), etc

This may be related to the same SSSD bug seen in this environment that was discussed last week (inconsistent SSSD behaviour).

I'm hoping that 1.13 resolves this issue when RHEL 6.8 is released.

My SSSD config is below and the entries applied as fixes for the previous issue are bolded:

[sssd]
config_file_version = 2
debug_level = 1
domains = <domain>
services = nss, pam, ssh, pac, sudo
default_domain_suffix = <domain>

[domain/<domain>]
debug_level = 1
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ldap_schema = ad
ad_enable_gc = false
# Permits offline logins:
cache_credentials = true
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
#Use FQDN for logins - when multiple domains share same username
use_fully_qualified_domain_names = true
#Don't attempt to auto update DNS records
dyndns_update = false

[ssh]
debug_level = 1

[nss]
debug_level = 1
filter_users = root,oracle,grid,mfe,postfix
filter_groups = root

[pam]
debug_level = 1

[sudo]
debug_level = 1

[pac]
debug_level = 1
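
A check for the symptom described in the message above, as an added example that is not part of the original post: it records each user's numeric group IDs with `id -G` before an update and reports any that no longer resolve afterwards. The script name, baseline directory and user names shown in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): snapshot group membership
# before patching, then flag users whose group list shrank afterwards.
# Usage (script name, directory and user are hypothetical):
#   sh sssd-groups.sh snapshot /root/gid-baseline user1@example.com
#   sh sssd-groups.sh check    /root/gid-baseline user1@example.com

# missing_gids BASELINE CURRENT
# Both arguments are space-separated numeric GID lists as printed by `id -G`.
# Prints every GID that is in BASELINE but not in CURRENT, one per line.
missing_gids() {
    for mg_gid in $1; do
        case " $2 " in
            *" $mg_gid "*) ;;                # still returned by the lookup
            *) printf '%s\n' "$mg_gid" ;;    # dropped from the lookup
        esac
    done
}

# snapshot_user DIR USER: store the current `id -G` output for USER.
# Fails without writing a file if the user cannot be resolved.
snapshot_user() {
    su_gids=$(id -G "$2") || return 1
    printf '%s\n' "$su_gids" > "$1/$2.gids"
}

# check_user DIR USER: 0 = nothing missing, 1 = GIDs missing, 2 = no baseline.
# A user that no longer resolves at all is reported with every GID missing.
check_user() {
    [ -r "$1/$2.gids" ] || { echo "$2: no baseline" >&2; return 2; }
    cu_lost=$(missing_gids "$(cat "$1/$2.gids")" "$(id -G "$2" 2>/dev/null)")
    [ -z "$cu_lost" ] && return 0
    echo "$2: GIDs missing since baseline:" $cu_lost
    return 1
}

# Dispatch; with no arguments the script only defines the functions.
mode=${1:-}; dir=${2:-}; rc=0
[ $# -ge 2 ] && shift 2
case "$mode" in
    snapshot) mkdir -p "$dir" || rc=1
              for u in "$@"; do snapshot_user "$dir" "$u" || rc=1; done ;;
    check)    for u in "$@"; do check_user "$dir" "$u" || rc=1; done ;;
esac
[ "$rc" -eq 0 ]   # exit status: non-zero if any user failed the check
```

Numeric GIDs are compared rather than the names in plain `id` output because AD group names can contain spaces.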