On Wed, Feb 26, 2014 at 06:15:06PM +0100, Jakub Hrozek wrote:
> On Wed, Feb 26, 2014 at 06:02:46PM +0100, Sumit Bose wrote:
> > On Wed, Feb 26, 2014 at 05:55:10PM +0100, Jakub Hrozek wrote:
> > > On Wed, Feb 26, 2014 at 05:42:29PM +0100, Sumit Bose wrote:
> > > > On Wed, Feb 26, 2014 at 04:15:30PM +0100, Jakub Hrozek wrote:
> > > > > On Tue, Feb 25, 2014 at 08:53:45PM +0100, Jakub Hrozek wrote:
> > > > > > On Tue, Feb 25, 2014 at 08:39:26PM +0100, Jakub Hrozek wrote:
> > > > > > > On Tue, Feb 25, 2014 at 11:58:41AM -0500, Dmitri Pal wrote:
> > > > > > > > On 02/25/2014 11:11 AM, Jakub Hrozek wrote:
> > > > > > > > >Hi,
> > > > > > > > >
> > > > > > > > >the attached patch addresses #2252. I tried to make it clear that
> > > > > > > > >removing the cache should only be done while online, but I'm open to any
> > > > > > > > >further suggestions.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >_______________________________________________
> > > > > > > > >sssd-devel mailing list
> > > > > > > > >sssd-devel@lists.fedorahosted.org
> > > > > > > > >https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
> > > > > > > >
> > > > > > > > + Please note that changing the ID mapping related configuration
> > > > > > > > + options might cause --->the<---- user and group IDs to change. At the moment,
> > > > > > > > + SSSD does not support changing IDs, so the SSSD database must be
> > > > > > > > + removed. Because cached passwords are also stored in the database,
> > > > > > > > + removing the database should only be performed while the SSSD
> > > > > > > > + is online, otherwise users might get locked out.
> > > > > > > >
> > > > > > > > I do not think you need "the" in this case.
> > > > > > >
> > > > > > > Thank you, a new patch is attached.
> > > > > > > I'm constantly struggling with using
> > > > > > > articles as Czech has no such concept :)
> > > > > >
> > > > > > Sorry, I attached the original patch again by accident.
> > > > >
> > > > > During an IRC discussion, Stephen suggested using a bit stronger language
> > > > > (will instead of might) and stressing that changing IDs is not a
> > > > > good idea as file ownership needs to be fixed as well.
> > > > >
> > > > > A new patch is attached.
>
> > > > > From d27dcb79d19076580ee689d2cd42c0bb2f9fe905 Mon Sep 17 00:00:00 2001
> > > > > From: Jakub Hrozek <jhro...@redhat.com>
> > > > > Date: Tue, 25 Feb 2014 17:09:00 +0100
> > > > > Subject: [PATCH] MAN: Clarify that changing ID mapping options might require
> > > > >  purging the cache
> > > > >
> > > > > https://fedorahosted.org/sssd/ticket/2252
> > > > >
> > > > > Currently SSSD chokes when IDs of users change, we don't support ID
> > > > > changes yet. Because some users were confused about the failures, this
> > > > > patch adds additional clarification.
> > > > > ---
> > > > >  src/man/include/ldap_id_mapping.xml | 11 +++++++++++
> > > > >  1 file changed, 11 insertions(+)
> > > > >
> > > > > diff --git a/src/man/include/ldap_id_mapping.xml b/src/man/include/ldap_id_mapping.xml
> > > > > index 9dda399243bfd1725509c239d3358f2ef7501014..a10dcd52a1687c4d97211ebdabc77095bbfccf5a 100644
> > > > > --- a/src/man/include/ldap_id_mapping.xml
> > > > > +++ b/src/man/include/ldap_id_mapping.xml
> > > > > @@ -12,6 +12,17 @@
> > > > > need to use manually-assigned values, ALL values must be
> > > > > manually-assigned.
> > > > > </para>
> > > > > + <para>
> > > > > + Please note that changing the ID mapping related configuration
> > > > > + options will cause user and group IDs to change. At the moment,
> > > > > + SSSD does not support changing IDs, so the SSSD database must be
> > > > > + removed. Because cached passwords are also stored in the database,
> > > > > + removing the database should only be performed while the SSSD
> > > > > + is online, otherwise users might get locked out. Moreover, the
> > > >
> > > > 'while the SSSD is online', I think this is a bit misleading because I
> > > > would read this as 'SSSD has to be running' and I think this is not what
> > > > you meant. Maybe the steps should be given more explicitly.
> > >
> > > Right, I think this is because I'm too involved with the internals.
> > >
> > > > 1. make sure system is online and your servers are reachable
> > > > 2. stop sssd
> > > > 3. remove cache
> > > > 4. start sssd
> > > >
> > > Added.
> > >
> > > > Additionally it might be good to mention that using sss_cache to
> > > > invalidate the cache is not sufficient.
> > > >
> > > > bye,
> > > > Sumit
> > > >
> > > Thanks for the review, a new patch is attached.
>
> > > From 014ac08946fcf2ba02f6e538e19bf233c44e53dd Mon Sep 17 00:00:00 2001
> > > From: Jakub Hrozek <jhro...@redhat.com>
> > > Date: Tue, 25 Feb 2014 17:09:00 +0100
> > > Subject: [PATCH] MAN: Clarify that changing ID mapping options might require
> > >  purging the cache
> > >
> > > https://fedorahosted.org/sssd/ticket/2252
> > >
> > > Currently SSSD chokes when IDs of users change, we don't support ID
> > > changes yet. Because some users were confused about the failures, this
> > > patch adds additional clarification.
> > > ---
> > >  src/man/include/ldap_id_mapping.xml | 39 +++++++++++++++++++++++++++++++++++++
> > >  1 file changed, 39 insertions(+)
> > >
> > > diff --git a/src/man/include/ldap_id_mapping.xml b/src/man/include/ldap_id_mapping.xml
> > > index 9dda399243bfd1725509c239d3358f2ef7501014..f06b52616801ca523326246cbb4d5e8b9c4de0fb 100644
> > > --- a/src/man/include/ldap_id_mapping.xml
> > > +++ b/src/man/include/ldap_id_mapping.xml
> > > @@ -12,6 +12,45 @@
> > > need to use manually-assigned values, ALL values must be
> > > manually-assigned.
> > > </para>
> > > + <para>
> > > + Please note that changing the ID mapping related configuration
> > > + options will cause user and group IDs to change. At the moment,
> > > + SSSD does not support changing IDs, so the SSSD database must be
> > > + removed. Because cached passwords are also stored in the database,
> > > + removing the database should only be performed while the authentication
> > > + servers are reachable, otherwise users might get locked out. It is not
> > > + sufficient to use
> > > + <citerefentry>
> > > + <refentrytitle>sss_cache</refentrytitle>
> > > + <manvolnum>8</manvolnum>
> > > + </citerefentry>
> > > + to remove the database, rather the process
> > > + consists of:
> > > + <itemizedlist>
> > > + <listitem>
> > > + <para>
> > > + Making sure the remote servers are reachable
> > > + </para>
> > > + <para>
> > > + Stopping the SSSD service
> > > + </para>
> > > + </listitem>
> > > + <listitem>
> > > + <para>
> > > + Removing the database
> > > + </para>
> > > + </listitem>
> > > + <listitem>
> > > + <para>
> > > + Starting the SSSD service
> > > + </para>
> > > + </listitem>
> >
> > ah, sorry, I still have one comment, with respect to getting locked out.
> > If passwords are cached the user should authenticate once to get the
> > password cached, e.g. by calling 'su username' but not as root.
> >
> > bye,
> > Sumit
>
> OK, I added a sentence saying that authentication must be performed.
>
> A new patch is attached.
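Review bot: in the itemizedlist the first listitem holds two steps, "Making sure the remote servers are reachable" and "Stopping the SSSD service", as two para elements, while "Removing the database" and "Starting the SSSD service" each get their own listitem, so four steps render as three bullets; split the first listitem in two, and since the order of the steps matters an orderedlist fits better than itemizedlist. The paragraph also says "the SSSD database must be removed" and the list says "Removing the database" without naming which files that means, so a reader cannot carry out that step from the man page alone; name the files. Finally, the hunk itself states that cached passwords live in the database, so it should say that every user has to authenticate once after sssd is started again, while the servers are still reachable, or the "users might get locked out" warning is exactly what happens on their next offline login.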
ACK

bye,
Sumit
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
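The purge procedure the thread converges on (check that the servers are reachable, stop sssd, remove the database rather than just running sss_cache, start sssd, then have each user authenticate once so their password is cached again), written out as an added example. This is not code from the thread or from the SSSD project. It assumes, as the thread does not say, that the database is the set of *.ldb files under /var/lib/sss/db, that sssd is managed with systemctl, and that "reachable" can be checked with a plain TCP connect to the server's LDAP or Kerberos port; the demo() function exercises the flow without root against a constructed cache directory and a local socket standing in for the server.

```python
"""Purge the SSSD cache after an ID-mapping change.

Added example, not code from the sssd-devel thread or the SSSD project.
Steps, as agreed in the thread:
  1. make sure the authentication servers are reachable
  2. stop sssd
  3. remove the database (sss_cache only invalidates entries; not sufficient)
  4. start sssd
  5. have each user authenticate once so the password is cached again
Assumptions not stated in the thread: the database is the *.ldb files under
/var/lib/sss/db, sssd is a systemd unit, reachability is a TCP connect.
"""
import socket
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Iterable, List, Optional, Sequence, Tuple

DEFAULT_DB_DIR = Path("/var/lib/sss/db")  # assumed location of the SSSD database


def server_reachable(host: str, port: int, timeout: float = 5.0) -> bool:
    """TCP connect test; a refused or timed-out connection counts as unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def remove_database(db_dir: Path) -> List[str]:
    """Delete the *.ldb files that make up the cache and return their names.
    Only called once sssd is stopped, so no process still holds them open."""
    removed = []
    for path in sorted(db_dir.glob("*.ldb")):
        path.unlink()
        removed.append(path.name)
    return removed


def purge_sssd_cache(
    servers: Iterable[Tuple[str, int]],
    db_dir: Path = DEFAULT_DB_DIR,
    service_cmd: Sequence[str] = ("systemctl",),
    run: Callable = subprocess.run,
) -> List[str]:
    """Steps 1-4. Refuses to touch anything while a server is unreachable:
    the cached passwords go away with the database, so users could not log
    in again until the servers are back."""
    unreachable = [f"{h}:{p}" for h, p in servers if not server_reachable(h, p)]
    if unreachable:
        raise RuntimeError("refusing to purge, unreachable servers: " + ", ".join(unreachable))
    run([*service_cmd, "stop", "sssd"], check=True)
    removed = remove_database(db_dir)
    run([*service_cmd, "start", "sssd"], check=True)
    return removed


def demo(reachable: bool = True) -> Tuple[List[str], List[str], Optional[str]]:
    """Run the flow without root: a constructed cache directory, a local
    listening socket standing in for the server, and a recording stand-in
    for systemctl. Returns (removed files, service commands, error text)."""
    commands: List[str] = []

    def fake_run(cmd, check=False):
        commands.append(" ".join(cmd))
        return subprocess.CompletedProcess(cmd, 0)

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    host, port = listener.getsockname()
    if not reachable:
        listener.close()  # nothing listens on the port any more, connect is refused
    with tempfile.TemporaryDirectory() as tmp:
        db_dir = Path(tmp)
        for name in ("cache_example.com.ldb", "config.ldb", "sssd.ldb"):  # constructed sample files
            (db_dir / name).write_bytes(b"")
        try:
            removed = purge_sssd_cache([(host, port)], db_dir, run=fake_run)
            return removed, commands, None
        except RuntimeError as err:
            return [], commands, str(err)
        finally:
            listener.close()


if __name__ == "__main__":
    print(demo())
    print(demo(reachable=False))
    print("step 5: every user now logs in once while the servers are reachable, e.g. "
          "'su username' run as an unprivileged user (not root, which is not asked "
          "for a password), so the password is cached again")
```

The refusal branch is the part worth keeping in a real tool: once the *.ldb files are gone, offline authentication has nothing to fall back on, so the check for reachable servers has to happen before sssd is stopped, not after.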