Returning to the configuration without "ldap_initgroups_use_matching_rule_in_chain = False" but with "ldap_purge_cache_timeout = 3" and "ldap_enumeration_refresh_timeout = 3", I captured sssd logs at debug_level 0x0ff0 and compared a sequence immediately after which "groups" reported only one group --- the "bad" sequence --- with a sequence immediately after which "groups" reported all groups --- the "good" one. Here is the diff between these two sequences of log entries.
In the "bad" case, sssd calls ldap_search_ext and receives no error code. In the "good" case it doesn't call ldap_search_ext but, I am wildly guessing, returns values from a cache which has been filled with the correct information by means of a periodic enumeration. I am wildly guessing further that the error condition reported by Samba 4 is getting lost on its way back to sssd, so sssd just thinks that foo is a member of no groups beyond foo's primary group.

--- bad1 2012-10-03 09:49:22.755381392 +0200 +++ good2 2012-10-03 09:56:59.587392279 +0200 @@ -6,15 +6,6 @@ [sysdb_search_user_by_uid] (0x0400): No such entry [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success -[be_get_account_info] (0x0100): Got request for [3][1][name=foo] -[sdap_get_initgr_next_base] (0x0400): Searching for users with base [dc=cmpny,dc=nl] -[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(msSFU30Name=foo)(objectclass=person))][dc=cmpny,dc=nl]. -[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set -[sdap_save_user] (0x0400): Storing info for user foo -[sdap_get_ad_match_rule_initgroups_next_base] (0x0400): Searching for groups with base [dc=cmpny,dc=nl] -[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(member:1.2.840.113556.1.4.1941:=CN=Foo Doo,OU=Organization,DC=cmpny,DC=nl)(objectClass=group))][dc=cmpny,dc=nl]. -[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set -[acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success [be_pam_handler] (0x0100): Got request with the following data [pam_print_data] (0x0100): command: PAM_ACCT_MGMT [pam_print_data] (0x0100): domain: SAMBA
@@ -28,7 +19,7 @@ [pam_print_data] (0x0100): newauthtok type: 0 [pam_print_data] (0x0100): newauthtok size: 0 [pam_print_data] (0x0100): priv: 1 -[pam_print_data] (0x0100): cli_pid: 6632 +[pam_print_data] (0x0100): cli_pid: 6681 [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success] [be_pam_handler_callback] (0x0400): SELinux provider doesn't exist, not sending the request to it. [be_pam_handler_callback] (0x0100): Sending result [0][SAMBA] @@ -46,7 +37,7 @@ [pam_print_data] (0x0100): newauthtok type: 0 [pam_print_data] (0x0100): newauthtok size: 0 [pam_print_data] (0x0100): priv: 1 -[pam_print_data] (0x0100): cli_pid: 6632 +[pam_print_data] (0x0100): cli_pid: 6681 [be_pam_handler] (0x0100): Sending result [0][SAMBA] [be_pam_handler] (0x0100): Got request with the following data [pam_print_data] (0x0100): command: PAM_CLOSE_SESSION @@ -61,6 +52,6 @@ [pam_print_data] (0x0100): newauthtok type: 0 [pam_print_data] (0x0100): newauthtok size: 0 [pam_print_data] (0x0100): priv: 1 -[pam_print_data] (0x0100): cli_pid: 6632 +[pam_print_data] (0x0100): cli_pid: 6681 [be_pam_handler] (0x0100): Sending result [0][SAMBA]

--
https://bugs.launchpad.net/bugs/1049186
Title: sssd sometimes forgets all but one group memberships of a user
ubuntu-bugs mailing list: https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
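Review bot: the first hunk (@@ -6,15 +6,6 @@) shows that the "good" capture never issued the initgroups request at all (the whole `-[be_get_account_info] (0x0100): Got request for [3][1][name=foo]` block is absent on the "+" side), so the diff contrasts a cache hit with an LDAP round trip rather than a working lookup with a failing one, and the lookup that did happen reports only `-[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set` for the `member:1.2.840.113556.1.4.1941:=` filter. At debug_level 0x0ff0 nothing in that line says how many group entries came back, and there is no counterpart to `-[sdap_save_user] (0x0400): Storing info for user foo` for groups before `Request processed. Returned 0,0,Success`, so the capture cannot tell "Samba returned zero groups" from "sssd dropped an error". Re-capturing at a higher debug level, or running the same chain filter with ldapsearch against the Samba 4 DC, would make the entry count of that search visible and settle which of the two it is.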
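Review bot: the three remaining hunks (@@ -28,7 +19,7 @@, @@ -46,7 +37,7 @@ and @@ -61,6 +52,6 @@) differ only in `-[pam_print_data] (0x0100): cli_pid: 6632` versus `+[pam_print_data] (0x0100): cli_pid: 6681`, i.e. the PID of the client process in each run, which is noise rather than a behavioural difference. Masking the PID before diffing (for example `sed 's/cli_pid: [0-9]*/cli_pid: N/'` on both captures) would leave the first hunk as the only difference and make the comparison easier to read.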
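A small parser for the sssd debug lines quoted in this report, added here as an example that is not part of the bug report or of sssd itself: it masks the per-run cli_pid so two captures diff cleanly, and flags any initgroups request whose matching-rule-in-chain group search returned Success(0) without a single group being stored before the request finished. The sample log, the helper names and the `sdap_save_group` function name are assumptions.

```python
import re

# Constructed sample, modelled on the debug_level 0x0ff0 lines in the bug report:
# one initgroups request for "foo" whose chain group search returned Success(0)
# but stored no group, plus a PAM line whose only variable field is cli_pid.
SAMPLE_LOG = """\
[be_get_account_info] (0x0100): Got request for [3][1][name=foo]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(msSFU30Name=foo)(objectclass=person))][dc=cmpny,dc=nl].
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
[sdap_save_user] (0x0400): Storing info for user foo
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(member:1.2.840.113556.1.4.1941:=CN=Foo Doo,OU=Organization,DC=cmpny,DC=nl)(objectClass=group))][dc=cmpny,dc=nl].
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
[acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
[pam_print_data] (0x0100): cli_pid: 6632
"""

LINE_RE = re.compile(r"^\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
REQ_RE = re.compile(r"Got request for \[3\]\[1\]\[name=(?P<user>[^\]]+)\]")
CHAIN_OID = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN, as in the report

def parse(text):
    """Split sssd debug lines into (function, level, message); other lines are dropped."""
    return [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]

def normalize(entries):
    """Mask per-client PIDs so two captures can be diffed on substance only."""
    return [(f, l, re.sub(r"cli_pid: \d+", "cli_pid: <PID>", m)) for f, l, m in entries]

def empty_initgroups(entries):
    """Users whose initgroups request ran the chain group search, got Success(0),
    yet stored no group before 'Request processed' (looks like 'no groups')."""
    suspects, user, in_chain, chain_ok, groups = [], None, False, False, 0
    for func, _level, msg in entries:
        req = REQ_RE.search(msg)
        if func == "be_get_account_info" and req:
            user, in_chain, chain_ok, groups = req.group("user"), False, False, 0
        elif user is None:
            continue
        elif func == "sdap_get_generic_ext_step":
            in_chain = CHAIN_OID in msg
        elif func == "sdap_get_generic_ext_done" and in_chain:
            chain_ok, in_chain = "Success(0)" in msg, False
        elif func == "sdap_save_group":  # assumed name of the 'Storing info for group' line
            groups += 1
        elif func == "acctinfo_callback":
            if chain_ok and groups == 0:
                suspects.append(user)
            user = None
    return suspects
```

Running `empty_initgroups(normalize(parse(SAMPLE_LOG)))` on the constructed sample returns `['foo']`; a capture like the "good" one, which never issues the request, returns an empty list.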
