3

I've added a user to a group in LDAP. The user shows up in ldapsearch. However, the user does not show up when I list group members on my RHEL instance using getent group my_group.

Am I correct in assuming that this is because SSSD caches group membership?

When I try to purge the SSSD cache for the group, it doesn't do anything:

# sss_cache -d LDAP -g my_group
(Mon Dec 14 10:40:41:816191 2015) [sss_cache] [confdb_get_domain_internal] (0x0010): Unknown domain [LOCAL]
(Mon Dec 14 10:40:41:816364 2015) [sss_cache] [confdb_get_domains] (0x0010): Error (2 [No such file or directory]) retrieving domain [LOCAL], skipping!
# echo $?
0

Specifically, the user still doesn't show up in the getent group my_group listing.

Why is it looking for a "LOCAL" domain when I specified the "LDAP" domain in the command?

Here's the SSSD configuration

# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = LOCAL,LDAP
debug_level = 5

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[domain/LDAP]
cache_credentials = true

id_provider = ldap
auth_provider = ldap

ldap_uri = ldaps://my_hostname.my_domain.com
ldap_search_base = dc=my_domain,dc=com
ldap_id_use_start_tls = true
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

debug_level = 5

  1. Is this a bug in sss_cache?

  2. Should I just rm -f /var/lib/sss/db/cache_LDAP.ldb instead?

  3. At that point, should I just set cache_credentials = false in sssd.conf?

Leo
  • 983
  • 7
  • 21
  • 39
  • Tweaking `sssd.conf` for `entry_cache_timeout`, `enum_cache_timeout`, `cache_credentials`, `ldap_purge_cache_timeout`, and `ldap_enumeration_refresh_timeout` made the behaviour worse rather than better. However, since all I need is a list of users in a group, I just switched from `getent group my_group` to `ldapsearch -x -b "dc=my_domain,dc=com" "cn=my_group"` – Leo Dec 14 '15 at 21:28

2 Answers2

3

  1. I don't think it's a bug in sss_cache, your configuration references a domain called LOCAL, yet the domain is not defined. Just drop LOCAL from the domains line and try again..

  2. That is different. sss_cache works by setting the expiration timestamp to the past. This forces the lookup next time, but doesn't remove the entries completely, so they are still around for cases where the client would go offline

  3. That really depends on whether you want to allow your users to log in while the connection to the server is lost.

jhrozek
  • 1,370
  • 6
  • 5
1

sss_cache doesn't 'purge' the cache. It just marks the cache entries as invalid, which should trigger a refresh, at least if everything is working properly.

If you really want to purge the cache, you can delete everything in /var/lib/sss/db and restart sssd.

e.g.

# systemctl stop sssd
# cd /var/lib/sss/db
# rm *
# systemctl restart sssd
Ben Aveling
  • 125
  • 4