CacheEntryExpire setting ignored & default value of 4 hours is too low

Bug #572271 reported by Alexander Brinkman on 2010-04-30
This bug affects 25 people
Affects | Status | Importance | Assigned to | Milestone
likewise-open (Ubuntu) | | Undecided | Gerald Carter |
Lucid | | Undecided | Unassigned |

Bug Description

Binary package hint: likewise-open

likewise-open 5.4.0.42111-2ubuntu1 on 10.04 64 bit

The CacheEntryExpire setting seems to be ignored. I changed the setting to: "CacheEntryExpiry"=dword:0013C680 then imported the registry file and issued a lw-refresh-configuration. Cleared the cache, rebooted the machine and logged in with a domain user. This worked as expected.

Next I took the machine down, removed it from the network and booted. I was able to log in using cached credentials. However, 4 hours later I ran into problems. getent returned no information and logging on with the user was not allowed anymore (user not found). Since 4h (dword:00003840) is the default value, it would seem that my updated entry was not picked up by lsassd.

IMPACT
======
Having a short 4h expiration period prevents laptops from being used for any length of time outside the corporate network, including even overnight. Not being able to effectively change this setting prevents the software from being deployed in enterprise environments.

TEST CASE
=========

1. Install likewise-open

2. using lwregshell, check registry value for CacheEntryExpiry:

[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]
"AssumeDefaultDomain"=dword:00000000
"CacheEntryExpiry"=dword:00003840


Sorry, small typo: CacheEntryExpire should of course be CacheEntryExpiry

Pasi Sjöholm (pasi-sjoholm) wrote :

Also the default value of password cache expiring in 4 hours is too low!

It should be more like 3 months or something, as it might be that the user has a laptop which is not going to be connected to AD for a few months. But for now it's nice to see that I'm not able to log in to my laptop anymore after leaving work today, as the damn 4 hours have passed.

And getting VPN working requires me to login to my account... :(

summary: - CacheEntryExpire setting ignored
+ CacheEntryExpire setting ignored & default value of 4 hours is too low
description: updated
Clayton Kramer (clayton-kramer) wrote :

This is a show stopper and will prevent deployment of Lucid laptops at our organization. I recommend increasing the default cache expiration as suggested by Pasi. Four hours is way too short and doesn't work for enterprise.

Changed in likewise-open (Ubuntu):
status: New → In Progress
assignee: nobody → Gerald Carter (coffeedude.jerry)

I have now been able to confirm the issue on 2 different machines. Both having the same problems. 4 hours after caching problems arise. Logons are no longer possible, getent stops returning information about the AD users, etc. Strange thing is though that lw-ad-cache --enum-users still provides information about the users...

Clayton Kramer (clayton-kramer) wrote :

I was looking around in the /var/lib/likewise-open/db/registry.db file and see what appear to be null entries in the regvalues1 table. Is this correct? I'm wondering if there is a problem with the values getting stored for CacheEntryExpiry and the lsassd service is just running on magic number defaults.

sqlite> select * from regvalues1 where valuename like '%cache%';
LastUpdated|ParentId|ValueName|Type|Value
1273020388|12|CacheEntryExpiry|4|
1273020388|12|CachePurgeTimeout|4|
1273020388|12|NssGroupMembersQueryCacheOnly|4|
1273020388|12|NssUserMembershipQueryCacheOnly|4|
1273020388|12|DomainManagerUnknownDomainCacheTimeout|4|
1273020388|12|CacheType|1|s
1273020388|12|MemoryCacheSizeCap|4|
1273020389|35|NegativeCacheTimeout|4|<

Clayton Kramer (clayton-kramer) wrote :

Some more testing but no success.

I stopped the lsassd service, made a backup of the registry.db file and then tried manually inserting 2592000 (30 days) into the CacheEntryExpiry value.

Restarted the service and ran lw-eventlog-cli -s - localhost to see if there was any change. There wasn't.

Event Description....... Likewise authentication service provider configuration settings have been reloaded.

     Authentication provider: lsa-activedirectory-provider
     Current settings are...
     Cache reaper timeout (secs): 2592000
     Cache entry expiry (secs): 14400
     Space replacement character: '^'
     Domain separator character: '\'
     Enable event log: false
     Logon membership requirements:
        <No login restrictions specified>
     Log network connection events: true
     Create K5Login file: true
     Create home directory: true
     Sign and seal LDAP traffic: false
     Assume default domain: true
     Sync system time: true
     Refresh user credentials: true
     Machine password sync lifetime: 2592000
     Default Shell: /bin/bash
     Default home directory prefix: /home
     Home directory template: %H/%D/%U
     Umask: 18
     Skeleton directory: /etc/skel
     Cell support: Unprovisioned
     Trim user membership: true
     NSS group members from cache only: false
     NSS user members from cache only: false
     NSS enumeration enabled: false
     Domain Manager check domain online (secs): 300
     Domain Manager unknown domain cache timeout (secs): 3600

Then I ran sudo lw-edit-reg and saw the value had changed: "CacheEntryExpiry"=dword:32393532

lw-refresh-configuration
Configuration successfully loaded from disk.

lw-eventlog-cli -s - localhost

========================================
Event Record: (94/97) (94 total)
========================================
Event Record ID......... 94
Event Table Category.... System
Event Type.............. Information
Event Date.............. 2010-05-04
Event Time.............. 09:42:58 PM
Event Source............ Likewise LSASS
Event Category.......... Service
Event Source ID......... 1004
Event User.............. SYSTEM
Event Computer.......... sps31-728-ckr1
Event Description....... Likewise authentication service provider configuration settings have been reloaded.

     Authentication provider: lsa-activedirectory-provider
     Current settings are...
     Cache reaper timeout (secs): 2592000
     Cache entry expiry (secs): 14400
     Space replacement character: '^'
     Domain separator character: '\'
     Enable event log: false
     Logon membership requirements:
        <No login restrictions specified>
     Log network connection events: true
     Create K5Login file: true
     Create home directory: true
     Sign and seal LDAP traffic: false
     Assume default domain: true
     Sync system time: ...


Shane Blackett (shane-blackett) wrote :

I notice the comments in the old 5.3 versions say that the maximum for cache-entry-expiry is 1d.
I also agree that this is too short.

excerpts from a 5.3 installation /etc/likewise/lsassd.conf:

[auth provider:lsa-activedirectory-provider]

    path = /opt/likewise/lib/liblsass_auth_provider_ad.so

    # Prefix path for user's home directory
    # Note:
    # a) This is used in place of %H in the
    # homedir-template setting
    # b) Must be an absolute path
    #
    # Default: Linux: /home
    # Default: MacOS: /Users
    # Default: SunOS: /export/home
    #
    # homedir-prefix = <absolute path>

    homedir-template = %H/local/%D/%U

    # Cache entry expiration timespan
    # Default: 4h
    # Minimum: 0
    # Maximum: 1d
    cache-entry-expiry = 4h

Shane Blackett (shane-blackett) wrote :

I can confirm I am able to set the registry value in likewise-open 5.4 to 86400s (hex 15180 in lw-edit-reg), which is 1 day.
If I try anything greater than 15180 (say 15190), then when I reload the configuration it shows 14400s = 4 hours as above.

So it would help if the comment documentation from the old conf file was available in the registry version somehow.

Plus I also agree that this maximum (1 day) is probably too short as I often have my laptop disconnected from the server for longer periods than this and I resort to using a different account.

John Mattox (john-mattox) wrote :

FYI, if you are changing the CacheEntryExpiry in Likewise Open 5.x you need to note that the value fields are in hexadecimal. So if you want to change it from 4 hours to, say, 7 days, one would need to change it from 00003840 to 00093A80 (equals 604800 seconds, or one week, in decimal form).

-matt0x
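As an added example (not code from this thread, from Likewise or from Ubuntu), here is the seconds-to-dword conversion John describes above, together with a check that compares the registry value against the "Cache entry expiry (secs)" line lsassd reports in lw-eventlog-cli output after a reload. The 86400 s ceiling and the fallback to the 14400 s default model what Shane observed on 5.4 builds and are labelled as assumptions; the sample registry line and log excerpt are constructed from values posted in the thread.

```python
import re

DEFAULT_EXPIRY_SECS = 0x3840   # 14400 s = 4 h, the shipped default
MAX_EXPIRY_SECS_5_4 = 86400    # assumption: 1 day ceiling reported for 5.4 builds


def to_reg_dword(seconds):
    """Render a seconds value in the registry's 'dword:XXXXXXXX' hex notation."""
    if not 0 <= seconds <= 0xFFFFFFFF:
        raise ValueError("value does not fit in a dword")
    return "dword:%08x" % seconds


def from_reg_dword(text):
    """Parse 'dword:XXXXXXXX' back to an int; anything else is rejected."""
    m = re.fullmatch(r"dword:([0-9A-Fa-f]{1,8})", text.strip())
    if not m:
        raise ValueError("not a dword value: %r" % text)
    return int(m.group(1), 16)


def effective_expiry(seconds, max_secs=MAX_EXPIRY_SECS_5_4):
    """Model of the reported behaviour: a value above the compiled-in maximum
    is silently replaced by the 4 h default instead of being clamped."""
    return seconds if seconds <= max_secs else DEFAULT_EXPIRY_SECS


def eventlog_expiry(eventlog_text):
    """Pull the running value out of lw-eventlog-cli output (last reload wins)."""
    hits = re.findall(r"Cache entry expiry \(secs\):\s*(\d+)", eventlog_text)
    return int(hits[-1]) if hits else None


def check_applied(reg_line, eventlog_text):
    """Compare what the registry says with what lsassd actually loaded, so a
    silently ignored value is caught before the laptop leaves the network."""
    wanted = from_reg_dword(reg_line.split("=", 1)[1])
    running = eventlog_expiry(eventlog_text)
    return {"wanted": wanted, "running": running, "applied": wanted == running}


# Constructed sample: the 90-day registry value from the thread next to the
# reload event it produced on a build that still enforced the 1 day maximum.
SAMPLE_REG = '"CacheEntryExpiry"=dword:0076a700'
SAMPLE_LOG = """Event Description....... Likewise authentication service provider configuration settings have been reloaded.
     Cache reaper timeout (secs): 2592000
     Cache entry expiry (secs): 14400
"""
```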

I'm now testing with Carter's PPA builds. I've set my cache entry expiry to 90 days. That should be long enough for any of our laptops or less used workstations.

$ aptitude show likewise-open
Package: likewise-open
New: yes
State: installed
Automatically installed: no
Version: 5.4.0.42111-3~ppa5~lucid

$ sudo lw-edit-reg
...
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]

"AssumeDefaultDomain"=dword:00000001

"CacheEntryExpiry"=dword:0076a700

"CachePurgeTimeout"=dword:0076a700
...

$ sudo lw-eventlog-cli -s - localhost
...
Event Description....... Likewise authentication service provider configuration settings have been reloaded.

     Authentication provider: lsa-activedirectory-provider
     Current settings are...
     Cache reaper timeout (secs): 2592000
     Cache entry expiry (secs): 14400
...

Andre Jochems (andre-jochems) wrote :

Hi,
I installed the last build (5.4.0.42111-3~ppa5~lucid) and tried to change the "CacheEntryExpiry" to a value larger than 1 day, but it gets ignored. Since I now need to be connected to a VPN to be able to log in, it gets very difficult because I need to be logged in to connect to the VPN.

Kind of urgently waiting for a solution to this problem .... :)

Hi Gerald,

Any update on the progress being made on this bug? We can't upgrade our laptop users to Lucid until this enterprise show-stopper gets fixed.

Thanks for your time and effort. It is appreciated.

John Mattox (john-mattox) wrote :

It would be nice if the documentation on the website specified that the values are not only in hex but also that anything over 24 hours is ignored. That would have saved me a lot of time and effort. What would be even nicer is if the developers fixed this to allow caching greater than a 24 hr period. This is such an awesome package; however, this issue has remained for at least a month now.

Apologies. I'll have a fix in place for testing from the PPA sometime next week.

John Mattox (john-mattox) wrote :

That is good news Gerald. Thanks for your diligence in getting this resolved. This is some very nice and useful software. Thanks for the communication. -Mattox

Marc Gariépy (mgariepy) wrote :

Just uploaded a new build to my PPA, changing AD_CACHE_ENTRY_EXPIRY_MAXIMUM_SECS to 365 days instead of only one.

Now it lets me set the value up to 365 days.
* see debian/patches/correcting-maximum-cache.diff

https://launchpad.net/~mgariepy/+archive/ppa

Paul Webster (pwebster) wrote :

Thanks Marc-
That is good news. If I have the likewise-open ppa installed already will it mess things up to add your ppa to my sources list? I already have
http://ppa.launchpad.net/likewise-open/ppa/ubuntu lucid main

Thanks for your work on this. It makes a difference.

Marc Gariépy (mgariepy) wrote :

Hi Paul,

I don't think I will have to push another version, but I cannot be sure.
And I don't know what package I might add to my PPA either.
You probably should create a PPA for your account, copy the package and use it.

Hopefully Gerald Carter will review my patch and upload it in likewise-open ppa.

Thanks.

Paul Webster (pwebster) wrote :

Marc-
I don't know anything about making my own PPA. Sounds like some reading I could do this weekend. So, if I made my own PPA and copied the package from your PPA to my own, would I then unsubscribe from the likewise-open PPA and subscribe to my own, or would I stay subscribed to both?

Thanks for your help. I appreciate the work that guys like you and Gerald put into this. It makes life workable for peons like me.

pw

Gerald, any update on the PPA release with the fix?

Thanks.

Thank you Marc for posting your PPA. I restarted the lsassd service after upgrading to the ppa6 version and now the "Cache entry expiry" shows the hex changes I've made using lw-edit-reg.

-- Before --
Event Record ID......... 155
Event Table Category.... System
Event Type.............. Information
Event Date.............. 2010-06-08
Event Time.............. 09:46:22 AM
Event Source............ Likewise LSASS
Event Category.......... Service
Event Source ID......... 1004
Event User.............. SYSTEM
Event Computer.......... sps31-728-ckr1
Event Description....... Likewise authentication service provider configuration settings have been reloaded.

     Authentication provider: lsa-activedirectory-provider
     Current settings are...
     Cache reaper timeout (secs): 2592000
     Cache entry expiry (secs): 14400

-- After --
Event Record ID......... 162
Event Table Category.... System
Event Type.............. Information
Event Date.............. 2010-06-08
Event Time.............. 10:45:44 AM
Event Source............ Likewise LSASS
Event Category.......... Service
Event Source ID......... 1004
Event User.............. SYSTEM
Event Computer.......... sps31-728-ckr1
Event Description....... Likewise authentication service provider configuration settings have been reloaded.

     Authentication provider: lsa-activedirectory-provider
     Current settings are...
     Cache reaper timeout (secs): 2592000
     Cache entry expiry (secs): 2592000

I really hope this bug fix can receive some priority escalation for release to Lucid production updates. LW is very cool software and provides a real opportunity to get more business users on Ubuntu. Not being able to take a Likewise-open enabled Ubuntu LTS laptop off the Active Directory network for more than a few hours is a basic failure for enterprise users.

Gerald, Marc, please let me know if there is any additional testing I can do to help move things along.

All,

Looks like the fix is in testing. I received a reply on the Likewise Open forum covering the same bug.

http://www.likewise.com/community/index.php/forums/viewthread/697/

Have a fix in the likewise-open-dev PPA (5.4.0.42111-3~ppa6~lucid)

Changed in likewise-open (Ubuntu):
status: In Progress → Fix Committed
Pasi Sjöholm (pasi-sjoholm) wrote :

As the fix works ok, any estimate when we will see this update on lucid-updates?

Any update on Pasi's question about release to lucid-updates?

description: updated
Jonathan Carter (jonathan) wrote :

This seems to have regressed, it's still a problem in likewise-open in Natty.

Scott Salley (ssalley) wrote :

I'll look into this -- we call it the 'laptop scenario'. We did test it at various points in the development cycle, but perhaps something broke it.

But the CacheEntryExpire setting should not determine whether you can log in when offline. It is to determine whether we try to update values from AD. Many APIs request information about a user -- just doing an 'ls' will cause user lookups. If we did a network traversal each time you would suffer horrendous performance. So we cache the values and update them every so often. I think newer releases may have lowered the expiry to a handful of minutes.

If you are offline, then expired cache entries are just supposed to be used since there is nothing better.

Scott Salley (ssalley) wrote :

About 24 hours ago, I installed likewise-open on Natty, joined a domain, logged in as a domain user through ssh, logged out, and then disconnected the network cable.

A few minutes ago, I successfully logged into the box as the same domain user.

The 'laptop' scenario does not seem to have regressed in Natty.

tags: added: testcase
Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in likewise-open (Ubuntu Lucid):
status: New → Won't Fix