Introducing valid usernames with trailing newline characters triggers the removal of valid LDB cache entries
Reproducer:
1. Request a valid user and confirm it's cached:
ubuntu@ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1'
ad1:*:1500:1500:ad1:/home/ad:/bin/bash
ubuntu@ubuntu:~⟫ sudo ldbsearch -H /var/lib/sss/db/cache_UBUNTU.TEST.ldb -b name=ad1,cn=users,cn=UBUNTU.TEST,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 1 entries
2. Request an invalid username (the name is followed by a literal newline before the closing quote):
ubuntu@ubuntu:~⟫ sudo sss_cache -E; getent passwd 'ad1
'
3. Confirm the cache entry has disappeared:
ubuntu@ubuntu:~⟫ sudo ldbsearch -H /var/lib/sss/db/cache_UBUNTU.TEST.ldb -b name=ad1,cn=users,cn=UBUNTU.TEST,cn=sysdb | grep entries
asq: Unable to register control with rootdse!
# 0 entries
This is an excerpt from the logs of the request with the newline char:
(Tue Feb 28 16:07:40 2017) [sssd[be[UBUNTU.TEST]]] [be_get_account_info] (0x0200): Got request for [0x1001][FAST BE_REQ_USER][1][name=ad1
]
(Tue Feb 28 16:08:33 2017) [sssd[be[UBUNTU.TEST]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=ad1
)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][CN=Users,DC=ubuntu,DC=test].
(Tue Feb 28 16:08:33 2017) [sssd[be[UBUNTU.TEST]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
(Tue Feb 28 16:08:33 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/UBUNTU.TEST/ad1
] to negative cache
(Tue Feb 28 16:08:33 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
At this point, the ldb entry removal request for ad1 (without \n) takes place via sysdb_delete_user.
Adding '\n' to the character list in sss_filter_sanitize_ex() seems to fix this issue.
Upstream bug: https://pagure.io/SSSD/sssd/issue/3317
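To make the proposed fix concrete, here is an added, constructed C illustration of the escaping step the report points at. It is not SSSD's code and not part of the bug report: filter_sanitize is a hypothetical stand-in for sss_filter_sanitize_ex() that escapes the RFC 4515 filter metacharacters and any caller-supplied extra bytes as \XX hex sequences; build_user_filter, has_raw_control_char and sanitizes_to are likewise hypothetical helpers, and the sample names are constructed from the report. Passing "\n\r" as the extra set models what adding '\n' to the character list does: the name with a trailing newline no longer reaches the LDAP filter as a raw control byte, and it no longer sanitizes to the same string as the plain "ad1".

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for sss_filter_sanitize_ex(); not SSSD's code.
 * Escapes the RFC 4515 filter metacharacters ( ) * \ as \XX hex sequences,
 * plus any bytes listed in 'extra' (the report's fix amounts to adding '\n'
 * to that list). Returns a malloc'ed string the caller frees, NULL on OOM. */
char *filter_sanitize(const char *input, const char *extra)
{
    const char *always = "()*\\";
    size_t len = strlen(input);
    char *out = malloc(len * 3 + 1);        /* worst case: every byte -> \XX */
    if (out == NULL) {
        return NULL;
    }
    char *p = out;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)input[i];
        bool escape = strchr(always, c) != NULL ||
                      (extra != NULL && strchr(extra, c) != NULL);
        if (escape) {
            p += sprintf(p, "\\%02x", c);
        } else {
            *p++ = (char)c;
        }
    }
    *p = '\0';
    return out;
}

/* Build a user lookup filter shaped like the one in the log excerpt, with
 * the (sanitized) name substituted in. Caller frees. */
char *build_user_filter(const char *sanitized_name)
{
    const char *fmt = "(&(sAMAccountName=%s)(objectclass=user))";
    size_t n = strlen(fmt) + strlen(sanitized_name) + 1;
    char *filter = malloc(n);
    if (filter == NULL) {
        return NULL;
    }
    snprintf(filter, n, fmt, sanitized_name);
    return filter;
}

/* True if the string still carries a raw control byte (0x00-0x1f, 0x7f):
 * a filter like that is what the report's log shows being sent to AD. */
bool has_raw_control_char(const char *s)
{
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x20 || c == 0x7f) {
            return true;
        }
    }
    return false;
}

/* Helper for checks: sanitize 'input' with 'extra' and compare to 'expected'. */
bool sanitizes_to(const char *input, const char *extra, const char *expected)
{
    char *out = filter_sanitize(input, extra);
    bool same = out != NULL && strcmp(out, expected) == 0;
    free(out);
    return same;
}

int main(void)
{
    /* Constructed inputs: the report's user name with and without the trailing newline. */
    const char *names[] = { "ad1", "ad1\n" };
    for (size_t i = 0; i < 2; i++) {
        char *before = filter_sanitize(names[i], NULL);     /* old escape list */
        char *after  = filter_sanitize(names[i], "\n\r");   /* with '\n' added */
        char *f_before = build_user_filter(before);
        char *f_after  = build_user_filter(after);
        printf("name %zu: old filter carries a raw control byte: %s\n", i,
               has_raw_control_char(f_before) ? "yes" : "no");
        printf("         new filter: %s\n", f_after);
        free(before);
        free(after);
        free(f_before);
        free(f_after);
    }
    return 0;
}
```

With the old list, "ad1\n" passes through untouched and the resulting filter contains a bare newline, which is the shape of the ldap_search_ext call in the log; with '\n' in the list it becomes "ad1\0a", a distinct and well-formed filter value. Escaping is the minimal fix; a caller may additionally choose to reject names containing control bytes outright before any lookup is attempted.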