after upgrading to bionic, my session forgets who I am frequently

Bug #1807246 reported by Luke Schierer on 2018-12-06
This bug affects 1 person
Affects: sssd (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

I configured sssd on an Ubuntu 16.04 LTS system, and it worked just fine. In fact, using the same sssd.conf file (which is managed by puppet) on an un-upgraded system continues to work fine.

However, after upgrading to 18.04.1 LTS, I find that the system is continuously forgetting who I am. After a few commands, or a few minutes (I'm not sure exactly how many, but around 3-5 minutes), if I try to run sudo or whoami, it says that I am an unknown user. For example,

```
whoami
whoami: cannot find name for user ID 2000: Unknown error 1432158300
```

If I run the id command on my username, it returns the correct results, and whoami/sudo/other restricted commands will work again for a short time before forgetting who I am again.

In the sssd_nss.log file, I see the lookup against the @local domain, but I do not see a related lookup in the ldap domain either in that log file or in the log file specific to the ldap domain.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: sssd 1.16.1-1ubuntu1
ProcVersionSignature: Ubuntu 4.15.0-42.45-generic 4.15.18
Uname: Linux 4.15.0-42-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.5
Architecture: amd64
Date: Thu Dec 6 12:30:43 2018
Ec2AMI: ami-ea677d80
Ec2AMIManifest: (unknown)
Ec2AvailabilityZone: us-east-1c
Ec2InstanceType: t2.small
Ec2Kernel: unavailable
Ec2Ramdisk: unavailable
SourcePackage: sssd
UpgradeStatus: Upgraded to bionic on 2018-10-04 (63 days ago)

Luke Schierer (luke-ubuntu) wrote :

Hi, the only thing that comes to my mind would be the default values of the enumeration cache timeouts. Those are in the 2-5 minute range.

Check [1] for enum_cache_timeout and related entries.
Maybe create a script that does "while true; sleep 10s; date; check UID; done"
Then you can check how long it takes to forget in your case.
Bump all kinds of these timeouts and repeat.
If it helps, take them back one by one until you have found which timeout it is in your case.
Then we would at least already know which sub-cache it is that forgets your user.

You could also play with the "enumerate" option in general.
What have you set atm, and how does it behave when you switch it to the other value?
Something like [3] could be related to that.

Also could you check your logs if it could be anything like [2] as it reads very similar.

I also asked a friend actually knowing sssd better than I do, maybe he has some hints later on.

[1]: http://manpages.ubuntu.com/manpages/bionic/man5/sssd.conf.5.html
[2]: https://www.linuxquestions.org/questions/linux-server-73/sssd-forgets-group-name-4175577727/
[3]: https://bugzilla.redhat.com/show_bug.cgi?id=1359208

Changed in sssd (Ubuntu):
status: New → Incomplete
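
The timing loop suggested in the comment above, as an added example that is not part of the bug report: a probe that records when a UID stops resolving through NSS, so each timeout change yields one comparable number. The function names are hypothetical; prime the cache first (the reporter used `id <user>`) and pass the numeric UID.

```bash
#!/bin/sh
# Added example (not from the bug report): time how long NSS keeps resolving a UID.

# Default lookup: getent passwd <uid> calls getpwuid(), the same NSS path
# (and therefore the same sssd cache) that whoami and sudo depend on.
lookup_uid() {
    getent passwd "$1" >/dev/null 2>&1
}

# time_to_forget UID [INTERVAL_SECONDS] [MAX_PROBES] [LOOKUP_FUNCTION]
# Probes until the first failed lookup. Timestamped results go to stderr so they
# can be lined up with sssd_nss.log; the one-line summary goes to stdout.
# Returns 0 if the UID stopped resolving, 1 if it survived MAX_PROBES probes.
time_to_forget() {
    ttf_uid=$1
    ttf_interval=${2:-10}
    ttf_max=${3:-360}
    ttf_lookup=${4:-lookup_uid}
    ttf_ok=0
    ttf_start=$(date +%s)
    while [ "$ttf_ok" -lt "$ttf_max" ]; do
        ttf_now=$(date '+%Y-%m-%d %H:%M:%S')
        if "$ttf_lookup" "$ttf_uid"; then
            echo "$ttf_now uid=$ttf_uid resolved" >&2
        else
            echo "$ttf_now uid=$ttf_uid UNKNOWN" >&2
            echo "forgot=yes probes_ok=$ttf_ok elapsed=$(( $(date +%s) - ttf_start ))s"
            return 0
        fi
        ttf_ok=$((ttf_ok + 1))
        sleep "$ttf_interval"
    done
    echo "forgot=no probes_ok=$ttf_ok elapsed=$(( $(date +%s) - ttf_start ))s"
    return 1
}

# Run only when arguments are given, e.g.:  sh probe.sh 2000 10
if [ "$#" -gt 0 ]; then
    time_to_forget "$@"
fi
```

Change one sssd.conf timeout per run and compare the `elapsed` values; the stderr timestamps show where to look in the sssd logs for the moment the lookup started failing.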
Luke Schierer (luke-ubuntu) wrote :

I have verified there is no overlap in UIDs, so I don't think the linuxquestions.org problem applies.

It apparently forgets a lot faster than I was realizing; I just don't use commands that matter fast enough to notice:

```
luke@schierer@talemludum001:~$ !id
id luke@schierer
uid=2000(luke@schierer) gid=100(users) groups=100(users),2(bin),200,3(sys),10(uucp),60(games),4(adm),50(staff),27(sudo),40(src),37(operator),6(disk),110(uuidd),1(daemon),102(systemd-network),24(cdrom),29(audio)
luke@schierer@talemludum001:~$ for i in `seq 1 1000`; do date; whoami; sleep 10s; done
Fri Dec 7 07:52:19 EST 2018
luke@schierer
Fri Dec 7 07:52:29 EST 2018
luke@schierer
Fri Dec 7 07:52:39 EST 2018
luke@schierer
Fri Dec 7 07:52:49 EST 2018
luke@schierer
Fri Dec 7 07:52:59 EST 2018
luke@schierer
Fri Dec 7 07:53:09 EST 2018
luke@schierer
Fri Dec 7 07:53:19 EST 2018
luke@schierer
Fri Dec 7 07:53:29 EST 2018
luke@schierer
Fri Dec 7 07:53:39 EST 2018
luke@schierer
Fri Dec 7 07:53:49 EST 2018
luke@schierer
Fri Dec 7 07:53:59 EST 2018
luke@schierer
Fri Dec 7 07:54:09 EST 2018
luke@schierer
Fri Dec 7 07:54:19 EST 2018
luke@schierer
Fri Dec 7 07:54:29 EST 2018
luke@schierer
Fri Dec 7 07:54:39 EST 2018
luke@schierer
Fri Dec 7 07:54:49 EST 2018
luke@schierer
Fri Dec 7 07:54:59 EST 2018
luke@schierer
Fri Dec 7 07:55:09 EST 2018
luke@schierer
Fri Dec 7 07:55:19 EST 2018
luke@schierer
Fri Dec 7 07:55:29 EST 2018
luke@schierer
Fri Dec 7 07:55:39 EST 2018
luke@schierer
Fri Dec 7 07:55:49 EST 2018
luke@schierer
Fri Dec 7 07:55:59 EST 2018
luke@schierer
Fri Dec 7 07:56:09 EST 2018
luke@schierer
Fri Dec 7 07:56:19 EST 2018
luke@schierer
Fri Dec 7 07:56:29 EST 2018
luke@schierer
Fri Dec 7 07:56:39 EST 2018
luke@schierer
Fri Dec 7 07:56:49 EST 2018
luke@schierer
Fri Dec 7 07:56:59 EST 2018
luke@schierer
Fri Dec 7 07:57:09 EST 2018
whoami: cannot find name for user ID 2000: Unknown error 1432158300
Fri Dec 7 07:57:19 EST 2018
whoami: cannot find name for user ID 2000: Unknown error 1432158300
^C
luke@schierer@talemludum001:~$
```

A redacted sssd.conf (for domain names and such):

```
luke@schierer@talemludum001:~$ sudo cat /etc/sssd/sssd.conf
# Managed by Puppet.

[sssd]
services = nss, pam, sudo
domains = local, bramlet, ciziunas, schierer

[nss]
debug_level = 6
enum_cache_timeout = 300

[domain/local]
id_provider = local
enumerate = true
max_id = 1000

[domain/bramlet]
id_provider = ldap
enumerate = true
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldap://censor001.<domain>
ldap_search_base = ou=bramlet,dc=....
ldap_tls_reqcert = allow
cache_credentials = true
use_fully_qualified_names = true

[domain/ciziunas]
id_provider = ldap
enumerate = true
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldap://censor001.<domain>
ldap_search_base = ou=ciziunas,....
ldap_tls_reqcert = allow
cache_credentials = true
use_fully_qualified_names = true

[domain/schierer]
debug_level = 6
id_provider = ldap
enumerate = true
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldap://censor001.<domain>
ldap_search_base = ou=schierer,dc=....
ldap_tls_reqcert = allow
cache_credentials = true
use_fully_qualified_names = true

luke@schierer@talemlud...
```

Luke Schierer (luke-ubuntu) wrote :

Actually, that is right on 300, isn't it? Anyway, as I said, while I will manipulate the cache values, it shouldn't be necessary. This is a regression.

Luke Schierer (luke-ubuntu) wrote :

I changed enum_cache_timeout to 600 and set entry_cache_timeout = 200 in the [domain/schierer] section of the above sssd.conf file. Despite that, it still starts stating I am unknown around 320 seconds (I have 316 seconds' worth of successful "whoami ; sleep 10s" loop iterations; I know it took a couple of seconds to type that loop up and hit enter from when I initially ran the id command).
