diff --git a/0021-NSS-Adjust-netgroup-setnetgrent-cache-lifetime-if-mi.patch b/0021-NSS-Adjust-netgroup-setnetgrent-cache-lifetime-if-mi.patch
new file mode 100644
index 0000000..d24d232
--- /dev/null
+++ b/0021-NSS-Adjust-netgroup-setnetgrent-cache-lifetime-if-mi.patch
@@ -0,0 +1,56 @@
+From d0801ecbac1300978fc864ae394e6ff43dda2781 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Mon, 5 Mar 2018 21:00:30 +0100
+Subject: [PATCH] NSS: Adjust netgroup setnetgrent cache lifetime if midpoint
+ refresh is used
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is a minor regression compared to the state of the code before we
+converted the responders to cache_req. The NSS responder keeps a has
+table of netgroup objects in memory for either the lifetime of the
+netgroup, or, in case midpoint refresh is used, up to the midpoint
+refresh time. The case with the midpoint refresh was removed in the
+cache_req enabled code, which means that even if the netgroup was
+updated in the cache with the background refresh task, the object was
+never read from cache, but always still returned from the in-memory
+enumeration hash.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3550
+
+Reviewed-by: Pavel Březina
+Reviewed-by: Fabiano Fidêncio
+(cherry picked from commit f22528922c065f37ca928f95fd86ed2ea79e0d51)
+---
+ src/responder/nss/nss_enum.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/src/responder/nss/nss_enum.c b/src/responder/nss/nss_enum.c
+index da844fbce..031db9f2e 100644
+--- a/src/responder/nss/nss_enum.c
++++ b/src/responder/nss/nss_enum.c
+@@ -280,7 +280,18 @@ nss_setnetgrent_set_timeout(struct tevent_context *ev,
+ struct timeval tv;
+ uint32_t timeout;
+
+- timeout = enum_ctx->result[0]->domain->netgroup_timeout;
++ if (nss_ctx->cache_refresh_percent) {
++ timeout = enum_ctx->result[0]->domain->netgroup_timeout *
++ (nss_ctx->cache_refresh_percent / 100.0);
++ } else {
++ timeout = enum_ctx->result[0]->domain->netgroup_timeout;
++ }
++
++ /* In order to not trash the cache between setnetgrent()/getnetgrent()
++ * calls with too low timeout values, we only allow 10 seconds as
++ * the minimal timeout
++ */
++ if (timeout < 10) timeout = 10;
+
+ tv = tevent_timeval_current_ofs(timeout, 0); + te = tevent_add_timer(ev, enum_ctx, tv, nss_setnetgrent_timeout, enum_ctx); +-- +2.14.3 + diff --git a/sssd.spec b/sssd.spec index 0b7a6cc..7719d31 100644 --- a/sssd.spec +++ b/sssd.spec @@ -62,6 +62,7 @@ Patch0017: 0017-sudo-ldap-do-not-store-rules-without-sudoHost-attrib.patch Patch0018: 0018-sysdb-custom-completely-replace-old-object-instead-o.patch Patch0019: 0019-SERVER-Tone-down-shutdown-messages-for-socket-activa.patch Patch0020: 0020-IPA-Qualify-the-externalUser-sudo-attribute.patch +Patch0021: 0021-NSS-Adjust-netgroup-setnetgrent-cache-lifetime-if-mi.patch Patch0502: 0502-SYSTEMD-Use-capabilities.patch Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch @@ -1269,6 +1270,8 @@ fi - Resolves: upstream#3558 - sudo: report error when two rules share cn - Tone down shutdown messages for socket activated responders - IPA: Qualify the externalUser sudo attribute +- Resolves: upstream#3550 - refresh_expired_interval does not work with + netgrous in 1.15 * Fri Mar 30 2018 Fabiano Fidêncio - 1.16.1-2 - Resolves: upstream#3573 - sssd won't show netgroups with blank domain
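Review bot: In the midpoint-refresh branch the `double` product `netgroup_timeout * (cache_refresh_percent / 100.0)` is assigned to the `uint32_t timeout` declared just above with no explicit conversion, so the fraction is silently truncated and `-Wconversion` will warn; make the intent explicit with `timeout = (uint32_t)(enum_ctx->result[0]->domain->netgroup_timeout * (nss_ctx->cache_refresh_percent / 100.0));`. This value is how long a netgroup enumeration keeps being answered from the in-memory table instead of the refreshed cache, and netgroups feed access decisions, yet nothing in the hunk bounds `cache_refresh_percent`, so the comment should record that the percentage is presumably validated to at most 99 where the option is parsed (not visible here) and that the 10-second floor is otherwise the only guard. The clamp `if (timeout < 10) timeout = 10;` is a braceless one-liner around a bare magic number while every other body in the hunk is braced; a named constant such as `#define NSS_SETNETGRENT_MIN_TIMEOUT 10` with a braced `if` would match the surrounding style. The comment also means "thrash the cache", not "trash". `nss_setnetgrent_set_timeout` begins before the hunk and the origin of `nss_ctx` is not visible.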