RHEL-56352: Disable shadow-utils/SSSD integration by default

    • Bug
    • Resolution: Done-Errata
    • Undefined
    • rhel-9.5.z
    • rhel-9.5
    • shadow-utils
    • None
    • shadow-utils-4.9-10.el9_5
    • No
    • Moderate
    • ZStream
    • rhel-sst-idm-sssd
    • ssg_idm
    • 3
    • False
    • None
    • Yes
    • None
    • Approved Blocker
    • Bug Fix
    • .Integration between `shadow-utils` and `sss_cache` for local user caching is disabled

      In RHEL 9, the SSSD implicit `files` provider domain, which retrieves user information from local files such as `/etc/shadow` and group information from `/etc/groups`, was disabled by default. However, the integration in `shadow-utils` was not fully disabled, which resulted in calls to `sss_cache` when adding or deleting local users. The unnecessary cache updates caused performance issues for some users. With this update, the `shadow-utils` integration with `sss_cache` is fully disabled, and the performance issues caused by unnecessary cache updates no longer occur.
    • Done
    • None

      Since SSSD doesn't enable 'files provider' by default on RHEL9, existing integration (user add/del calling 'sss_cache' for every local user operation) does more harm than good.

       

      The proposal is to have RHEL9 specific downstream patch to change

      https://github.com/shadow-maint/shadow/blob/5c0b99c77e3963cc3d4ee4980b0bb3c9955c032c/lib/sssd.c#L29

      to point to a not-existing-by-default script (for example: '/usr/sbin/sss_cache_shadow_utils' )

      This would make `sssd_flush_cache()` a no-op in default install.

      For a (very) unlikely case where user intentionally configures/enables SSSD 'files provider' and really needs this integration, they could create a link
      '/usr/sbin/sss_cache_shadow_utils' pointing to 'sss_cache' to get the functionality back. This should be documented in RNs.

              ipedrosa@redhat.com Iker Pedrosa
              atikhono@redhat.com Alexey Tikhonov
              Iker Pedrosa
              Anuj Borah
              Dominika Borges
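A host-audit check for the mechanism proposed above, added here as an example and not code from shadow-utils or Red Hat: it reports whether a filesystem root has the opt-in link in place, so an admin can tell if local user changes will trigger `sss_cache`. The hook path is the one the proposal gives "for example" and may differ from what shipped; the function names and state labels are assumptions.

```shell
#!/bin/sh
# Added example: classify the shadow-utils/sss_cache integration state.
# HOOK is the example path from the proposal; the shipped path is an assumption.
HOOK=usr/sbin/sss_cache_shadow_utils

# integration_state ROOT -> prints disabled | dangling | enabled | unusable
# ROOT is the filesystem root to inspect: "/" for the live system,
# or a mounted image / test fixture directory.
integration_state() {
    hook="${1%/}/$HOOK"
    if [ ! -e "$hook" ] && [ ! -L "$hook" ]; then
        echo disabled      # nothing at the path: the default-install case
    elif [ ! -e "$hook" ]; then
        echo dangling      # symlink exists but its target is missing
    elif [ -x "$hook" ] && [ ! -d "$hook" ]; then
        echo enabled       # opt-in link (or file) is present and executable
    else
        echo unusable      # present but not an executable file
    fi
}

# Constructed fixture: a throwaway root holding a fake sss_cache binary.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/sbin"
    printf '#!/bin/sh\nexit 0\n' > "$root/usr/sbin/sss_cache"
    chmod 755 "$root/usr/sbin/sss_cache"
    echo "default install  : $(integration_state "$root")"
    # The opt-in step described in the issue: link the hook to sss_cache.
    ln -s sss_cache "$root/$HOOK"
    echo "after opt-in link: $(integration_state "$root")"
    rm -rf "$root"
}

demo
```

Calling `integration_state /` inspects the running system instead of the fixture.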