When sssd is online, we communicate with AD to determine the applicable GPOs, and we store the applicable gpo-guids in the sysdb cache. Later, if a GPO that was once applicable is no longer applicable, we simply retrieve a smaller set of applicable GPOs from AD. However, the problem is that we don't currently delete gpo-guids that are no longer applicable from the sysdb cache.
The result of this defect is that the gpo-guids in the sysdb cache may not correctly reflect the applicable GPOs in AD. Since we rely exclusively on the sysdb cache when we are offline, we will pick up all gpo-guids that had ever been applicable (even though some of them may have since been deleted on AD). Clearly, this is incorrect behavior.
This problem is referred to as "tattooing", and it plagued Microsoft in early implementations. If we were to mimic the solution Microsoft currently uses, we would delete all previously-stored gpo-guids from the cache, before storing fresh gpo-guids in the cache (when we are online, of course). When storing the fresh gpo-guids, we would also store fresh gpo-versions and fresh policy_file_timeouts.
Rather than deleting all previously-stored gpo-guids from the cache, we should simply delete "stale" cache entries (i.e. those cache entries that have a gpo-guid that doesn't match any of the currently applicable gpo-guids).
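The stale-entry purge proposed above, next to the current no-delete behaviour, as an added example that is not SSSD's code. The in-memory cache, the struct and function names, and the GUID strings are hypothetical stand-ins for the sysdb cache and its contents.

```c
#include <stdio.h>
#include <string.h>
#define MAX_GPOS 16

/* Hypothetical in-memory stand-in for the sysdb GPO cache (not SSSD's API). */
struct gpo_entry { char guid[40]; int version; int timeout; };
struct gpo_cache { struct gpo_entry e[MAX_GPOS]; size_t n; };

static int find(const struct gpo_entry *v, size_t n, const char *guid)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(v[i].guid, guid) == 0) return (int)i;
    return -1;
}

/* Online refresh: upsert the GPOs AD reports as applicable. With purge_stale
 * set, first drop cached entries whose guid is absent from the fresh set. */
size_t gpo_cache_refresh(struct gpo_cache *c, const struct gpo_entry *fresh,
                         size_t nfresh, int purge_stale)
{
    if (purge_stale) {
        size_t kept = 0;
        for (size_t i = 0; i < c->n; i++)
            if (find(fresh, nfresh, c->e[i].guid) >= 0)
                c->e[kept++] = c->e[i];
        c->n = kept;
    }
    for (size_t i = 0; i < nfresh; i++) {
        int at = find(c->e, c->n, fresh[i].guid);
        if (at >= 0) c->e[at] = fresh[i];          /* refresh version/timeout */
        else if (c->n < MAX_GPOS) c->e[c->n++] = fresh[i];
    }
    return c->n;   /* entries an offline evaluation would apply */
}

/* Constructed sample: GPO B stops being applicable between two refreshes. */
size_t demo(int purge_stale)
{
    struct gpo_cache c = { .n = 0 };
    const struct gpo_entry first[]  = { {"{GUID-A}", 1, 5}, {"{GUID-B}", 3, 5} };
    const struct gpo_entry second[] = { {"{GUID-A}", 2, 5} };
    gpo_cache_refresh(&c, first, 2, purge_stale);
    return gpo_cache_refresh(&c, second, 1, purge_stale);
}

int main(void)
{
    printf("without purge: %zu cached, with purge: %zu cached\n", demo(0), demo(1));
    return 0;
}
```

Without the purge, the offline evaluation still sees GPO B after AD has stopped reporting it; with the purge, only GPO A remains and its version is refreshed.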
Fields changed
patch: 0 => 1
milestone: NEEDS_TRIAGE => SSSD 1.12.1
resolution: => fixed
status: new => closed
cc: => yelley
rhbz: => 0
Metadata Update from @yelley: - Issue set to the milestone: SSSD 1.12.1
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/3473
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.