sssd sometimes ignores filter_users

mikemikew
Posts: 8
Joined: 2019/09/25 11:19:29

Post by mikemikew » 2020/07/02 15:45:45

I'm seeing an issue where it's like the sssd setting filter_users seems to be ignored until sssd is restarted. I was wondering if anyone else can recreate it.

I've got sssd configured to talk to an LDAP server and to filter out a bunch of users in case they exist on the LDAP server.

Code:

[nss]
filter_users = root,bin,daemon,adm,lp,sync,shutdown,halt,mail,uucp,operator,games,gopher,ftp,nobody,dbus,vcsa,abrt,haldaemon,ntp,saslauth,postfix,sshd,tcpdump,teamunix,admin,nagios,nrpe,radiusd,rpc,rpcuser,nfsnobody,apache,mysql,tomcat,tomcat7,http

For reasons completely unknown to me and beyond my control, the LDAP server does have a user called mysql with a UID of 13575. And somehow that has recently become a problem. If a local user is created, it's like sssd starts ignoring the filter_users setting until sssd gets restarted. E.g.

Code:

[root@neil ~]# getent passwd mysql
[root@neil ~]# useradd arhgerh
[root@neil ~]# getent passwd mysql
mysql:*:13575:1000:mysql:/home/mysql:/bin/bash
[root@neil ~]# systemctl restart sssd
[root@neil ~]# getent passwd mysql
[root@neil ~]# useradd -r arhgerherg
[root@neil ~]# getent passwd mysql
mysql:*:13575:1000:mysql:/home/mysql:/bin/bash
[root@neil ~]# systemctl restart sssd
[root@neil ~]# getent passwd mysql
[root@neil ~]# 

This is with sssd-2.2.3-20.el8.x86_64. The mysql on the LDAP server has been there for over a decade but I only realised it was there when I made an Ansible playbook for CentOS 8 that creates a local user and then subsequently installs MariaDB. The creation of the local user causes the server to start resolving the mysql LDAP user, so no local mysql user gets created by the %pre script in the mariadb-server package, then MariaDB stops working once sssd gets restarted for whatever reason.

I've got CentOS 6 and 7 servers using the LDAP server and can't recreate the problem with them.
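An added check for the symptom described in this post (example script, not from the poster or the sssd project): it reads filter_users from the [nss] section of an sssd.conf and reports any listed name that NSS still resolves even though it is not a local account. The config, passwd file and NSS view are constructed inline so it runs offline; on a real host the defaults (/etc/passwd and getent) apply.

```shell
#!/bin/sh
# Added example, not part of the original post. Sample data below is constructed.

# Print the comma-separated filter_users value from the [nss] section of $1.
filter_users_from_conf() {
    awk -F= '
        /^\[/ { in_nss = ($0 == "[nss]") }
        in_nss && $1 ~ /^[ \t]*filter_users[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2 }
    ' "$1"
}

# Print each filtered name that resolves through NSS but is absent from the
# local passwd file. A filtered name that IS local is expected to resolve:
# filter_users only stops the sss responder from answering for it.
# $1 = sssd.conf, $2 = local passwd file (default /etc/passwd),
# $3 = command printing the passwd entry for a name (default "getent passwd").
leaked_filtered_users() {
    conf=$1; local_passwd=${2:-/etc/passwd}; lookup=${3:-"getent passwd"}
    filter_users_from_conf "$conf" | tr ',' '\n' | while read -r name; do
        [ -n "$name" ] || continue
        if ! grep -q "^$name:" "$local_passwd" && $lookup "$name" >/dev/null 2>&1; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample mirroring the post: mysql is filtered and not local, yet
# the NSS view still carries the LDAP entry with uid 13575.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sssd.conf" <<'EOF'
[sssd]
services = nss, pam
domains = LDAP
[nss]
filter_users = root,bin,daemon,mysql,apache
[domain/LDAP]
id_provider = ldap
EOF
printf 'root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\n' > "$SAMPLE_DIR/passwd"
printf 'root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\n' > "$SAMPLE_DIR/nss"
printf 'mysql:*:13575:1000:mysql:/home/mysql:/bin/bash\n' >> "$SAMPLE_DIR/nss"

# Stand-in for "getent passwd NAME" that answers from the constructed NSS view.
fake_getent() { grep "^$1:" "$SAMPLE_DIR/nss"; }

leaked_filtered_users "$SAMPLE_DIR/sssd.conf" "$SAMPLE_DIR/passwd" fake_getent
```

Run it from cron or a config-management check after sssd changes; any name it prints is an account the filter was meant to hide but that the host will currently resolve.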
