sss_nss: hang when looking up a group with stale cache entry and a LDAP provider

[gollub]

With sssd 2.10.2 I noticed hangs when invoking sudo on server which I just have been logging in. On that system with a LDAP provider configured the sudo process hang in the NSS sss module doing a query about the "docker" (492) group.
This was not seen with 2.9.6.

The nsswitch.conf holds:

group:      files [SUCCESS=merge] sss [SUCCESS=merge] systemd

What potentially contributed to this issue is following config entry in /etc/sssd/sssd.conf:

[domain/LDAP]
[...]

filter_groups = ...,docker,....

Reverting 32f5782 on top of 2.10.2 seems to resolve the issue in my testing.

I suspect the introduction of cache_req_dp_contacted() in one of the conditions prevents a "cache_req_global_ncache_add()" call, resulting in a hang.

Logs

tail -f while running:

sss_cache -E
getent group 492

sssd-2.10.2 (Bad) - hang

==> /var/log/sssd/sssd_nss.log <==
(2025-11-13 15:09:57): [nss] [sss_nss_getby_id] (0x0400): [CID#3] Input ID: 492 (looking up 'POSIX data')
(2025-11-13 15:09:57): [nss] [cache_req_search_send] (0x0400): [CID#3] CR #3: Object found, but needs to be refreshed.
(2025-11-13 15:09:57): [nss] [cache_req_search_dp] (0x0400): [CID#3] CR #3: Looking up [GID:492@LDAP] in data provider
(2025-11-13 15:09:57): [nss] [sss_dp_get_account_send] (0x0400): [CID#3] Creating request for [LDAP][0x2][BE_REQ_GROUP][idnumber=492:-]
(2025-11-13 15:09:57): [nss] [sss_nss_get_object_send] (0x0400): [CID#3] Client [0x5646f8ed7eb0][22]: sent cache request #3

==> /var/log/sssd/sssd_LDAP.log <==
(2025-11-13 15:09:57): [be[LDAP]] [sdap_print_server] (0x2000): [RID#9] Searching 192.0.2.10:389
(2025-11-13 15:09:57): [be[LDAP]] [sdap_get_generic_ext_step] (0x0400): [RID#9] calling ldap_search_ext with [(&(gidNumber=492)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=example,dc=com].
(2025-11-13 15:09:58): [be[LDAP]] [sdap_parse_entry] (0x1000): [RID#9] OriginalDN: [cn=docker,ou=groups,ou=global,dc=example,dc=com].
(2025-11-13 15:09:58): [be[LDAP]] [sysdb_store_group] (0x0400): [RID#9] Group "docker@LDAP" has been stored
(2025-11-13 15:09:58): [be[LDAP]] [dp_req_done] (0x0400): [RID#9] DP Request [Account #9]: Request handler finished [0]: Success
(2025-11-13 15:09:58): [be[LDAP]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.getAccountInfo on /sssd from sssd.nss: Success

==> /var/log/sssd/sssd_nss.log <==
(2025-11-13 15:09:58): [nss] [sbus_dispatch] (0x4000): Dispatching.
(2025-11-13 15:09:58): [nss] [cache_req_search_ncache_filter] (0x0400): [CID#3] CR #3: [docker@LDAP] filtered out! (negative cache)
(2025-11-13 15:09:58): [nss] [cache_req_select_domains] (0x0400): [CID#3] CR #3: Performing a multi-domain search
(2025-11-13 15:09:58): [nss] [cache_req_search_domains] (0x0400): [CID#3] CR #3: Search will bypass the cache and check the data provider
(2025-11-13 15:09:58): [nss] [cache_req_set_domain] (0x0400): [CID#3] CR #3: Using domain [LDAP]
(2025-11-13 15:09:58): [nss] [cache_req_search_dp] (0x0400): [CID#3] CR #3: Looking up [GID:492@LDAP] in data provider
(2025-11-13 15:09:58): [nss] [sss_dp_get_account_send] (0x0400): [CID#3] Creating request for [LDAP][0x2][BE_REQ_GROUP][idnumber=492:-]
(2025-11-13 15:09:58): [nss] [sbus_requests_add] (0x4000): [CID#3] Chaining request: -:0:sssd.domain_LDAP:sssd.dataprovider.getAccountInfo:/sssd:1:2:idnumber=492:LDAP:(null)

---

sssd-2.9.6 (Good) - no hang

==> /var/log/sssd/sssd_nss.log <==
(2025-11-13 15:41:08): [nss] [sss_nss_getby_id] (0x0400): [CID#5] Input ID: 492 (looking up 'POSIX data')
(2025-11-13 15:41:08): [nss] [cache_req_search_send] (0x0400): [CID#5] CR #18: Object found, but needs to be refreshed.
(2025-11-13 15:41:08): [nss] [cache_req_search_dp] (0x0400): [CID#5] CR #18: Looking up [GID:492@LDAP] in data provider
(2025-11-13 15:41:08): [nss] [sss_dp_get_account_send] (0x0400): [CID#5] Creating request for [LDAP][0x2][BE_REQ_GROUP][idnumber=492:-]
(2025-11-13 15:41:08): [nss] [sss_nss_get_object_send] (0x0400): [CID#5] Client [0x55b0ddf431e0][26]: sent cache request #18

==> /var/log/sssd/sssd_LDAP.log <==
(2025-11-13 15:41:08): [be[LDAP]] [sdap_print_server] (0x2000): [RID#13] Searching 192.0.2.11:389
(2025-11-13 15:41:08): [be[LDAP]] [sdap_get_generic_ext_step] (0x0400): [RID#13] calling ldap_search_ext with [(&(gidNumber=492)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=example,dc=com].
(2025-11-13 15:41:08): [be[LDAP]] [sdap_parse_entry] (0x1000): [RID#13] OriginalDN: [cn=docker,ou=groups,ou=global,dc=example,dc=com].
(2025-11-13 15:41:08): [be[LDAP]] [sysdb_store_group] (0x0400): [RID#13] Group "docker@LDAP" has been stored
(2025-11-13 15:41:08): [be[LDAP]] [dp_req_done] (0x0400): [RID#13] DP Request [Account #13]: Request handler finished [0]: Success
(2025-11-13 15:41:08): [be[LDAP]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.getAccountInfo: Success

==> /var/log/sssd/sssd_nss.log <==
(2025-11-13 15:41:08): [nss] [sbus_dispatch] (0x4000): Dispatching.
(2025-11-13 15:41:08): [nss] [cache_req_search_ncache_filter] (0x0400): [CID#5] CR #18: [docker@LDAP] filtered out! (negative cache)
(2025-11-13 15:41:08): [nss] [cache_req_global_ncache_add] (0x0400): [CID#5] CR #18: Adding [GID:492@LDAP] to global negative cache
(2025-11-13 15:41:08): [nss] [cache_req_process_result] (0x0400): [CID#5] CR #18: Finished: Not found
(2025-11-13 15:41:08): [nss] [sss_nss_protocol_done] (0x4000): [CID#5] Sending reply: not found
(2025-11-13 15:41:08): [nss] [client_recv] (0x0200): [CID#5] Client disconnected!

[alexey-tikhonov]

Reverting 32f5782 on top of 2.10.2 seems to resolve the issue in my testing.

I doubt this is a single reason.

This patch was merged as a result of #6762 to sssd-2-9 as well - bc5fe9e (since 2.9.1)

But, IIRC, there is a difference that in sssd-2.10 'cache_first = true' by default, when in sssd-2.9 it is 'false'. So maybe those two changes together...

[gollub]

@alexey-tikhonov , good catch! You are right: cache_first = true in the [nss] section in sssd.conf seems to mitigate the issue for me as well. Yes, it seems to be not a single reason.

[alexey-tikhonov]

You are right: cache_first = true in the [nss] section in sssd.conf seems to mitigate the issue

Maybe 'false'?

Or, other way around, setting 'true' for sssd-2.9 should show the same issue.

[pbrezina]

There are actually multiple problems.

Steps to reproduce:

• create an LDAP group "group-1" with GID 20001
• set cache_first = true (default)
• set filter_groups = group-1
• run "getent group 20001 && sudo sss_cache -E && sleep 2 && getent group 20001"
• it will hang

(2025-11-14 12:42:21): [nss] [sss_nss_getby_id] (0x0400): [CID#6] Input ID: 987 (looking up 'POSIX data')
(2025-11-14 12:42:21): [nss] [cache_req_set_plugin] (0x2000): [CID#6] CR #40: Setting "Group by ID" plugin
(2025-11-14 12:42:21): [nss] [cache_req_send] (0x0400): [CID#6] CR #40: REQ_TRACE: New request [CID #6] 'Group by ID'
(2025-11-14 12:42:21): [nss] [cache_req_select_domains] (0x0400): [CID#6] CR #40: Performing a multi-domain search
(2025-11-14 12:42:21): [nss] [cache_req_search_domains] (0x0400): [CID#6] CR #40: Search will check the cache and bypass the data provider
(2025-11-14 12:42:21): [nss] [cache_req_validate_domain_type] (0x2000): [CID#6] Request type POSIX-only for domain ldap.test type POSIX is valid
(2025-11-14 12:42:21): [nss] [cache_req_set_domain] (0x0400): [CID#6] CR #40: Using domain [ldap.test]
(2025-11-14 12:42:21): [nss] [cache_req_search_send] (0x0400): [CID#6] CR #40: Looking up GID:987@ldap.test
(2025-11-14 12:42:21): [nss] [cache_req_search_ncache] (0x0400): [CID#6] CR #40: Checking negative cache for [GID:987@ldap.test]
(2025-11-14 12:42:21): [nss] [sss_ncache_check_str] (0x2000): [CID#6] Checking negative cache for [NCE/GID/ldap.test/987]
(2025-11-14 12:42:21): [nss] [sss_ncache_check_str] (0x2000): [CID#6] Checking negative cache for [NCE/GID/987]
(2025-11-14 12:42:21): [nss] [cache_req_search_ncache] (0x0400): [CID#6] CR #40: [GID:987@ldap.test] is not present in negative cache
(2025-11-14 12:42:21): [nss] [cache_req_search_cache] (0x0400): [CID#6] CR #40: Looking up [GID:987@ldap.test] in cache
(2025-11-14 12:42:21): [nss] [sysdb_get_user_members_recursively] (0x0400): [CID#6] No such entry
(2025-11-14 12:42:21): [nss] [cache_req_search_send] (0x0400): [CID#6] CR #40: Object found, but needs to be refreshed. 
(2025-11-14 12:42:21): [nss] [cache_req_search_dp] (0x0400): [CID#6] CR #40: Looking up [GID:987@ldap.test] in data provider 
(2025-11-14 12:42:21): [nss] [sss_dp_get_account_send] (0x0400): [CID#6] Creating request for [ldap.test][0x2][BE_REQ_GROUP][idnumber=987:-]
(2025-11-14 12:42:21): [nss] [sss_nss_get_object_send] (0x0400): [CID#6] Client [0x10d383b0][21]: sent cache request #40
(2025-11-14 12:42:21): [nss] [sbus_dispatch] (0x4000): Dispatching.
(2025-11-14 12:42:21): [nss] [sss_dp_get_account_done] (0x0400): [CID#6] Data Provider lookup finished
(2025-11-14 12:42:21): [nss] [cache_req_common_process_dp_reply] (0x0400): [CID#6] Data Provider lookup was successful
(2025-11-14 12:42:21): [nss] [cache_req_search_cache] (0x0400): [CID#6] CR #40: Looking up [GID:987@ldap.test] in cache 
(2025-11-14 12:42:21): [nss] [sysdb_get_user_members_recursively] (0x0400): [CID#6] No such entry
(2025-11-14 12:42:21): [nss] [cache_req_search_ncache_filter] (0x0400): [CID#6] CR #40: Filtering out results by negative cache
(2025-11-14 12:42:21): [nss] [sss_ncache_check_str] (0x2000): [CID#6] Checking negative cache for [NCE/GROUP/ldap.test/colord@ldap.test]
(2025-11-14 12:42:21): [nss] [cache_req_search_ncache_filter] (0x0400): [CID#6] CR #40: [colord@ldap.test] filtered out! (negative cache)
(2025-11-14 12:42:21): [nss] [cache_req_select_domains] (0x0400): [CID#6] CR #40: Performing a multi-domain search
(2025-11-14 12:42:21): [nss] [cache_req_search_domains] (0x0400): [CID#6] CR #40: Search will bypass the cache and check the data provider
(2025-11-14 12:42:21): [nss] [sss_ncache_check_str] (0x2000): [CID#6] Checking negative cache for [NCE/DOM_LOCATE_TYPE/ldap.test/Group by ID]
(2025-11-14 12:42:21): [nss] [cache_req_validate_domain_type] (0x2000): [CID#6] Request type POSIX-only for domain ldap.test type POSIX is valid
(2025-11-14 12:42:21): [nss] [cache_req_set_domain] (0x0400): [CID#6] CR #40: Using domain [ldap.test]
(2025-11-14 12:42:21): [nss] [cache_req_search_send] (0x0400): [CID#6] CR #40: Looking up GID:987@ldap.test
(2025-11-14 12:42:21): [nss] [cache_req_search_ncache] (0x0400): [CID#6] CR #40: Checking negative cache for [GID:987@ldap.test]
(2025-11-14 12:42:21): [nss] [sss_ncache_check_str] (0x2000): [CID#6] Checking negative cache for [NCE/GID/ldap.test/987]
(2025-11-14 12:42:21): [nss] [sss_ncache_check_str] (0x2000): [CID#6] Checking negative cache for [NCE/GID/987]
(2025-11-14 12:42:21): [nss] [cache_req_search_ncache] (0x0400): [CID#6] CR #40: [GID:987@ldap.test] is not present in negative cache
(2025-11-14 12:42:21): [nss] [cache_req_search_dp] (0x0400): [CID#6] CR #40: Looking up [GID:987@ldap.test] in data provider
(2025-11-14 12:42:21): [nss] [sss_dp_get_account_send] (0x0400): [CID#6] Creating request for [ldap.test][0x2][BE_REQ_GROUP][idnumber=987:-]
(2025-11-14 12:42:21): [nss] [sbus_requests_add] (0x4000): [CID#6] Chaining request: -:0:sssd.domain_ldap_2etest:sssd.dataprovider.getAccountInfo:/sssd:1:2:idnumber=987:ldap.test:(null)

1. The biggest problem is that it incorrectly chains the second DP request.
2. The GID is not added to negative cache... this is solved as side effect by fixing 1
3. The second DP lookup is not necessary since we have only single domain, in this case it should be avoided.

This is fixed by #8202

[alexey-tikhonov]

RHBZ: https://issues.redhat.com/browse/RHEL-128594

[gollub]

You are right: cache_first = true in the [nss] section in sssd.conf seems to mitigate the issue

Maybe 'false'?

Oops. Yes, I meant cache_first = false. false makes it working again.