Bug 1020905

Summary: Creating system accounts on an IdM client takes up to 10 minutes when AD trust is configured in the IdM.
Product: Red Hat Enterprise Linux 6 Reporter: pgustafs
Component: sssd    Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA QA Contact: Kaushik Banerjee <kbanerje>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 6.4    CC: ekeck, grajaiya, jgalipea, jkurik, lslebodn, mkosek, nsoman, pbrezina, sgadekar, sgoveas
Target Milestone: rc    Keywords: Reopened, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.9.2-130.el6 Doc Type: Bug Fix
Doc Text:
Cause: The sss_useradd and sss_groupadd tools scan the ID space for system accounts as configured by /etc/login.defs rather aggressively, looking for an unused ID. At the same time, the subdomain code didn't honor the min_id/max_id settings, so even setting a high min_id didn't help. Consequence: Adding a system account using the sss_useradd or sss_groupadd tools took a very long time as sssd was being hammered with getpwuid()/getgrgid() requests. Fix: The subdomain code was fixed to honor the min_id/max_id configuration options. Result: If sssd is properly configured with the min_id option, scanning the ID space is rather fast. At the same time, future versions of shadow-utils will scan the ID space more efficiently.
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-14 04:46:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1028046    

Description pgustafs 2013-10-18 13:35:12 UTC
Description of problem: Creating system accounts on an IdM client takes up to 10 minutes when AD trust is configured in the IdM.


Version-Release number of selected component (if applicable):
sssd-1.9.2-82.7.el6_4.x86_64
sssd-client-1.9.2-82.7.el6_4.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install IdM and setup an AD trust.
2. Register an IdM client to the IdM server.
3. Create a system account
useradd -r username
groupadd -r groupname

Actual results:
Takes up to 10 minutes to create the group or user


Expected results:


Additional info:

Comment 2 Jakub Hrozek 2013-10-18 13:54:45 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2123

Comment 3 Jakub Hrozek 2013-10-18 13:56:57 UTC
To reproduce: On a system that is a client of IPA server that trusts an AD, run:

groupadd -r testgroup

The -r is important as it causes the groupadd to call getgrgid for all GIDs below 1000. The bug in sssd is that we don't inherit parent domain's min_id/max_id if set.

Comment 8 Jakub Hrozek 2013-10-24 14:16:59 UTC
Fixed upstream:
    master: e4a731167c210a6e57e68f451361f270337b1eed
    sssd-1-11: 8a5b0728ed6ed5deb6ad53cd4ccb23121babfd0c

Comment 13 Jakub Hrozek 2013-11-06 17:35:33 UTC
This issue only affects IPA clients in a trust setup.

On the client, set min_id = 1001. Run "useradd -r username" or "groupadd -r groupname".

With an unpatched client, the useradd or groupadd command will take a long time as useradd/groupadd will hammer SSSD, scanning the ID space for a free ID between 1 and 1000.

The patched packages should honor min_id even for subdomains and running useradd/groupadd should be fast.
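The following is an added illustration, not code from sssd or from this bug report. It simulates the two behaviours comments 3 and 13 describe: a responder that consults each configured domain's min_id/max_id range before sending a lookup to the (slow) backend, once with the trusted subdomain falling back to sssd's default range of 1 and unbounded (the unpatched behaviour) and once with the subdomain inheriting the parent's range (the fixed behaviour). The sssd.conf fragment is constructed; the domain names testrelm.test and adtest.qe are borrowed from comment 18; SYS_UID_MIN/SYS_UID_MAX are the shadow-utils defaults from /etc/login.defs. The scan issues one lookup for every UID in the system range, as comment 3 says useradd/groupadd -r did, so the backend call count shows why min_id matters.

```python
import configparser
from dataclasses import dataclass

# Constructed sssd.conf fragment for the IPA client (not from the bug report).
# min_id = 1001 is the value comment 13 tells the reporter to set.
SSSD_CONF = """
[sssd]
services = nss, pam
domains = testrelm.test

[domain/testrelm.test]
id_provider = ipa
ipa_domain = testrelm.test
min_id = 1001
"""

# Trusted AD domain that sssd discovers at runtime (name taken from comment 18).
SUBDOMAINS = {"testrelm.test": ["adtest.qe"]}

# System-account range from /etc/login.defs (shadow-utils defaults).
SYS_UID_MIN = 201
SYS_UID_MAX = 999


@dataclass
class Domain:
    name: str
    min_id: int   # sssd default is 1
    max_id: int   # sssd default is 0, meaning no upper bound

    def id_in_range(self, ident: int) -> bool:
        if ident < self.min_id:
            return False
        if self.max_id and ident > self.max_id:
            return False
        return True


def load_domains(conf_text: str, subdomains: dict, inherit_range: bool) -> list:
    """Build the domain list the responder consults, with or without the fix."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    domains = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section[len("domain/"):]
        parent = Domain(name,
                        cp.getint(section, "min_id", fallback=1),
                        cp.getint(section, "max_id", fallback=0))
        domains.append(parent)
        for sub in subdomains.get(name, []):
            if inherit_range:
                # Fixed behaviour: the subdomain honours the parent's min_id/max_id.
                domains.append(Domain(sub, parent.min_id, parent.max_id))
            else:
                # Unpatched behaviour: the subdomain uses the 1..unbounded default.
                domains.append(Domain(sub, 1, 0))
    return domains


class CountingBackend:
    """Stand-in for the LDAP round trip to the server; counts how often it is hit."""

    def __init__(self):
        self.calls = 0

    def getpwuid(self, uid: int):
        self.calls += 1
        return None  # nothing in the directory owns a system-range UID


def responder_getpwuid(uid: int, domains: list, backend: CountingBackend):
    """Apply the range filter first; only domains whose range contains uid reach the backend."""
    for dom in domains:
        if not dom.id_in_range(uid):
            continue
        entry = backend.getpwuid(uid)
        if entry is not None:
            return entry
    return None


def scan_system_range(domains: list, backend: CountingBackend):
    """Look up every UID in the system range (as comment 3 describes) and return the highest free one."""
    free = None
    for uid in range(SYS_UID_MAX, SYS_UID_MIN - 1, -1):
        if responder_getpwuid(uid, domains, backend) is None and free is None:
            free = uid
    return free


def run_scenario(inherit_range: bool) -> tuple:
    """Return (first free system UID, number of backend lookups) for one configuration."""
    backend = CountingBackend()
    domains = load_domains(SSSD_CONF, SUBDOMAINS, inherit_range)
    free_uid = scan_system_range(domains, backend)
    return free_uid, backend.calls


if __name__ == "__main__":
    for label, fixed in (("unpatched", False), ("patched", True)):
        uid, calls = run_scenario(fixed)
        print(f"{label}: first free system UID {uid}, backend lookups {calls}")
```

With the parent domain's min_id of 1001 rejecting every system-range UID, the unpatched subdomain still forwards all 799 lookups to the backend, while the patched subdomain forwards none; the free UID found is the same in both cases, which is why the bug shows up only as latency. The range filter also keeps a trusted domain from ever answering for a UID reserved for local system accounts.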

Comment 18 Steeve Goveas 2014-07-30 11:37:03 UTC
* On IPA server

[root@hp-ms-01-c21 ~]# ipa host-find hp-ms-01-c11 --pkey-only
--------------
1 host matched
--------------
  Host name: hp-ms-01-c11.testrelm.test
----------------------------
Number of entries returned 1
----------------------------

[root@hp-ms-01-c21 ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10,
                          S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10,
                          S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

[root@hp-ms-01-c21 ~]# getent passwd aduser1
aduser1:*:1148401313:1148401313:ads user:/home/adtest.qe/aduser1:

* On IPA Client

[root@hp-ms-01-c11 ~]# hostname
hp-ms-01-c11.testrelm.test

[root@hp-ms-01-c11 ~]# getent passwd aduser1
aduser1:*:1148401313:1148401313::/home/adtest.qe/aduser1:

[root@hp-ms-01-c11 ~]# time useradd -r sysuser2; time groupadd -r sysgrp2

real	0m10.926s
user	0m0.095s
sys	0m0.307s

real	0m3.856s
user	0m0.073s
sys	0m0.164s

* Verified in version
[root@hp-ms-01-c11 ~]# rpm -q sssd sssd-client
sssd-1.11.6-12.el6.x86_64
sssd-client-1.11.6-12.el6.x86_64

Comment 19 errata-xmlrpc 2014-10-14 04:46:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1375.html