Bug 1103249

Summary: PAC responder needs much time to process large group lists
Product: Red Hat Enterprise Linux 7
Reporter: Jakub Hrozek <jhrozek>
Component: sssd
Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA
QA Contact: Steeve Goveas <sgoveas>
Severity: unspecified
Docs Contact:
Priority: medium
Version: 7.0
CC: ccoursey, grajaiya, jgalipea, jhrozek, jnansi, lslebodn, mkosek, mnavrati, mvarun, nsoman, parsonsa, pbrezina, sgoveas
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: sssd-1.14.0-0.2.beta1.el7
Doc Type: Bug Fix
Doc Text:
Under certain circumstances, the algorithm in the Privilege Attribute Certificate (PAC) responder component of the System Security Services Daemon (SSSD) does not effectively handle users who are members of a large number of groups. As a consequence, logging in from Windows clients to Red Hat Enterprise Linux clients with Kerberos single sign-on (SSO) can be noticeably slow. There is currently no known workaround available.
Last Closed: 2016-11-04 07:10:37 UTC
Bug Blocks: 1172231, 1205926    
Attachments: console output (flags: none)

Description Jakub Hrozek 2014-05-30 14:25:02 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2158

For example, when an AD user is part of 500 groups.

Comment 4 Jakub Hrozek 2016-02-22 21:19:00 UTC
*** Bug 1205926 has been marked as a duplicate of this bug. ***

Comment 5 Jakub Hrozek 2016-04-13 09:15:33 UTC
* d0d7de66c9494621c1bc12384e41e5e38a77fbeb
* c371993cce13edb9185a5f0db76fbee03f0edc04
* 1df6751f81f7d9c225463f76b9789b0cc7a0de8b
* aa0f39c7c09a55efc8d2282ca56e0e93e220aeba
* 63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4
* 28f336bdb32db0b89cb98174a3f8e308e4e928db
* 7cf0f78d832c7a09b59ee9f91cedc427c0253cd4
* cce3e8526176ce2fe9baa5bda1bb457b996b7bcf

Comment 7 Jatin Nansi 2016-08-12 03:12:34 UTC
Hello Jakub,

We have a customer running RHEL-7.2 who might benefit from this fix, can we get a test package incorporating this fix?

Thank you,
Jatin

Comment 10 Varun Mylaraiah 2016-09-22 13:52:09 UTC
Verified
ipa-client-4.4.0-7.el7.x86_64
sssd-1.14.0-15.el7.x86_64

Now the response is much faster when processing large group lists compared to 7.2 (sssd-1.13.0-40.el7.x86_64).
Please find the attached file which contains console output.

######## On 7.3 Client ###########

# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service

[root@host128 ~]# date; ssh -l aduser99@adtest2.qe master72.testrelm.test
Thu Sep 22 19:10:14 IST 2016
Password: 
Last login: Thu Sep 22 19:05:13 2016 from dhcp35-128.lab.eng.blr.redhat.com
-sh-4.2$ logout
Connection to master72.testrelm.test closed.

[root@host128 ~]# date
Thu Sep 22 19:10:31 IST 2016

[root@host128 ~]# rpm -qa ipa-client sssd
ipa-client-4.4.0-7.el7.x86_64
sssd-1.14.0-15.el7.x86_64


######## On 7.2 Client ###########
[root@client72 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service

[root@client72 ~]# date
Thu Sep 22 09:08:34 EDT 2016

[root@client72 ~]# ssh -l aduser99@adtest2.qe master72.testrelm.test
Password: 
Last login: Thu Sep 22 16:55:47 2016 from auto-hv-01-guest06.idmqe.lab.eng.bos.redhat.com
-sh-4.2$ 
-sh-4.2$ logout
Connection to master72.testrelm.test closed.

[root@client72 ~]# date
Thu Sep 22 09:11:00 EDT 2016

[root@client72 ~]# rpm -qa ipa-client sssd
ipa-client-4.2.0-15.el7.x86_64
sssd-1.13.0-40.el7.x86_64

Comment 11 Varun Mylaraiah 2016-09-22 13:53:03 UTC
Created attachment 1203769
console output

Comment 13 errata-xmlrpc 2016-11-04 07:10:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2476.html