Bug 1127270
| Field | Value |
|---|---|
| Summary | sssd connect to ipa-server is long |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | David Spurek <dspurek> |
| Component | sssd |
| Assignee | Jakub Hrozek <jhrozek> |
| Status | CLOSED ERRATA |
| QA Contact | Kaushik Banerjee <kbanerje> |
| Severity | urgent |
| Priority | urgent |
| Version | 6.6 |
| CC | dpal, dspurek, ebenes, grajaiya, jgalipea, lslebodn, mkosek, nsoman, pbrezina, preichl, tlavigne |
| Target Milestone | rc |
| Keywords | Regression |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | sssd-1.11.6-27.el6 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2014-10-14 04:49:22 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description
David Spurek
2014-08-06 13:53:52 UTC
Please attach all logs, especially ldap_child.log with debug_level=10, and also the output of ldapsearch using -Y GSSAPI with KRB5_TRACE=/dev/stderr.

By the way, there is no reason to use sudo_provider=ldap in 6.6; you should use sudo_provider=ipa (which would re-use the existing connection).

And lastly, because you set the Regression keyword, please make sure that simply downgrading to the 6.5 packages *on the same host, using the same keytab* makes the problem go away.

Thanks, I know that sudo_provider=ipa is supported in rhel 6.6, but some customers may use an old setup and only update sssd. Then they will hit this issue.

I tried downgrading to sssd-1.9.2-129.el6 and it works fine; it immediately connects to ipa-server.

Created attachment 924785 [details]
ldap_child.log
ldap_child.log with debug_level=10

Created attachment 924787 [details]
ldap.log for KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI

The problem is a race condition between the initial sudo full refresh and the subdomains refresh task. David has sudo configured with the ldap provider and the rest uses ipa (i.e. a pre-1.9 sudo configuration). The sudo full refresh tries to acquire a TGT, but before it finishes the subdomains refresh invokes the same operation. The first one finishes successfully but the second one fails with "Failed to init ccache: Internal credentials cache error", since the credentials cache is just being initialized. Thus the provider goes offline, which creates the 60 second delay. There is no problem with the improved 1.11 configuration, but we need to fix it.

(In reply to Pavel Březina from comment #11)
> There is no problem with improved 1.11 configuration but we need to fix it.

OK, I'll clone upstream. Please take the ticket upstream if you have an idea on solving this.

Upstream ticket: https://fedorahosted.org/sssd/ticket/2410

* master:
  * 5c075562ac687f7102c7c940fec2e82da378bfff
  * ad9d65039fd15a9b63b5772c0c4cdc29ffac93fa
* sssd-1-11:
  * 1cd03a904769a23c624abcfc6916f767f993d60d
  * 485c915767f060c577f181a21f02991f5e7b190f
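The race described in comment 11, reduced to a runnable model. This is an added example, not sssd or libkrb5 code, and it does not describe what the upstream commits above actually change: it only models two back-end tasks (the sudo full refresh and the subdomains refresh) both asking for the host TGT while the credentials cache is still being initialized, so that the second request fails and the provider is taken offline. The `coalesce=True` variant shows one general remedy for this class of bug, letting a second caller wait for the in-flight request instead of starting its own; the class and function names, the principal and the "KDC round trip" event are all constructed for the illustration.

```python
import threading


class CacheError(Exception):
    """Stands in for the krb5 error ldap_child reports in the bug."""


class CredentialCache:
    """Constructed toy model of a credentials cache: a second initialize()
    while one is still in flight fails, the failure mode comment 11 describes.
    Not sssd or libkrb5 code."""

    def __init__(self):
        self._lock = threading.Lock()
        self._initializing = False
        self.init_started = threading.Event()  # driver hook for a deterministic interleaving
        self.tgt = None

    def initialize(self, principal, kdc_done):
        with self._lock:
            if self._initializing:
                raise CacheError("Failed to init ccache: Internal credentials cache error")
            self._initializing = True
            self.init_started.set()
        kdc_done.wait()  # simulated AS-REQ/AS-REP round trip to the KDC
        with self._lock:
            self.tgt = "krbtgt/TESTRELM.TEST@TESTRELM.TEST for " + principal
            self._initializing = False
        return self.tgt


class Backend:
    """Two data-provider tasks share one cache. coalesce=False: each task
    runs its own initialization (the racy behaviour). coalesce=True: a task
    that finds an initialization in flight waits for that result instead."""

    def __init__(self, coalesce):
        self.coalesce = coalesce
        self.cache = CredentialCache()
        self.offline = False                      # a failed TGT request takes the provider offline
        self._lock = threading.Lock()
        self._inflight = None                     # Event set when the running init finishes
        self.waiter_attached = threading.Event()  # driver hook for a deterministic interleaving

    def get_tgt(self, principal, kdc_done):
        if self.coalesce:
            with self._lock:
                waiter = self._inflight
                if waiter is None:
                    self._inflight = threading.Event()
            if waiter is not None:
                self.waiter_attached.set()
                waiter.wait()          # reuse the TGT the first task obtains
                return "ok" if self.cache.tgt else "offline"
        try:
            self.cache.initialize(principal, kdc_done)
            return "ok"
        except CacheError:
            self.offline = True        # in the real bug: offline mode and the 60 second delay
            return "offline"
        finally:
            if self.coalesce:
                with self._lock:
                    done, self._inflight = self._inflight, None
                done.set()


def run_scenario(coalesce):
    """Force the interleaving from the report: the sudo full refresh starts a
    TGT request, and the subdomains refresh asks before the KDC has answered."""
    backend = Backend(coalesce)
    kdc_done = threading.Event()
    principal = "host/idm-qe-03.testrelm.test"   # constructed, matches the test host above
    results = {}

    def sudo_full_refresh():
        results["sudo_full_refresh"] = backend.get_tgt(principal, kdc_done)

    def subdomains_refresh():
        results["subdomains_refresh"] = backend.get_tgt(principal, kdc_done)

    t1 = threading.Thread(target=sudo_full_refresh)
    t2 = threading.Thread(target=subdomains_refresh)
    t1.start()
    backend.cache.init_started.wait()   # first request is now talking to the KDC
    t2.start()
    if coalesce:
        backend.waiter_attached.wait()  # second request is parked on the first
    else:
        t2.join()                       # second request has already failed
    kdc_done.set()                      # KDC answers the first request
    t1.join()
    t2.join()
    results["offline"] = backend.offline
    return results


if __name__ == "__main__":
    print("separate initializations (racy):", run_scenario(False))
    print("coalesced on the in-flight request:", run_scenario(True))
```

Without coalescing the second task reports "offline" and the back end is marked offline even though a valid TGT arrives a moment later; with coalescing both tasks end up with the same TGT and nothing goes offline. When diagnosing the real thing, the ldap_child.log at debug_level=10 that comment 1 asks for is what shows the two overlapping requests.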
Taking steps as below using sssd-1.11.6-28.el6.x86_64 ipa-server-3.0.0-42.el6.x86_64

Installed ipa server then followed the commands below, based on the test script mentioned in comment 10:

```
# kinit admin
Password for admin:
# ipa hostgroup-add --desc="test hostgroup 1" hostgrp1
--------------------------
Added hostgroup "hostgrp1"
--------------------------
  Host-group: hostgrp1
  Description: test hostgroup 1
# ipa hostgroup-add-member --hosts=idm-qe-03.testrelm.test hostgrp1
  Host-group: hostgrp1
  Description: test hostgroup 1
  Member hosts: idm-qe-03.testrelm.test
-------------------------
Number of members added 1
-------------------------
# ipa sudorule-add sudorule1
---------------------------
Added Sudo Rule "sudorule1"
---------------------------
  Rule name: sudorule1
  Enabled: TRUE
# ipa user-add --first=test --last=user2 --cn=tuser2 --email=tuser2 --random tuser2
-------------------
Added user "tuser2"
-------------------
  User login: tuser2
  First name: test
  Last name: user2
  Full name: tuser2
  Display name: test user2
  Initials: tu
  Home directory: /home/tuser2
  GECOS field: test user2
  Login shell: /bin/sh
  Kerberos principal: tuser2
  Email address: tuser2
  Random password: niY8WJ1s2U5g
  UID: 609800001
  GID: 609800001
  Password: True
  Kerberos keys available: True
# ipa sudorule-add-user --users=tuser2 sudorule1
  Rule name: sudorule1
  Enabled: TRUE
  Users: tuser2
-------------------------
Number of members added 1
-------------------------
# ipa sudorule-add-host --hostgroups=hostgrp1 sudorule1
  Rule name: sudorule1
  Enabled: TRUE
  Users: tuser2
  Host Groups: hostgrp1
-------------------------
Number of members added 1
-------------------------
[root@idm-qe-03 ~]# ipa sudocmd-add "/bin/date"
------------------------------
Added Sudo Command "/bin/date"
------------------------------
  Sudo Command: /bin/date
# ipa sudorule-add-allow-command sudorule1 --sudocmds="/bin/date"
  Rule name: sudorule1
  Enabled: TRUE
  Users: tuser2
  Host Groups: hostgrp1
  Sudo Allow Commands: /bin/date
-------------------------
Number of members added 1
-------------------------
# ipa hostgroup-show hostgrp1
  Host-group: hostgrp1
  Description: test hostgroup 1
  Member hosts: idm-qe-03.testrelm.test
  Member of Sudo rule: sudorule1
# ipa sudorule-show sudorule1
  Rule name: sudorule1
  Enabled: TRUE
  Users: tuser2
  Host Groups: hostgrp1
  Sudo Allow Commands: /bin/date
# getent netgroup hostgrp1
hostgrp1              (idm-qe-03.testrelm.test,-,testrelm.test)
```

Updated sssd.conf as in:

```
# cat /etc/sssd/sssd.conf
[domain/testrelm.test]
ldap_sudo_search_base = ou=sudoers,dc=testrelm,dc=test
ldap_sasl_realm = TESTRELM.TEST
krb5_server = idm-qe-03.testrelm.test
ldap_sasl_authid = host/idm-qe-03.testrelm.test
ldap_sasl_mech = GSSAPI
ldap_uri = ldap://idm-qe-03.testrelm.test
sudo_provider = ldap
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = testrelm.test
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = idm-qe-03.testrelm.test
chpass_provider = ipa
ipa_server = idm-qe-03.testrelm.test
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = testrelm.test

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

# rpm -q mod_ssl
package mod_ssl is not installed
# service sssd restart
Stopping sssd:                                             [  OK  ]
Starting sssd:                                             [  OK  ]
# cat /etc/nsswitch.conf| grep sudoers
sudoers:    files sss
# service sssd stop
Stopping sssd:                                             [  OK  ]
# rm -rf /var/lib/sss/db/*
# service sssd start
Starting sssd:                                             [  OK  ]
# su - tuser2
su: warning: cannot change directory to /home/tuser2: No such file or directory
-sh-4.1$
```

And switched to the ipa user tuser2 promptly, with no delay. Pavel, would like to see if this verifies the bz?

Confirmed with David that the steps are right. He indicated there was a race condition which was caused by using the ldap provider for sudo and the ipa provider for the rest.
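The verification above deliberately keeps the legacy layout that triggers the race (`id_provider = ipa` with a separate `sudo_provider = ldap`), and comment 1 recommends `sudo_provider = ipa` instead. The following added check, not part of this bug or of sssd, parses an sssd.conf, flags domains that still use that combination and rewrites them to the ipa sudo provider. The sample configuration is a constructed, trimmed copy of the one in the verification comment; the list of `ldap_*` keys it drops is my assumption about what the ipa provider derives from `ipa_server` and `ipa_hostname` on its own, so check it against the sssd-ipa man page for your version before applying it to a real host.

```python
import configparser

# Constructed sample: the verification comment's sssd.conf, trimmed to the
# keys that matter for the check.
SAMPLE_CONF = """\
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = testrelm.test

[domain/testrelm.test]
ldap_sudo_search_base = ou=sudoers,dc=testrelm,dc=test
ldap_sasl_realm = TESTRELM.TEST
ldap_sasl_authid = host/idm-qe-03.testrelm.test
ldap_sasl_mech = GSSAPI
ldap_uri = ldap://idm-qe-03.testrelm.test
sudo_provider = ldap
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = idm-qe-03.testrelm.test
ipa_domain = testrelm.test
"""

# Keys that only the stand-alone ldap sudo provider needed (assumption: the
# ipa provider configures LDAP URI and SASL identity from ipa_server/ipa_hostname).
LEGACY_LDAP_SUDO_KEYS = (
    "ldap_sudo_search_base",
    "ldap_sasl_realm",
    "ldap_sasl_authid",
    "ldap_sasl_mech",
    "ldap_uri",
)


def parse_sssd_conf(text):
    """sssd.conf is INI-style; interpolation is off so '%' in values is literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def find_legacy_sudo_domains(cp):
    """Return the domains that use the ipa id provider but a separate ldap sudo
    provider: the pre-1.9 layout that ran two parallel TGT requests in this bug."""
    hits = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if (cp.get(section, "id_provider", fallback="").strip() == "ipa"
                and cp.get(section, "sudo_provider", fallback="").strip() == "ldap"):
            hits.append(section[len("domain/"):])
    return hits


def migrate_sudo_to_ipa(cp):
    """Switch flagged domains to sudo_provider = ipa (the setting comment 1
    recommends) and drop the ldap_* keys the separate provider needed.
    Returns {domain: [dropped keys]} so the change can be reviewed."""
    changed = {}
    for domain in find_legacy_sudo_domains(cp):
        section = "domain/" + domain
        cp.set(section, "sudo_provider", "ipa")
        dropped = [key for key in LEGACY_LDAP_SUDO_KEYS
                   if cp.remove_option(section, key)]
        changed[domain] = dropped
    return changed


if __name__ == "__main__":
    conf = parse_sssd_conf(SAMPLE_CONF)
    print("legacy sudo domains:", find_legacy_sudo_domains(conf))
    print("migrated:", migrate_sudo_to_ipa(conf))
    for key, value in conf.items("domain/testrelm.test"):
        print(f"{key} = {value}")
```

Running it on the sample reports `testrelm.test` as a legacy domain and leaves a domain section whose only provider is ipa. On a live host, read `/etc/sssd/sssd.conf` with the same parser, review the returned list of dropped keys, and restart sssd after writing the result back; the file is mode 0600 and owned by root, so the check has to run as root.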
Described use case worked in rhel 6.5; you have to use sssd 1.11 without the patch for this bug (for example sssd-1.11.6-12.el6).

Not seeing the race condition in the current build, so marking verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1375.html