Bug 1302349

Summary: accounts-daemon makes sssd perform excessive LDAP queries
Product: Red Hat Enterprise Linux 7
Reporter: Jonathan Billings <jsbillin>
Component: accountsservice
Assignee: Ray Strode [halfline] <rstrode>
Status: CLOSED DUPLICATE
QA Contact: Desktop QE <desktop-qa-list>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.2
CC: doublezane
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: accountsservice-0.6.35-10.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-10-21 14:48:43 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jonathan Billings 2016-01-27 14:53:14 UTC
Description of problem:
Our RHEL7.2 workstations are configured to use LDAP for account information.  We provide workstations in computing labs for over ten thousand students.  We have GDM configured to not show a user list, yet when GDM starts, or when a user tries to log in, accounts-daemon asks sssd to look up information for every user who has logged into the system since the 'wtmp' file has been rotated (which is every month, by default).  This might be OK if the passwd information was local, but we have systems that get a wide range of users and have caused enough traffic that our LDAP admins have complained.

I also see accounts-daemon performing these queries while the user is logged in, I believe when making changes to their gnome session properties.

I'm seeing the same behavior for lightdm (from EPEL) as well as SSH logins.

The only solution I can think of is to rotate the wtmp files daily.

Version-Release number of selected component (if applicable):
accountsservice-0.6.35-9.el7.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Set up SSSD to talk to an LDAP system
2. Run '/usr/libexec/accounts-daemon --debug' so you can watch the queries
3. Log into system

Actual results:
You will see output that looks like this:

(accounts-daemon:39483): DEBUG: user <USERNAME> has 1 groups
(accounts-daemon:39483): DEBUG: loaded user: <USERNAME>

for every <USERNAME> in the output of 'last'.  At least twice for every login, once when the login screen comes up, and once when the user enters their username and then switches to the password field.

Expected results:
accounts-daemon shouldn't be querying every logged-in user every time.

Additional info:
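
The reproduction steps above amount to comparing two things: the set of distinct login names held in wtmp (what 'last' prints) and the number of "loaded user:" lines accounts-daemon emits in --debug mode. The following helper script is an added diagnostic, not part of the bug report or of accountsservice; it parses constructed samples of both outputs (the names and timestamps are made up) so it runs offline. On a real host the same functions can be fed with `last -w` and with the captured daemon debug log to estimate how many NSS lookups, and thus sssd/nslcd LDAP queries, each login cycle triggers.

```shell
#!/bin/sh
# Added diagnostic helper (not from the bug report or the accountsservice project).
# Estimates how many per-user lookups accounts-daemon triggers from wtmp.

# Constructed sample of `last` output (not captured from a real system).
SAMPLE_LAST='alice    pts/0        10.0.0.5         Tue Jan 26 10:00 - 11:00  (01:00)
bob      :0           :0               Tue Jan 26 09:00 - 12:00  (03:00)
alice    pts/1        10.0.0.7         Mon Jan 25 08:00 - 09:00  (01:00)
reboot   system boot  3.10.0-327.el7   Mon Jan 25 07:55 - 12:00  (04:05)
carol    tty2                          Sun Jan 24 13:00 - 14:00  (01:00)
shutdown system down  3.10.0-327.el7   Sat Jan 23 18:00 - 07:55  (13:55)

wtmp begins Fri Jan  1 00:00:00 2016'

# Print the distinct login names found in `last` output, one per line,
# skipping the reboot/shutdown pseudo-users and the trailing "wtmp begins" line.
wtmp_unique_users() {
    awk 'NF && $1 != "reboot" && $1 != "shutdown" && $1 != "wtmp" { print $1 }' | sort -u
}

# Count them: this is the number of NSS lookups (each forwarded to sssd or
# nslcd, and from there to LDAP) that one enumeration of wtmp costs.
wtmp_lookup_count() {
    wtmp_unique_users | wc -l | tr -d ' '
}

# Constructed accounts-daemon --debug output with placeholder user names.
SAMPLE_DEBUG='(accounts-daemon:39483): DEBUG: user alice has 1 groups
(accounts-daemon:39483): DEBUG: loaded user: alice
(accounts-daemon:39483): DEBUG: user bob has 2 groups
(accounts-daemon:39483): DEBUG: loaded user: bob
(accounts-daemon:39483): DEBUG: loaded user: carol
(accounts-daemon:39483): DEBUG: loaded user: alice'

# Count "loaded user:" lines in the debug log; each one is a lookup actually
# performed. A count above the number of distinct wtmp users means the same
# users are being re-queried within a single login cycle.
daemon_loaded_user_count() {
    grep -c 'DEBUG: loaded user:'
}

main() {
    n_wtmp=$(printf '%s\n' "$SAMPLE_LAST" | wtmp_lookup_count)
    n_loaded=$(printf '%s\n' "$SAMPLE_DEBUG" | daemon_loaded_user_count)
    echo "distinct users in wtmp:       $n_wtmp"
    echo "lookups seen in debug output: $n_loaded"
    # Real-host usage: last -w | wtmp_lookup_count
    #                  grep 'loaded user:' accounts-daemon.log | daemon_loaded_user_count
}

main "$@"
```

With the constructed samples the script reports 3 distinct users in wtmp and 4 lookups in the debug log, which is the pattern the report describes: a set of users far larger than the one logging in is queried, and some of them more than once per login. After a wtmp rotation the first count drops to the users seen since the rotation, which is why daily rotation reduces the LDAP traffic as a workaround.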

Comment 2 Ray Strode [halfline] 2016-02-09 20:24:09 UTC
I guess one thing we could do is ignore wtmp entries that are from ssh sessions.  We also should probably avoid enumerating all users if the userlist is disabled.

Comment 3 Ray Strode [halfline] 2016-06-30 19:59:08 UTC
This got fixed automatically as a side effect of fixing bug 1220904

Comment 4 Zane Zak 2016-10-20 21:13:47 UTC
Nearly the exact same scenario for the computer labs I host.
Red Hat Enterprise 7.2.

NSLCD for user account information.
Kerberos for authentication.


Logging in graphically or via SSH causes a huge number of LDAP requests to be sent off.

Running NSLCD in debug mode shows that the process generating all the requests is accounts-daemon

accounts-daemon seems to be reading all users from wtmp and requesting info on each one, which in turn gets handed to NSLCD, which does hundreds of queries.

The only solution that I've been able to come up with is cycling the wtmp logs daily so as to limit the number of users that accounts-daemon looks up.

Comment 5 Ray Strode [halfline] 2016-10-21 14:48:43 UTC
Hi,

This issue should be addressed in the next synchronous update of Red Hat Enterprise Linux 7.

This is really a duplicate of bug 1220904, so I'm going to mark it as such.

*** This bug has been marked as a duplicate of bug 1220904 ***