Bug 1421194
Summary: | SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | afox <afox> |
Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> |
Status: | CLOSED ERRATA | QA Contact: | Dan Lavu <dlavu> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | | |
Version: | 7.3 | CC: | dominik.mierzejewski, fidencio, grajaiya, jhrozek, lslebodn, mkosek, mzidek, pbrezina |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | x86_64 | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | sssd-1.16.0-10.el7 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2018-04-10 17:09:10 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1420851 | | |
Description
afox@redhat.com
2017-02-10 15:10:14 UTC
Upstream ticket: https://pagure.io/SSSD/sssd/issue/3468

QE: to test this, prepare an AD forest with overlapping search bases, e.g.

dc=foo,dc=bar
dc=child,dc=foo,dc=bar

Have POSIX attributes replicated into the Global Catalog or use ID mapping. Request an ID that doesn't exist in either domain. With the current code, SSSD would iterate over all domains. With the patched code, SSSD should run only one search against the global catalog.

Please note that the behaviour should also be tested in an environment where the POSIX attributes are not replicated to the global catalog. There, sssd should behave as it did before, so just iterate over all the domains.

master:
* a72919af8347b5bbc65a3b1fb3e5d31447240b24
* f2a5e29f063f9d623c1336d76f4b2bc500c1a5e2
* a6eb9c4c3ff68d134bc745e8374f182737e9696b
* 0a0b34f5fbe8f4a8c533a7d65f0f2961ee264054
* 2856dac5818265a6b4e42d768b73c65e333d14ff
* 800b1a27543fa83bc6cd73d8e2789f3cdbaf584a
* 6cd367da68ff56eb48b8b4167dbdd5e53992d194
* 07452697a67902dc6876d2f40d364cf1eadf2431
* 95fd82a4d7b50e64fed6906bc5345f271e8247d9
* 095844d6b48aef483c33e5a369a405ae686e044d
* c0f9f5a0f6d71a1596ee3cef549b4b02295313c3
* ba8a92bbd59f189bd1323dd0c4010cdfc694be35
* 6ae22d9adc0b075361defc99b8f14480ba8e7b46
* dacfe74113dde62ddaaa7f9abf9d2b6448d89db6
* 8e93ebb2a6f7644c389c1d1f4e92a21c4d0b2b45
* 37fdd9dc1ad5968067f8e3c43a51ed2ac9f3b104

Verified against sssd-1.16.0-11.el7.x86_64

==== logs output ====
(Fri Dec 15 17:17:37 2017) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Fri Dec 15 17:17:37 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Fri Dec 15 17:17:37 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Fri Dec 15 17:17:37 2017) [sssd[nss]] [nss_getby_name] (0x0400): Input name: unknown.com
(Fri Dec 15 17:17:37 2017) [sssd[nss]] [cache_req_set_plugin] (0x2000): CR #5: Setting "User by name" plugin
(Fri Dec 15 17:17:37 2017) [sssd[nss]] [cache_req_send] (0x0400): CR #5: New request 'User by name'
(Fri Dec 15 17:17:37 2017) [sssd[nss]] [cache_req_process_input] (0x0400): CR #5: Parsing input name [unknown.com]
(Fri Dec 15 17:17:37 2017) [sssd[nss]] [sss_domain_get_state] (0x1000): Domain sssdad.com is Active
(Fri Dec 15 17:17:37 2017) [sssd[nss]] [sss_domain_get_state] (0x1000): Domain child1.sssdad.com is Active
(Fri Dec 15 17:17:37 2017) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'unknown.com' matched expression for domain 'child1.sssdad.com', user is unknown
(Fri Dec 15 17:17:37 2017) [sssd[nss]] [cache_req_set_name] (0x0400): CR #5: Setting name [unknown]
(Fri Dec 15 17:17:37 2017) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #5: Performing a single domain search
(Fri Dec 15 17:17:37 2017) [sssd[nss]] [sss_domain_get_state] (0x1000): Domain sssdad.com is Active
(Fri Dec 15 17:17:37 2017) [sssd[nss]] [sss_domain_get_state] (0x1000): Domain child1.sssdad.com is Active
(Fri Dec 15 17:17:37 2017) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #5: Search will check the cache and check the data provider
(Fri Dec 15 17:17:37 2017) [sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain child1.sssdad.com type POSIX is valid

posix enabled searching only the global catalog

id: unknown.com: no such user

real 0m0.926s
user 0m0.000s
sys 0m0.003s

id mapping enabled iterating through all the domains

[root@vm-idm-013 db]# time id unknown.com
id: unknown.com: no such user

real 0m23.515s
user 0m0.000s
sys 0m0.004s

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0929
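Added example, not part of the bug report or of SSSD: a small parser for the `[sssd[nss]]` debug entries quoted in the verification comment, reporting for each cache request (`CR #N`) the request type, the name looked up, the search mode and the domains checked, which is what distinguishes a single search from an iteration over every domain. The function name `summarize` is hypothetical, and the code assumes that a `cache_req_validate_domain_type` entry, which carries no CR number, belongs to the most recent request.

```python
import re

# "(timestamp) [sssd[service]] [function] (0xLEVEL): message". The lookahead ends a
# message at the next entry, so logs pasted onto one line (as in this report) still split.
STAMP = r"\(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}\) \[sssd\["
ENTRY = re.compile(
    STAMP + r"[^\]]+\]\] \[(?P<func>\w+)\] \(0x[0-9a-f]{4}\): "
    r"(?P<msg>.*?)(?=\s*" + STAMP + r"|\s*$)",
    re.S,
)
CR = re.compile(r"CR #(\d+): (.*)", re.S)

# Entries copied from the verification log above, joined onto one line.
SAMPLE = " ".join([
    "(Fri Dec 15 17:17:37 2017) [sssd[nss]] [cache_req_send] (0x0400): CR #5: New request 'User by name'",
    "(Fri Dec 15 17:17:37 2017) [sssd[nss]] [cache_req_set_name] (0x0400): CR #5: Setting name [unknown]",
    "(Fri Dec 15 17:17:37 2017) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #5: Performing a single domain search",
    "(Fri Dec 15 17:17:37 2017) [sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain child1.sssdad.com type POSIX is valid",
])


def summarize(log_text):
    """Return {request_id: {"type", "name", "mode", "domains"}} per cache request."""
    requests = {}
    current = None  # most recent CR number seen (assumption used for un-numbered entries)
    for entry in ENTRY.finditer(log_text):
        func, msg = entry["func"], entry["msg"].strip()
        cr = CR.match(msg)
        if cr:
            current = int(cr[1])
            req = requests.setdefault(
                current, {"type": None, "name": None, "mode": None, "domains": []})
            body = cr[2]
            if func == "cache_req_send":
                req["type"] = body.split("'")[1]
            elif func == "cache_req_set_name":
                req["name"] = body[body.index("[") + 1:body.rindex("]")]
            elif func == "cache_req_select_domains":
                req["mode"] = body
        elif func == "cache_req_validate_domain_type" and current is not None:
            domain = re.search(r"for domain (\S+)", msg)
            if domain and domain[1] not in requests[current]["domains"]:
                requests[current]["domains"].append(domain[1])
    return requests


if __name__ == "__main__":
    for number, info in summarize(SAMPLE).items():
        print(f"CR #{number}: {info}")
```
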