Bug 1672527

Summary: sssd_krb5_locator_plugin introduces delay in cifs.upcall krb5 calls
Product: Red Hat Enterprise Linux 7 Reporter: Thorsten Scherf <tscherf>
Component: sssdAssignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA QA Contact: Niranjan Mallapadi Raghavender <mniranja>
Severity: high Docs Contact:
Priority: high    
Version: 7.6CC: barry.snyder, dwysocha, grajaiya, jhrozek, lslebodn, mniranja, mzidek, pbrezina, plambri, rharwood, robin.edser, sbose, sgoveas, tscherf
Target Milestone: rcKeywords: Regression, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.16.4-1.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1683578 (view as bug list) Environment:
Last Closed: 2019-08-06 13:02:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1683578    

Description Thorsten Scherf 2019-02-05 09:27:36 UTC 
Description of problem:
In RHEL-7.6 mounting a CIFS share takes a long time (54s) to complete. The same mount completes on a RHEL-7.5 system within 3s.

The machine uses SSSD and 'krb5' as 'auth' and 'chpass' provider.  The /etc/krb5.conf contains a list of AD domain controllers.

It turns out that cifs.upcall interferes with the 'kdcinfo' file from the SSSD locator plugin. When this file is in place and 'krb5_use_kdcinfo' is set to 'true' in sssd.conf (which is the default), we see unwanted krb5 kpasswd packets going to the AD DC stored in the 'kdcinfo' file. Removing 'kdcinfo' or setting 'krb5_use_kdcinfo' to 'false' resolves the issue.

Version-Release number of selected component (if applicable):
sssd-1.16.0-19.el7_5.8.x86_64

How reproducible:
Always 

Steps to Reproduce:
1. Configure a RHEL-7.6 machine as AD client using SSSD with 'ldap' as identity provider and 'krb5' as 'auth' and 'chpass' provider
2. Make sure /var/lib/sss/pubconf/kdcinfo.* exists and contains one of the AD DC IP's
3. Mount an AD CIFS share using an AD account with krb5 security options 

Actual results:
It takes very long for the mount to complete.

Expected results:
Mount completes immediately.

Additional info:
Comment 15 Barry Snyder 2019-02-15 14:34:12 UTC 
In our environment with mount delays and the krb5_use_kdcinfo option...

We experience, as of RHEL 7.6, NFSv4 mount delays of 45 seconds when using sec=sys and 90 seconds when using sec=krb5 to a NetApp NFS server if there isn't already a mount to the server. Doesn't appear to experience the delay automounting homedir directly after a reboot though. But if a umount is performed on said homedir and attempt to remount triggers 45/90 sec mount delay. Always reproducible.

Disabling gssproxy in nfs config is one workaround. Setting 'krb5_use_kdcinfo' to 'false' while keeping gssproxy enabled is another.

Our SSSD config is 'ad' for id_provider and chpass_provider, 'krb5' for auth_provider.
Comment 16 Sumit Bose 2019-02-15 14:54:11 UTC 
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3958
Comment 23 Jakub Hrozek 2019-02-26 22:06:14 UTC 
* master: 05350ab
* sssd-1-16: 1791eed
Comment 28 errata-xmlrpc 2019-08-06 13:02:47 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2177