Bug 1913086

Summary: sssd_be eats 100 % CPU
Product: Red Hat Enterprise Linux 8 Reporter: Lukas Hejtmanek <xhejtman>
Component: sssdAssignee: SSSD Maintainers <sssd-maint>
Status: CLOSED DUPLICATE QA Contact: sssd-qe <sssd-qe>
Severity: high Docs Contact:
Priority: unspecified    
Version: 8.3CC: atikhono, grajaiya, jhrozek, lslebodn, mzidek, pbrezina, tscherf
Target Milestone: rc   
Target Release: 8.0   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-01-06 10:20:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Lukas Hejtmanek 2021-01-05 22:57:59 UTC 
Description of problem:
If you have many users in /etc/passwd, sssd_be process eats 100 % CPU. 

Version-Release number of selected component (if applicable):
2.3.0-9.el8

How reproducible:


Steps to Reproduce:
1. put many users into /etc/passwd
2. start ssssd service
3. wait unitl it starts
4. touch /etc/passwd

Actual results:
sssd_be stops to work and eats 100 % CPU being restarted periodically.

Expected results:
continue to work.

Additional info:
if I delete ldb caches and start sssd again, it works until I touch passwd file again.

This is sssd.conf:

[sssd]
    services = pam
    domains = YYYY

[domain/YYYY]
    id_provider = files
    auth_provider = krb5
    krb5_realm = YYYY
    krb5_validate = true
    krb5_ccachedir = /tmp
    krb5_keytab = /etc/krb5.keytab
    krb5_server = XXXXX
    enumerate = False
Comment 1 Alexey Tikhonov 2021-01-06 10:20:44 UTC 
Hi,

thanks for the report. It is a duplicate of bz 1693379.

As a work around you can disable implicit files provider (see `man sssd.conf`: enable_files_domain option) and change order of databases in /etc/nsswitch.conf to `files sss ...` (instead of `sss files ...`)

*** This bug has been marked as a duplicate of bug 1693379 ***
Comment 2 Lukas Hejtmanek 2021-01-06 15:25:38 UTC 
Can I disable files provider if I actually need kerberos authentication for users?
Comment 3 Alexey Tikhonov 2021-01-06 15:32:56 UTC 
(In reply to Lukas Hejtmanek from comment #2)
> Can I disable files provider if I actually need kerberos authentication for
> users?

You can try to use
```
    id_provider = proxy
    proxy_lib_name = files
```
instead of 'id_provider = files' (and keeping krb5 for auth)