Bug 694905

Summary: Login time increases strongly while authenticating against a user from second domain.
Product: Red Hat Enterprise Linux 7 Reporter: Gowrishankar Rajaiyan <grajaiya>
Component: sssdAssignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA QA Contact: Madhuri <mupadhye>
Severity: low Docs Contact:
Priority: low    
Version: 7.0CC: dpal, grajaiya, jhrozek, kbanerje, prc, sgoveas
Target Milestone: rc   
Target Release: 7.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.15.2-1.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 08:58:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Gowrishankar Rajaiyan 2011-04-08 19:44:32 UTC 
Description of problem:


Version-Release number of selected component (if applicable):
sssd-1.5.1-24.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Configure SSSD for multiple domain. (see additional info for sssd.conf)
2. Try to authenticate as a user from domain2.
3. Observe the time for successful authentication.
  
Actual results:
Takes approx. 30 seconds. 

Replace "domains = domain1,domain2" to "domains = domain2,domain1" and try authentication. Now it takes ~9 seconds.

Expected results:
Login time should not increase strongly.

Additional info:

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = domain1,domain2
debug_level = 9

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 9

[pam]
reconnection_retries = 3
debug_level = 9

[domain/domain1]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://sssdldap.redhat.com:636
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/cacert.asc
cache_credentials = true
enumerate =  false
debug_level = 9

[domain/domain2]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://shanksldap.redhat.com:636
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/shanks/cacert.asc
cache_credentials = true
enumerate = false 
debug_level = 9
min_id = 59990
max_id = 59999
Comment 1 Gowrishankar Rajaiyan 2011-04-08 19:45:30 UTC 
Upstream ticket https://fedorahosted.org/sssd/ticket/843
Comment 9 Madhuri 2017-06-02 09:33:47 UTC 
Tested with:
sssd-1.15.2-37.el7.x86_64

Steps followed during verification:
1) Configure SSSd for Multiple domain.

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = domain1,domain2
debug_level = 9

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 9

[pam]
reconnection_retries = 3
debug_level = 9

[domain/domain1]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://firstserver.example.com:636
ldap_search_base = dc=redhat,dc=org
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_cacert = /etc/openldap/certs/cacert1.pem
cache_credentials = true
enumerate =  false
debug_level = 9

[domain/domain2]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://secondserver.example.com:636
ldap_search_base = dc=redhat,dc=org
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_cacert = /etc/openldap/certs/cacert2.pem
cache_credentials = true
enumerate = false 
debug_level = 9


2) Add user in both domain.
    test_first added in domain1
    test_scond added in domain2

3) Check the user lookup.

# id test_first@domain1
uid=10022(test_first) gid=10022 groups=10022

# id test_second@domain2
uid=10025(test_second) gid=10025 groups=10025

4) Check time for successful login.

i) when domain = domain1, domain2 in sssd.conf
# cat /etc/sssd/sssd.conf | grep domain
domains = domain1,domain2

# time ./login_time.sh test_first@domain1 Secret123
spawn ssh -q -l test_first@domain1 localhost echo 'login successful'
test_first@domain1@localhost's password: 
/usr/bin/id: cannot find name for group ID 10022
login successful

real    0m0.538s
user    0m0.001s
sys    0m0.006s

# time ./login_time.sh test_second@domain2 Secret123
spawn ssh -q -l test_second@domain2 localhost echo 'login successful'
test_second@domain2@localhost's password: 
/usr/bin/id: cannot find name for group ID 10025
login successful

real    0m0.560s
user    0m0.002s
sys    0m0.008s

5) Clear sssd cache and start the sssd again
# service sssd stop; rm -rf /var/lib/sss/db/*; rm -rf /var/log/sssd/*; service sssd start

6) when domain = domain2, domain1 in sssd.conf
# cat /etc/sssd/sssd.conf | grep domain
domains = domain2,domain1

# time ./login_time.sh test_first@domain1 Secret123
spawn ssh -q -l test_first@domain1 localhost echo 'login successful'
test_first@domain1@localhost's password: 
/usr/bin/id: cannot find name for group ID 10022
login successful

real    0m0.588s
user    0m0.003s
sys    0m0.005s

# time ./login_time.sh test_second@domain2 Secret123
spawn ssh -q -l test_second@domain2 localhost echo 'login successful'
test_second@domain2@localhost's password: 
/usr/bin/id: cannot find name for group ID 10025
login successful

real    0m0.524s
user    0m0.002s
sys    0m0.008s
Comment 10 errata-xmlrpc 2017-08-01 08:58:07 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294