Bug 1020905 - Creating system accounts on an IdM client takes up to 10 minutes when an AD trust is configured in the IdM.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: rc
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks: 1028046
Reported: 2013-10-18 13:35 UTC by pgustafs
Modified: 2020-05-02 17:30 UTC (History)

Fixed In Version: sssd-1.9.2-130.el6
Doc Type: Bug Fix
Doc Text:
Cause: The sss_useradd and sss_groupadd tools scan the ID space for system accounts, as configured by /etc/login.defs, rather aggressively, looking for an unused ID. At the same time, the subdomain code did not honor the min_id/max_id settings, so even setting a high min_id did not help.
Consequence: Adding a system account using the sss_useradd or sss_groupadd tools took a very long time, as sssd was being hammered with getpwuid()/getgrgid() requests.
Fix: The subdomain code was fixed to honor the min_id/max_id configuration options.
Result: If sssd is properly configured with the min_id option, scanning the ID space is rather fast. At the same time, future versions of shadow-utils will scan the ID space more efficiently.
Clone Of:
Environment:
Last Closed: 2014-10-14 04:46:55 UTC
Target Upstream Version:
Embargoed:

Links
  Github SSSD sssd issues 3165 (last updated 2020-05-02 17:30:00 UTC)
  Red Hat Product Errata RHBA-2014:1375, priority normal, status SHIPPED_LIVE: sssd bug fix and enhancement update (last updated 2014-10-14 01:06:25 UTC)

Description pgustafs 2013-10-18 13:35:12 UTC
Description of problem: Creating system accounts on an IdM client takes up to 10 minutes when an AD trust is configured in the IdM.


Version-Release number of selected component (if applicable):
sssd-1.9.2-82.7.el6_4.x86_64
sssd-client-1.9.2-82.7.el6_4.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install IdM and set up an AD trust.
2. Register an IdM client to the IdM server.
3. Create a system account:
useradd -r username
groupadd -r groupname

Actual results:
Takes up to 10 minutes to create the group or user


Expected results:


Additional info:

Comment 2 Jakub Hrozek 2013-10-18 13:54:45 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2123

Comment 3 Jakub Hrozek 2013-10-18 13:56:57 UTC
To reproduce: On a system that is a client of an IPA server that trusts an AD, run:

groupadd -r testgroup

The -r is important as it causes the groupadd to call getgrgid for all GIDs below 1000. The bug in sssd is that we don't inherit parent domain's min_id/max_id if set.
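
To make the lookup storm described above visible, here is an added shell emulation (not code from the bug report, sssd or shadow-utils) of the free-GID scan that groupadd -r performs: it walks the system GID range from the top down, as shadow-utils does for system accounts, and asks NSS about every GID until one is unused. The default range 1-999 is an assumption taken from the comments on this bug; on a real client pass the SYS_GID_MIN/SYS_GID_MAX values from /etc/login.defs.

```shell
#!/bin/sh
# Added emulation of the free-ID scan behind "groupadd -r" (Comment 3):
# walk the system GID range from the top down and ask NSS about every GID
# until one is reported unused. Each getent call is a getgrgid() through
# nss_sss; when sssd does not filter this range with min_id, every one of
# them is forwarded to the IPA/AD backend, which is where the minutes go.
# Range defaults (1-999) are an assumption based on the comments on this bug.
scan_free_gid() {
    min=${1:-1}
    max=${2:-999}
    gid=$max
    lookups=0
    while [ "$gid" -ge "$min" ]; do
        lookups=$((lookups + 1))
        if ! getent group "$gid" >/dev/null 2>&1; then
            # First unused GID found: report it and the lookups it cost.
            echo "$gid $lookups"
            return 0
        fi
        gid=$((gid - 1))
    done
    echo "no free GID between $min and $max" >&2
    return 1
}

# Wall-clock wrapper: run on an IPA client before and after setting min_id
# (or updating sssd) to see the per-lookup cost disappear.
scan_timed() {
    start=$(date +%s)
    result=$(scan_free_gid "$@") || return 1
    end=$(date +%s)
    echo "free GID and lookup count: $result (elapsed $((end - start))s)"
}
```

On an unpatched client with the default min_id, the elapsed time grows with the lookup count; with min_id above the range, sssd answers each lookup locally.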

Comment 8 Jakub Hrozek 2013-10-24 14:16:59 UTC
Fixed upstream:
    master: e4a731167c210a6e57e68f451361f270337b1eed
    sssd-1-11: 8a5b0728ed6ed5deb6ad53cd4ccb23121babfd0c

Comment 13 Jakub Hrozek 2013-11-06 17:35:33 UTC
This issue only affects IPA clients in a trust setup.

On the client, set min_id = 1001. Run "useradd -r username" or "groupadd -r groupname".

With an unpatched client, the useradd or groupadd command will take a long time as useradd/groupadd will hammer SSSD, scanning the ID space for a free ID between 1 and 1000.

The patched packages should honor min_id even for subdomains and running useradd/groupadd should be fast.
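
As an added check for the mitigation in this comment (example code, not from sssd or the bug report): it parses an sssd.conf, reports the effective min_id of every [domain/...] section (sssd's default is 1 when the option is unset) and flags any domain whose min_id still lies inside the ID range that useradd -r and groupadd -r scan. The sample configuration, including the hypothetical legacy.example domain, is constructed for the example.

```shell
#!/bin/sh
# Added checker for the mitigation in Comment 13: print the effective min_id
# of every [domain/...] section in an sssd.conf and flag any domain whose
# min_id still lies inside the system ID range that useradd -r / groupadd -r
# scan. sssd's default min_id is 1, which is why the scan reaches the backend.
# Usage: check_min_id /etc/sssd/sssd.conf [highest_system_id]; exits 1 if a
# domain is flagged.
check_min_id() {
    conf=$1
    sys_max=${2:-1000}
    awk -v sys_max="$sys_max" '
        /^[[:space:]]*\[/ {
            report()
            section = $0
            sub(/^[[:space:]]*\[/, "", section); sub(/\].*$/, "", section)
            indom = (section ~ /^domain\//)
            domain = substr(section, 8)
            min_id = 1                      # sssd default when unset
            next
        }
        indom && /^[[:space:]]*min_id[[:space:]]*=/ {
            split($0, kv, "="); gsub(/[[:space:]]/, "", kv[2]); min_id = kv[2] + 0
        }
        END { report(); exit bad + 0 }
        function report() {
            if (!indom) return
            verdict = (min_id > sys_max) ? "ok" : "scan-hits-backend"
            if (verdict != "ok") bad = 1
            print domain, min_id, verdict
            indom = 0
        }
    ' "$conf"
}

# Constructed sample: the IPA domain from this bug with min_id = 1001 applied,
# plus a hypothetical second domain left at the default.
write_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
domains = testrelm.test, legacy.example

[domain/testrelm.test]
id_provider = ipa
min_id = 1001

[domain/legacy.example]
id_provider = ldap
EOF
}
```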

Comment 18 Steeve Goveas 2014-07-30 11:37:03 UTC
* On IPA server

[root@hp-ms-01-c21 ~]# ipa host-find hp-ms-01-c11 --pkey-only
--------------
1 host matched
--------------
  Host name: hp-ms-01-c11.testrelm.test
----------------------------
Number of entries returned 1
----------------------------

[root@hp-ms-01-c21 ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10,
                          S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10,
                          S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

[root@hp-ms-01-c21 ~]# getent passwd aduser1
aduser1:*:1148401313:1148401313:ads user:/home/adtest.qe/aduser1:

* On IPA Client

[root@hp-ms-01-c11 ~]# hostname
hp-ms-01-c11.testrelm.test

[root@hp-ms-01-c11 ~]# getent passwd aduser1
aduser1:*:1148401313:1148401313::/home/adtest.qe/aduser1:

[root@hp-ms-01-c11 ~]# time useradd -r sysuser2; time groupadd -r sysgrp2

real	0m10.926s
user	0m0.095s
sys	0m0.307s

real	0m3.856s
user	0m0.073s
sys	0m0.164s

* Verified in version
[root@hp-ms-01-c11 ~]# rpm -q sssd sssd-client
sssd-1.11.6-12.el6.x86_64
sssd-client-1.11.6-12.el6.x86_64

Comment 19 errata-xmlrpc 2014-10-14 04:46:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1375.html

