Bug 1020905 - Creating system accounts on an IdM client takes up to 10 minutes when AD trust is configured in the IdM.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd (Show other bugs)
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assigned To: Jakub Hrozek
QA Contact: Kaushik Banerjee
Keywords: Reopened, ZStream
Depends On:
Blocks: 1028046
Reported: 2013-10-18 09:35 EDT by pgustafs
Modified: 2014-10-14 00:46 EDT (History)

See Also:
Fixed In Version: sssd-1.9.2-130.el6
Doc Type: Bug Fix
Doc Text:
Cause: The sss_useradd and sss_groupadd tools scan the ID space for system accounts as configured by /etc/login.defs rather aggressively, looking for an unused ID. At the same time, the subdomain code didn't honor the min_id/max_id settings, so even setting a high min_id didn't help. Consequence: Adding a system account using the sss_useradd or sss_groupadd tools took a very long time as sssd was being hammered with getpwuid()/getgrgid() requests. Fix: The subdomain code was fixed to honor the min_id/max_id configuration options. Result: If sssd is properly configured with the min_id option, scanning the ID space is rather fast. At the same time, future versions of shadow-utils will scan the ID space more efficiently.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-14 00:46:55 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description pgustafs 2013-10-18 09:35:12 EDT
Description of problem: Creating system accounts on an IdM client takes up to 10 minutes when AD trust is configured in the IdM.


Version-Release number of selected component (if applicable):
sssd-1.9.2-82.7.el6_4.x86_64
sssd-client-1.9.2-82.7.el6_4.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install IdM and set up an AD trust.
2. Register an IdM client to the IdM server.
3. Create a system account
useradd -r username
groupadd -r groupname

Actual results:
Takes up to 10 minutes to create the group or user


Expected results:


Additional info:
Comment 2 Jakub Hrozek 2013-10-18 09:54:45 EDT
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2123
Comment 3 Jakub Hrozek 2013-10-18 09:56:57 EDT
To reproduce: On a system that is a client of IPA server that trusts an AD, run:

groupadd -r testgroup

The -r is important as it causes the groupadd to call getgrgid for all GIDs below 1000. The bug in sssd is that we don't inherit the parent domain's min_id/max_id if set.
Comment 8 Jakub Hrozek 2013-10-24 10:16:59 EDT
Fixed upstream:
    master: e4a731167c210a6e57e68f451361f270337b1eed
    sssd-1-11: 8a5b0728ed6ed5deb6ad53cd4ccb23121babfd0c
Comment 13 Jakub Hrozek 2013-11-06 12:35:33 EST
This issue only affects IPA clients in a trust setup.

On the client, set min_id = 1001. Run "useradd -r username" or "groupadd -r groupname".

With an unpatched client, the useradd or groupadd command will take a long time as useradd/groupadd will hammer SSSD, scanning the ID space for a free ID between 1 and 1000.

The patched packages should honor min_id even for subdomains and running useradd/groupadd should be fast.
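The scan that comment 3 describes (useradd -r / groupadd -r probing every ID in the system range through NSS) and the min_id workaround from comment 13 can be modelled and checked locally. The following is an added example, not code from the bug report, sssd or shadow-utils: it parses a login.defs text for the system ID range, emulates the downward scan with a pluggable lookup so the number of NSS calls and their total latency become visible, and checks whether a given sssd.conf domain section keeps SSSD out of that range (min_id above SYS_UID_MAX). The login.defs and sssd.conf contents are constructed samples; the shadow-utils defaults (101..999) and the descending scan order are assumptions about the tool's behaviour, stated here as a model rather than its exact algorithm.

```python
"""Model of the system-ID scan done by useradd -r / groupadd -r, plus a check
that sssd.conf's min_id keeps SSSD out of the system range (added example)."""
import configparser
import pwd
import re
import time

# Constructed sample of /etc/login.defs (not copied from any real host).
SAMPLE_LOGIN_DEFS = """
# constructed example
SYS_UID_MIN  201
SYS_UID_MAX  999
SYS_GID_MIN  201
SYS_GID_MAX  999
UID_MIN      1000
"""

# Constructed sample of /etc/sssd/sssd.conf applying the comment-13 workaround.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = testrelm.test

[domain/testrelm.test]
id_provider = ipa
min_id = 1001
"""


def parse_login_defs(text):
    """Return the numeric KEY VALUE settings from login.defs text as a dict."""
    vals = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([A-Z_]+)\s+(\d+)$", line)
        if m:
            vals[m.group(1)] = int(m.group(2))
    return vals


def system_range(defs, kind="UID"):
    """(min, max) of the system account range for kind 'UID' or 'GID'.
    Fallbacks 101..999 are the assumed shadow-utils defaults."""
    return defs.get(f"SYS_{kind}_MIN", 101), defs.get(f"SYS_{kind}_MAX", 999)


def nss_uid_lookup(uid):
    """Real NSS probe: the passwd entry for uid, or None if no one serves it."""
    try:
        return pwd.getpwuid(uid)
    except KeyError:
        return None


def find_free_system_id(lookup, id_min, id_max):
    """Emulate the scan: walk from id_max down to id_min, asking NSS about each
    candidate until one is unused. Returns (free_id or None, lookups made).
    Every lookup is a getpwuid()/getgrgid() that SSSD may forward to IPA/AD."""
    lookups = 0
    for cand in range(id_max, id_min - 1, -1):
        lookups += 1
        if lookup(cand) is None:
            return cand, lookups
    return None, lookups


def time_scan(lookup, id_min, id_max):
    """Run the scan and report (free_id, lookups, seconds) to expose the cost."""
    t0 = time.perf_counter()
    free, n = find_free_system_id(lookup, id_min, id_max)
    return free, n, time.perf_counter() - t0


def sssd_min_id(conf_text, domain):
    """min_id of the given sssd.conf domain section; SSSD's default is 1."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.getint(f"domain/{domain}", "min_id", fallback=1)


def sssd_covers_system_range(conf_text, domain, sys_max):
    """True when SSSD would still answer lookups inside the system ID range,
    i.e. each probe of useradd -r may hit the IPA/AD backend. False once
    min_id is above SYS_UID_MAX, the state comment 13 asks for."""
    return sssd_min_id(conf_text, domain) <= sys_max


if __name__ == "__main__":
    defs = parse_login_defs(SAMPLE_LOGIN_DEFS)
    lo, hi = system_range(defs, "UID")
    free, n, secs = time_scan(nss_uid_lookup, lo, hi)
    print(f"system range {lo}..{hi}: free uid {free} after {n} lookups in {secs:.3f}s")
    covered = sssd_covers_system_range(SAMPLE_SSSD_CONF, "testrelm.test", hi)
    print("SSSD answers system-range lookups:", covered)
```

Run it on the affected client before and after raising min_id: the lookup count stays the same (the scan is what shadow-utils does), but the per-lookup latency and the total drop once SSSD rejects IDs below min_id locally instead of consulting the trusted domain. Pass a lookup wrapper around grp.getgrgid with the GID range to model groupadd -r the same way.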
Comment 18 Steeve Goveas 2014-07-30 07:37:03 EDT
* On IPA server

[root@hp-ms-01-c21 ~]# ipa host-find hp-ms-01-c11 --pkey-only
--------------
1 host matched
--------------
  Host name: hp-ms-01-c11.testrelm.test
----------------------------
Number of entries returned 1
----------------------------

[root@hp-ms-01-c21 ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10,
                          S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10,
                          S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

[root@hp-ms-01-c21 ~]# getent passwd aduser1@adtest.qe
aduser1@adtest.qe:*:1148401313:1148401313:ads user:/home/adtest.qe/aduser1:

* On IPA Client

[root@hp-ms-01-c11 ~]# hostname
hp-ms-01-c11.testrelm.test

[root@hp-ms-01-c11 ~]# getent passwd aduser1@adtest.qe
aduser1@adtest.qe:*:1148401313:1148401313::/home/adtest.qe/aduser1:

[root@hp-ms-01-c11 ~]# time useradd -r sysuser2; time groupadd -r sysgrp2

real	0m10.926s
user	0m0.095s
sys	0m0.307s

real	0m3.856s
user	0m0.073s
sys	0m0.164s

* Verified in version
[root@hp-ms-01-c11 ~]# rpm -q sssd sssd-client
sssd-1.11.6-12.el6.x86_64
sssd-client-1.11.6-12.el6.x86_64
Comment 19 errata-xmlrpc 2014-10-14 00:46:55 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1375.html
