Red Hat Bugzilla – Bug 1020905
Creating system accounts on a IdM client takes up to 10 minutes when AD trust is configured in the IdM.
Last modified: 2014-10-14 00:46:55 EDT
Description of problem:
Creating system accounts on an IdM client takes up to 10 minutes when AD trust is configured in the IdM.

Version-Release number of selected component (if applicable):
sssd-1.9.2-82.7.el6_4.x86_64
sssd-client-1.9.2-82.7.el6_4.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install IdM and set up an AD trust.
2. Register an IdM client to the IdM server.
3. Create a system account:
   useradd -r username
   groupadd -r groupname

Actual results:
Takes up to 10 minutes to create the group or user

Expected results:

Additional info:
Upstream ticket: https://fedorahosted.org/sssd/ticket/2123
To reproduce: On a system that is a client of an IPA server that trusts an AD, run:
    groupadd -r testgroup
The -r is important as it causes groupadd to call getgrgid for all GIDs below 1000. The bug in sssd is that we don't inherit the parent domain's min_id/max_id if set.
Fixed upstream:
master: e4a731167c210a6e57e68f451361f270337b1eed
sssd-1-11: 8a5b0728ed6ed5deb6ad53cd4ccb23121babfd0c
This issue only affects IPA clients in a trust setup. On the client, set min_id = 1001. Run "useradd -r username" or "groupadd -r groupname". With an unpatched client, the useradd or groupadd command will take a long time as useradd/groupadd will hammer SSSD, scanning the ID space for a free ID between 1 and 1000. The patched packages should honor min_id even for subdomains, and running useradd/groupadd should be fast.
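Added illustration (not SSSD's own code) of the failure mode described in the two comments above: a model of the responder's ID-range check during a groupadd -r scan, with the parent domain's min_id either not inherited by the AD subdomain (unpatched) or inherited (patched). It assumes the sssd.conf defaults of min_id = 1 and max_id = 0 (unbounded) and ignores the cache, so every in-range probe counts as one backend request; the domain names are taken from the verification output below.

```python
from dataclasses import dataclass
from typing import Optional

SSSD_DEFAULT_MIN_ID = 1  # sssd.conf default for min_id
SSSD_DEFAULT_MAX_ID = 0  # sssd.conf default for max_id; 0 means no upper bound

@dataclass
class Domain:
    """Simplified SSSD domain: a configured parent or a trusted subdomain."""
    name: str
    min_id: Optional[int] = None  # None means not set in sssd.conf
    max_id: Optional[int] = None
    parent: Optional["Domain"] = None
    backend_lookups: int = 0  # requests that reached the remote server

def id_range(dom: Domain, inherit_from_parent: bool):
    """Return the (min_id, max_id) pair the responder applies to this domain."""
    lo, hi = dom.min_id, dom.max_id
    if dom.parent is not None and inherit_from_parent:
        # Fixed behaviour: an unset bound on a subdomain falls back to the parent's
        lo = lo if lo is not None else dom.parent.min_id
        hi = hi if hi is not None else dom.parent.max_id
    lo = lo if lo is not None else SSSD_DEFAULT_MIN_ID
    hi = hi if hi is not None else SSSD_DEFAULT_MAX_ID
    return lo, hi

def lookup_gid(dom: Domain, gid: int, inherit_from_parent: bool) -> bool:
    """Range check before a getgrgid() request is forwarded to the backend.
    Returns True when the request had to go to the backend."""
    lo, hi = id_range(dom, inherit_from_parent)
    if gid < lo or (hi != 0 and gid > hi):
        return False  # outside the domain's range: answered locally, no traffic
    dom.backend_lookups += 1
    return True

def simulate_groupadd_r(domains, inherit_from_parent: bool, first=1, last=1000):
    """groupadd -r probes each candidate system GID; count what reaches a backend."""
    for d in domains:
        d.backend_lookups = 0
    for gid in range(first, last + 1):
        for d in domains:
            lookup_gid(d, gid, inherit_from_parent)
    return {d.name: d.backend_lookups for d in domains}

def build_trust_setup():
    """Constructed setup: IPA domain with min_id = 1001 (as in the verification
    steps) plus one trusted AD subdomain that sets no range of its own."""
    ipa = Domain("testrelm.test", min_id=1001)
    return [ipa, Domain("adtest.qe", parent=ipa)]
```

With inheritance off, all 1000 probes are forwarded to the AD subdomain's backend, which is the round-trip storm that makes useradd/groupadd slow; with inheritance on, none are.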
* On IPA server

[root@hp-ms-01-c21 ~]# ipa host-find hp-ms-01-c11 --pkey-only
--------------
1 host matched
--------------
  Host name: hp-ms-01-c11.testrelm.test
----------------------------
Number of entries returned 1
----------------------------
[root@hp-ms-01-c21 ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------
[root@hp-ms-01-c21 ~]# getent passwd aduser1@adtest.qe
aduser1@adtest.qe:*:1148401313:1148401313:ads user:/home/adtest.qe/aduser1:

* On IPA Client

[root@hp-ms-01-c11 ~]# hostname
hp-ms-01-c11.testrelm.test
[root@hp-ms-01-c11 ~]# getent passwd aduser1@adtest.qe
aduser1@adtest.qe:*:1148401313:1148401313::/home/adtest.qe/aduser1:
[root@hp-ms-01-c11 ~]# time useradd -r sysuser2; time groupadd -r sysgrp2

real    0m10.926s
user    0m0.095s
sys     0m0.307s

real    0m3.856s
user    0m0.073s
sys     0m0.164s

* Verified in version

[root@hp-ms-01-c11 ~]# rpm -q sssd sssd-client
sssd-1.11.6-12.el6.x86_64
sssd-client-1.11.6-12.el6.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1375.html