Bug 1074314 - Excessive LDAP calls by ipa-sam during file operations to samba file share on freeipa master cause high CPU and slow performance
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks: 1075132
Reported: 2014-03-09 17:30 UTC by Jason Woods
Modified: 2014-07-25 18:08 UTC
CC List: 7 users

Fixed In Version: ipa-3.0.0-41.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1075132
Environment:
Last Closed: 2014-07-25 18:08:21 UTC
Target Upstream Version:
Embargoed:


Attachments:
Proposed patch (8.08 KB, application/mbox) - 2014-03-09 17:30 UTC, Jason Woods - no flags
patch to fix case comparison and add extra check (1.30 KB, patch) - 2014-03-19 20:33 UTC, Jason Woods - abokovoy: review-

Description Jason Woods 2014-03-09 17:30:16 UTC
Created attachment 872438 [details]
Proposed patch

Description of problem:
When performing bulk file operations on a file share on the local samba instance of a FreeIPA master server which has ipa-server-trust-ad installed and configured, ns-slapd consumes excessive amounts of CPU, and the operations are very slow.

This is due to excessive LDAP calls by ipa-sam because it makes no use of the idmap cache routines within Samba, so for every file operation there are ldap queries for the user and for each user group - thus the more groups the more CPU usage and the slower the performance of the share.

I have proposed a patch - please review and feedback is good

The patch will:

1. (Small change) Mirror ldapsam behaviour by caching all gid<->sid and uid<->sid mappings

2. (Big change - please review) When performing a gid->sid lookup for a user primary group, the ldap search will fail as it does not have ipntgroupattr or ipntsecurityidentifier. I've adjusted the code so it can also return the user with the same uid as the requested gid. If the gid is not found but an identical id is, the fallback group SID is returned. Please bear in mind that during initial logon the primary group gid is in fact mapped to the fallback group and cached; this big change just ensures that once that cache expires and the lookup is requested, it can be repopulated the same way.

3. (Medium change - please review) From what I've researched, the uidNumber=0 will never exist in the directory service because the root user will never exist in the directory service. So querying LDAP for uidNumber=0 is fruitless and will always fail to find anything. To that end, when a request for uid=0 is received on the uid->sid lookup, the ldap search is skipped completely and the function returns as if not found.

The patch greatly improved performance for me. It reduced the CPU usage of ns-slapd to 0 thanks to caching, and improved the performance of multi-file copies significantly (days to hours).

Version-Release number of selected component (if applicable):
3.0.0-37
The master branch also has the issue, since the code is nearly the same.

How reproducible:
Always

Steps to Reproduce:
1. Install ipa-server-trust-ad and run ipa-adtrust-install --setsids, and then register to run the sidgen task.
After that, create a share with "net conf setparm" with:

[Share]
path = /data
read only = no

2. Connect to the share with a user from the IPA domain.
3. Begin copying a large amount of files, such as a Git repository, and examine the IPA server CPU usage by ns-slapd.
4. Run "net conf setparm global 'log level' 10" and examine log.workstation for lines containing "ldap_search" - there are many.

Actual results:
Extremely slow performance and excessive CPU usage

Expected results:
Regular samba file share performance (it's never great) and low CPU usage, very low CPU usage

Additional info:
Patches attached - I apologise, but I don't have the logs anymore :X I overwrote them with new ones that are fine

Comment 2 Alexander Bokovoy 2014-03-09 20:02:06 UTC
A few comments:

1. You don't need to manipulate 'struct unixid' directly, we have unixid_from_*() for that.

2. However, we have to know 'struct unixid' to allocate it because not all methods where we need it get 'struct unixid *' passed from the Samba side. This means librpc/gen_ndr/idmap.h needs to be packaged by the samba package instead of copy-pasting the generated header.

3. source3/lib/idmap_cache.h is a different story since it is internal code available within smbd and winbindd binaries (not libsmbconf as you mention). This interface is actually required for implementing external PASSDB modules so I need to check what could be done here.

Finally, calling idmap_cache_*() seems to be correct as the ldapsam module does it too. We rely on SSSD idmap cache priming but it is obviously not enough for cases like file copying.

Andreas, do you think we can package idmap_cache.h and idmap.h in next samba4 package release?

Comment 3 Jason Woods 2014-03-09 20:51:12 UTC
Hi Alexander,

Thanks for the comments.

I just wonder about 3 though, as when I run readelf on libsmbconf.so.0 I get the following (this is with ipa-3.0.0-37 on RHEL 6.5):

[root@server lib64]# readelf -a libsmbconf.so.0 | grep -E idmap_cache_set_\|escape_ldap_string
000000273838  046700000007 R_X86_64_JUMP_SLO 000000000003eaa0 idmap_cache_set_sid2un + 0
  1059: 000000000003d770   316 FUNC    GLOBAL DEFAULT   12 escape_ldap_string@@SMBCONF_0
  1127: 000000000003eaa0   669 FUNC    GLOBAL DEFAULT   12 idmap_cache_set_sid2unixi@@SMBCONF_0
  1199: 000000000003f600    76 FUNC    GLOBAL DEFAULT   12 idmap_cache_set_sid2gid@@SMBCONF_0
  1463: 000000000003f560    76 FUNC    GLOBAL DEFAULT   12 idmap_cache_set_sid2uid@@SMBCONF_0

Then again - I could be misreading this information - but with ipa-sam.so compiling successfully and also loading successfully into smbd, I did think it was fine, like with the other prototype declarations.

I'll leave it in your capable hands though.

Comment 4 Alexander Bokovoy 2014-03-09 22:55:06 UTC
Samba has a complex linking structure, with some libraries duplicating symbols because they are used in different environments. source3/lib/idmap_cache.c ends up in libsmbconf due to an unfortunate dependency through the 'param' subsystem which pulls in the 'samba3core' subsystem. Since neither 'samba3core' nor 'param' are real libraries (rather grouping tools for object files), libsmbconf becomes the first one to actually hold the symbols and others (libidmap from winbindd) link to it.

These dependencies need to be cleaned up as well.

Comment 5 Martin Kosek 2014-03-12 11:33:32 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4241

Comment 7 Petr Viktorin (pviktori) 2014-03-12 12:15:51 UTC
Also clearing NEEDINFO based on a conversation with Alexander.

[2014-03-12 12:26:14] <ab> pviktori: I put it in needinfo but we can clear it now
[2014-03-12 12:26:24] <ab> pviktori: we had discussion on samba meeting on Monday about that

Comment 8 Jason Woods 2014-03-19 20:33:11 UTC
Hi Guys,

I have located a bug in the patch. On line 965 I used strncmp instead of strncasecmp for matching ipNTGroupAttrs. This meant that in some cases it failed to look up the group if it was stored as ipntgroupattrs.

For me, the issue became apparent once I had added more groups, and noticed that I could not access some of the shares for those new groups. Some of the new groups were getting mapped to the fallback primary group SID.

I have attached a second patch which, when applied after the first, changes the strncmp to strncasecmp so it matches properly. I also added a check that it is actually meant to be the fallback primary group before assigning the fallback primary group.

Apologies for this.

Regards,

Jason
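A small model of the lookup path described in the bug description (per-operation LDAP searches for the user and each group, a cache for the mappings, the primary-group fallback, and the uid 0 short-circuit) together with the case-insensitive objectclass match from comment 8. This is an added example, not code from the attached patches, ipa-sam or Samba; the directory entries, SIDs, the fallback group SID and the IdMapper class are constructed for illustration, and the in-memory list stands in for LDAP so the search counter can be observed offline.

```python
import time

FALLBACK_GROUP_SID = "S-1-5-21-1-2-3-513"   # constructed fallback primary group SID

# Constructed directory entries standing in for LDAP. One group is stored with
# lowercase objectclass names, the case a case-sensitive compare missed (comment 8).
DIRECTORY = [
    {"uidNumber": 1001, "gidNumber": 1001, "objectClass": ["posixAccount"],
     "ipNTSecurityIdentifier": "S-1-5-21-1-2-3-1001"},
    {"gidNumber": 2001, "objectClass": ["posixGroup", "ipNTGroupAttrs"],
     "ipNTSecurityIdentifier": "S-1-5-21-1-2-3-2001"},
    {"gidNumber": 2002, "objectClass": ["posixgroup", "ipntgroupattrs"],
     "ipNTSecurityIdentifier": "S-1-5-21-1-2-3-2002"},
]

class IdMapper:
    # Hypothetical model of the ipa-sam uid/gid -> SID path, with or without a cache.
    def __init__(self, use_cache, ttl=300):
        self.use_cache, self.ttl = use_cache, ttl
        self.cache = {}            # ("uid"|"gid", number) -> (sid, expiry)
        self.ldap_searches = 0     # each _search() call is one LDAP round trip

    def _search(self, attr, value):
        self.ldap_searches += 1
        return [e for e in DIRECTORY if e.get(attr) == value]

    def _cached(self, key, resolve):
        hit = self.cache.get(key) if self.use_cache else None
        if hit and hit[1] > time.monotonic():
            return hit[0]
        sid = resolve()
        if self.use_cache and sid is not None:
            self.cache[key] = (sid, time.monotonic() + self.ttl)
        return sid

    def uid_to_sid(self, uid):
        if uid == 0:               # root is never in the directory: skip the search
            return None
        def resolve():
            hits = self._search("uidNumber", uid)
            return hits[0]["ipNTSecurityIdentifier"] if hits else None
        return self._cached(("uid", uid), resolve)

    def gid_to_sid(self, gid):
        def resolve():
            for e in self._search("gidNumber", gid):
                # case-insensitive objectclass match, the strncasecmp fix
                if "ipntgroupattrs" in [c.lower() for c in e.get("objectClass", [])]:
                    return e["ipNTSecurityIdentifier"]
            # no such group, but a user owns the id as a private primary group:
            # map it to the fallback group SID, as the initial logon did
            return FALLBACK_GROUP_SID if self._search("uidNumber", gid) else None
        return self._cached(("gid", gid), resolve)

    def file_op(self, uid, gids):
        # SIDs resolved for one file operation by this user: the uid plus every gid
        return [self.uid_to_sid(uid)] + [self.gid_to_sid(g) for g in gids]
```

Without the cache every file operation costs one search per id (two for the private primary group, which needs the uid fallback), so the count grows with the number of groups; with the cache only the first operation touches the directory.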

Comment 9 Jason Woods 2014-03-19 20:33:53 UTC
Created attachment 876620 [details]
patch to fix case comparison and add extra check

Comment 10 Jason Woods 2014-03-19 20:36:43 UTC
Never mind, I see in the upstream patch you already sorted that out - sorry, only just noticed :o)

Comment 11 Alexander Bokovoy 2014-03-19 20:39:37 UTC
Comment on attachment 876620 [details]
patch to fix case comparison and add extra check

Yes, I've fixed this fragment in the original patch that went upstream. Retiring this proposed patch.

Comment 12 Martin Kosek 2014-03-20 07:42:25 UTC
By the way, Jason - thanks for being vigilant :)

Comment 14 Scott Poore 2014-07-17 22:23:39 UTC
First, reproducing on RHEL 6.5:

[root@rhel6-3 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
Stopping sssd:                                             [  OK  ]
Starting sssd:                                             [  OK  ]
[root@rhel6-3 ~]# kdestroy -A ; echo Secret123 | kinit admin
Password for admin: 
[root@rhel6-3 ~]# ipa user-del bz1075132
------------------------
Deleted user "bz1075132"
------------------------
[root@rhel6-3 ~]# ipa user-add bz1075132 --first=f --last=l
----------------------
Added user "bz1075132"
----------------------
  User login: bz1075132
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/bz1075132
  GECOS field: f l
  Login shell: /bin/sh
  Kerberos principal: bz1075132
  Email address: bz1075132
  UID: 485600005
  GID: 485600005
  Password: False
  Kerberos keys available: False
[root@rhel6-3 ~]# echo -e 'redhat\nredhat' |ipa passwd bz1075132
----------------------------------------------
Changed password for "bz1075132"
----------------------------------------------
[root@rhel6-3 ~]# sleep 1
[root@rhel6-3 ~]# echo -e 'redhat\nSecret123\nSecret123'|kinit bz1075132
Password for bz1075132: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
[root@rhel6-3 ~]# BZUID=$(getent passwd bz1075132|cut -f3 -d:)
[root@rhel6-3 ~]# 
[root@rhel6-3 ~]# rm -rf /tmp/source
[root@rhel6-3 ~]# mkdir /tmp/source
[root@rhel6-3 ~]# cd /tmp/source
[root@rhel6-3 source]# cd /usr/bin
[root@rhel6-3 bin]# find . ! -type l -exec cp {} /tmp/source \;
cp: omitting directory `.'
[root@rhel6-3 bin]# chown -R bz1075132:bz1075132 /tmp/source
[root@rhel6-3 bin]# rm -rf /tmp/target
[root@rhel6-3 bin]# mkdir /tmp/target
[root@rhel6-3 bin]# chcon -t samba_share_t /tmp/target
[root@rhel6-3 bin]# chown bz1075132:bz1075132 /tmp/target
[root@rhel6-3 bin]# net conf delshare 'share'
[root@rhel6-3 bin]# net conf setparm 'share' 'comment' 'Trust test share'
[root@rhel6-3 bin]# net conf setparm 'share' 'read only' 'no'
[root@rhel6-3 bin]# net conf setparm 'share' 'path' '/tmp/target'
[root@rhel6-3 bin]# I1=$(hostname -d|sed 's/\./-/g')
[root@rhel6-3 bin]# INSTANCE=${I1^^}
[root@rhel6-3 bin]# net cache flush
[root@rhel6-3 bin]# net conf setparm global 'log level' 10
[root@rhel6-3 bin]# for i in /var/log/dirsrv/slapd-$INSTANCE/access /var/log/samba/log.*; do > $i; done
[root@rhel6-3 bin]# cd /tmp/source
[root@rhel6-3 source]# echo 'Secret123'|kinit bz1075132
Password for bz1075132: 
[root@rhel6-3 source]# echo -e 'recurse\nprompt n\nmput *'| smbclient -k //$(hostname)/share > /dev/null 2>&1
sleep 30
FILECOUNT=$(find /tmp/target|wc -l)
FILECOUNT=$(( FILECOUNT += 10 ))
LOGCOUNT1=$(grep ldap_search.*$BZUID /var/log/samba/* 2>/dev/null | wc -l)
LOGCOUNT2=$(grep SRCH.*$BZUID /var/log/dirsrv/slapd-*/access 2>/dev/null | wc -l)

echo "FILECOUNT SAMBALOG DSLOG"
echo "$FILECOUNT $LOGCOUNT1 $LOGCOUNT2"

if [ $LOGCOUNT1 -gt $FILECOUNT ]; then
    echo FAIL
else
    echo PASS
fi
[root@rhel6-3 source]# 
[root@rhel6-3 source]# sleep 30
[root@rhel6-3 source]# FILECOUNT=$(find /tmp/target|wc -l)
[root@rhel6-3 source]# FILECOUNT=$(( FILECOUNT += 10 ))
[root@rhel6-3 source]# LOGCOUNT1=$(grep ldap_search.*$BZUID /var/log/samba/* 2>/dev/null | wc -l)
[root@rhel6-3 source]# LOGCOUNT2=$(grep SRCH.*$BZUID /var/log/dirsrv/slapd-*/access 2>/dev/null | wc -l)
[root@rhel6-3 source]# 
[root@rhel6-3 source]# echo "FILECOUNT SAMBALOG DSLOG"
FILECOUNT SAMBALOG DSLOG
[root@rhel6-3 source]# echo "$FILECOUNT $LOGCOUNT1 $LOGCOUNT2"
1062 2104 2104
[root@rhel6-3 source]# 
[root@rhel6-3 source]# if [ $LOGCOUNT1 -gt $FILECOUNT ]; then
>     echo FAIL
> else
>     echo PASS
> fi
FAIL

[root@rhel6-3 source]# rpm -q ipa-server
ipa-server-3.0.0-37.el6.x86_64

Comment 15 Scott Poore 2014-07-17 22:26:45 UTC
Verified.

Version ::

ipa-server-3.0.0-42.el6.x86_64

Results ::

[root@rhel6-1 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
Stopping sssd:                                             [  OK  ]
Starting sssd:                                             [  OK  ]

[root@rhel6-1 ~]# kdestroy -A ; echo Secret123 | kinit admin
Password for admin: 

[root@rhel6-1 ~]# ipa user-del bz1075132
ipa: ERROR: bz1075132: user not found

[root@rhel6-1 ~]# ipa user-add bz1075132 --first=f --last=l
----------------------
Added user "bz1075132"
----------------------
  User login: bz1075132
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/bz1075132
  GECOS field: f l
  Login shell: /bin/sh
  Kerberos principal: bz1075132
  Email address: bz1075132
  UID: 829000007
  GID: 829000007
  Password: False
  Kerberos keys available: False

[root@rhel6-1 ~]# echo -e 'redhat\nredhat' |ipa passwd bz1075132
--------------------------------------------
Changed password for "bz1075132"
--------------------------------------------

[root@rhel6-1 ~]# echo -e 'redhat\nSecret123\nSecret123'|kinit bz1075132
Password for bz1075132: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

[root@rhel6-1 ~]# 

[root@rhel6-1 ~]# BZUID=$(getent passwd bz1075132|cut -f3 -d:)

[root@rhel6-1 ~]# echo $BZUID
829000007

[root@rhel6-1 ~]# 

[root@rhel6-1 ~]# rm -rf /tmp/source

[root@rhel6-1 ~]# mkdir /tmp/source

[root@rhel6-1 ~]# cd /tmp/source

[root@rhel6-1 source]# cd /usr/bin

[root@rhel6-1 bin]# find . ! -type l -exec cp {} /tmp/source \;
cp: omitting directory `.'

[root@rhel6-1 bin]# chown -R bz1075132:bz1075132 /tmp/source

[root@rhel6-1 bin]# 

[root@rhel6-1 bin]# rm -rf /tmp/target

[root@rhel6-1 bin]# mkdir /tmp/target

[root@rhel6-1 bin]# chcon -t samba_share_t /tmp/target

[root@rhel6-1 bin]# chown bz1075132:bz1075132 /tmp/target

[root@rhel6-1 bin]# 

[root@rhel6-1 bin]# net conf delshare 'share'
Error deleting share share: SBC_ERR_NO_SUCH_SERVICE

[root@rhel6-1 bin]# net conf setparm 'share' 'comment' 'Trust test share'

[root@rhel6-1 bin]# net conf setparm 'share' 'read only' 'no'

[root@rhel6-1 bin]# net conf setparm 'share' 'path' '/tmp/target'

[root@rhel6-1 bin]# I1=$(hostname -d|sed 's/\./-/g')

[root@rhel6-1 bin]# INSTANCE=${I1^^}

[root@rhel6-1 bin]# net cache flush

[root@rhel6-1 bin]# net conf setparm global 'log level' 10

[root@rhel6-1 bin]# for i in /var/log/dirsrv/slapd-$INSTANCE/access /var/log/samba/log.*; do > $i; done

[root@rhel6-1 bin]# cd /tmp/source

[root@rhel6-1 source]# echo 'Secret123'|kinit bz1075132
Password for bz1075132: 

[root@rhel6-1 source]# echo -e 'recurse\nprompt n\nmput *'| smbclient -k //$(hostname)/share > /dev/null 2>&1

[root@rhel6-1 source]# sleep 30

[root@rhel6-1 source]# FILECOUNT=$(find /tmp/target|wc -l)

[root@rhel6-1 source]# FILECOUNT=$(( FILECOUNT += 10 ))

[root@rhel6-1 source]# LOGCOUNT1=$(grep ldap_search.*$BZUID /var/log/samba/* 2>/dev/null | wc -l)

[root@rhel6-1 source]# LOGCOUNT2=$(grep SRCH.*$BZUID /var/log/dirsrv/slapd-*/access 2>/dev/null | wc -l)

[root@rhel6-1 source]# echo "FILECOUNT SAMBALOG DSLOG"
FILECOUNT SAMBALOG DSLOG

[root@rhel6-1 source]# echo "$FILECOUNT $LOGCOUNT1 $LOGCOUNT2"
11 0 0

[root@rhel6-1 source]# if [ $LOGCOUNT1 -gt $FILECOUNT ]; then
>     echo FAIL
> else
>     echo PASS
> fi
PASS

