Bug 1103249 - PAC responder needs much time to process large group lists
Summary: PAC responder needs much time to process large group lists
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: ---
Assignee: SSSD Maintainers
QA Contact: Steeve Goveas
URL:
Whiteboard:
Keywords:
: 1205926 (view as bug list)
Depends On:
Blocks: 1172231 1205926
TreeView+ depends on / blocked
 
Reported: 2014-05-30 14:25 UTC by Jakub Hrozek
Modified: 2019-07-11 08:51 UTC (History)
13 users (show)

(edit)
Under certain circumstances, the algorithm in the Privilege Attribute Certificate (PAC) responder component of the System Security Services Daemon (SSSD) does not effectively handle users who are members of a large number of groups. As a consequence, logging from Windows clients to Red Hat Enterprise Linux clients with Kerberos single sign-on (SSO) can be noticeably slow. There is currently no known workaround available.
Clone Of:
(edit)
Last Closed: 2016-11-04 07:10:37 UTC


Attachments (Terms of Use)
console output (17.46 KB, text/plain)
2016-09-22 13:53 UTC, Varun Mylaraiah
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:2476 normal SHIPPED_LIVE sssd bug fix and enhancement update 2016-11-03 14:08:11 UTC

Description Jakub Hrozek 2014-05-30 14:25:02 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2158

For example, when AD user is part of 500 groups

Comment 4 Jakub Hrozek 2016-02-22 21:19:00 UTC
*** Bug 1205926 has been marked as a duplicate of this bug. ***

Comment 5 Jakub Hrozek 2016-04-13 09:15:33 UTC
* d0d7de66c9494621c1bc12384e41e5e38a77fbeb
* c371993cce13edb9185a5f0db76fbee03f0edc04
* 1df6751f81f7d9c225463f76b9789b0cc7a0de8b
* aa0f39c7c09a55efc8d2282ca56e0e93e220aeba
* 63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4
* 28f336bdb32db0b89cb98174a3f8e308e4e928db
* 7cf0f78d832c7a09b59ee9f91cedc427c0253cd4
* cce3e8526176ce2fe9baa5bda1bb457b996b7bcf

Comment 7 Jatin Nansi 2016-08-12 03:12:34 UTC
Hello Jakub,

We have a customer running RHEL-7.2 who might benefit from this fix, can we get a test package incorporating this fix?

Thank you,
Jatin

Comment 10 Varun Mylaraiah 2016-09-22 13:52:09 UTC
Verified
ipa-client-4.4.0-7.el7.x86_64
sssd-1.14.0-15.el7.x86_64

Now response is much faster to process large group lists compare to 7.2(sssd-1.13.0-40.el7.x86_64) 
Please find the attached file which contains console output.

######## On 7.3 Client ###########

# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service

[root@host128 ~]# date; ssh -l aduser99@adtest2.qe master72.testrelm.test
Thu Sep 22 19:10:14 IST 2016
Password: 
Last login: Thu Sep 22 19:05:13 2016 from dhcp35-128.lab.eng.blr.redhat.com
-sh-4.2$ logout
Connection to master72.testrelm.test closed.

[root@host128 ~]# date
Thu Sep 22 19:10:31 IST 2016

[root@host128 ~]# rpm -qa ipa-client sssd
ipa-client-4.4.0-7.el7.x86_64
sssd-1.14.0-15.el7.x86_64


######## On 7.2 Client ###########
root@client72 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service

[root@client72 ~]# date
Thu Sep 22 09:08:34 EDT 2016

[root@client72 ~]# ssh -l aduser99@adtest2.qe master72.testrelm.test
Password: 
Last login: Thu Sep 22 16:55:47 2016 from auto-hv-01-guest06.idmqe.lab.eng.bos.redhat.com
-sh-4.2$ 
-sh-4.2$ logout
Connection to master72.testrelm.test closed.

[root@client72 ~]# date
Thu Sep 22 09:11:00 EDT 2016

[root@client72 ~]# rpm -qa ipa-client sssd
ipa-client-4.2.0-15.el7.x86_64
sssd-1.13.0-40.el7.x86_64

Comment 11 Varun Mylaraiah 2016-09-22 13:53 UTC
Created attachment 1203769 [details]
console output

Comment 13 errata-xmlrpc 2016-11-04 07:10:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2476.html


Note You need to log in before you can comment on or make changes to this bug.