Bug 1103249 – PAC responder needs much time to process large group lists

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1103249 - PAC responder needs much time to process large group lists

Summary:	PAC responder needs much time to process large group lists

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	sssd (Show other bugs)
Sub Component:
Version:	7.0
Hardware:	Unspecified Unspecified

Priority	medium Severity unspecified
Target Milestone:	rc
Target Release:	---
Assigned To:	SSSD Maintainers
QA Contact:	Steeve Goveas
Docs Contact:

URL:
Whiteboard:
Keywords:

Duplicates:	1205926 (view as bug list)
Depends On:
Blocks:	1172231 1205926
	Show dependency tree / graph

Reported:	2014-05-30 10:25 EDT by Jakub Hrozek
Modified:	2016-11-04 03:10 EDT (History)
CC List:	13 users (show)

See Also:
Fixed In Version:	sssd-1.14.0-0.2.beta1.el7
Doc Type:	Bug Fix
Doc Text:	Under certain circumstances, the algorithm in the Privilege Attribute Certificate (PAC) responder component of the System Security Services Daemon (SSSD) does not effectively handle users who are members of a large number of groups. As a consequence, logging from Windows clients to Red Hat Enterprise Linux clients with Kerberos single sign-on (SSO) can be noticeably slow. There is currently no known workaround available.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2016-11-04 03:10:37 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
console output (17.46 KB, text/plain) 2016-09-22 09:53 EDT, Varun Mylaraiah	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHEA-2016:2476	normal	SHIPPED_LIVE	sssd bug fix and enhancement update	2016-11-03 10:08:11 EDT

Groups: None (edit)

Description Jakub Hrozek 2014-05-30 10:25:02 EDT

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2158

For example, when AD user is part of 500 groups

Comment 4 Jakub Hrozek 2016-02-22 16:19:00 EST

*** Bug 1205926 has been marked as a duplicate of this bug. ***

Comment 5 Jakub Hrozek 2016-04-13 05:15:33 EDT

* d0d7de66c9494621c1bc12384e41e5e38a77fbeb
* c371993cce13edb9185a5f0db76fbee03f0edc04
* 1df6751f81f7d9c225463f76b9789b0cc7a0de8b
* aa0f39c7c09a55efc8d2282ca56e0e93e220aeba
* 63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4
* 28f336bdb32db0b89cb98174a3f8e308e4e928db
* 7cf0f78d832c7a09b59ee9f91cedc427c0253cd4
* cce3e8526176ce2fe9baa5bda1bb457b996b7bcf

Comment 7 Jatin Nansi 2016-08-11 23:12:34 EDT

Hello Jakub,

We have a customer running RHEL-7.2 who might benefit from this fix, can we get a test package incorporating this fix?

Thank you,
Jatin

Comment 10 Varun Mylaraiah 2016-09-22 09:52:09 EDT

Verified
ipa-client-4.4.0-7.el7.x86_64
sssd-1.14.0-15.el7.x86_64

Now response is much faster to process large group lists compare to 7.2(sssd-1.13.0-40.el7.x86_64) 
Please find the attached file which contains console output.

######## On 7.3 Client ###########

# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service

[root@host128 ~]# date; ssh -l aduser99@adtest2.qe master72.testrelm.test
Thu Sep 22 19:10:14 IST 2016
Password: 
Last login: Thu Sep 22 19:05:13 2016 from dhcp35-128.lab.eng.blr.redhat.com
-sh-4.2$ logout
Connection to master72.testrelm.test closed.

[root@host128 ~]# date
Thu Sep 22 19:10:31 IST 2016

[root@host128 ~]# rpm -qa ipa-client sssd
ipa-client-4.4.0-7.el7.x86_64
sssd-1.14.0-15.el7.x86_64


######## On 7.2 Client ###########
root@client72 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service

[root@client72 ~]# date
Thu Sep 22 09:08:34 EDT 2016

[root@client72 ~]# ssh -l aduser99@adtest2.qe master72.testrelm.test
Password: 
Last login: Thu Sep 22 16:55:47 2016 from auto-hv-01-guest06.idmqe.lab.eng.bos.redhat.com
-sh-4.2$ 
-sh-4.2$ logout
Connection to master72.testrelm.test closed.

[root@client72 ~]# date
Thu Sep 22 09:11:00 EDT 2016

[root@client72 ~]# rpm -qa ipa-client sssd
ipa-client-4.2.0-15.el7.x86_64
sssd-1.13.0-40.el7.x86_64

Comment 11 Varun Mylaraiah 2016-09-22 09:53 EDT

Created attachment 1203769 [details]
console output

Comment 13 errata-xmlrpc 2016-11-04 03:10:37 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2476.html

Note You need to log in before you can comment on or make changes to this bug.