Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 1103249 - PAC responder needs much time to process large group lists
PAC responder needs much time to process large group lists
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd (Show other bugs)
7.0
Unspecified Unspecified
medium Severity unspecified
: rc
: ---
Assigned To: SSSD Maintainers
Steeve Goveas
:
: 1205926 (view as bug list)
Depends On:
Blocks: 1172231 1205926
  Show dependency treegraph
 
Reported: 2014-05-30 10:25 EDT by Jakub Hrozek
Modified: 2016-11-04 03:10 EDT (History)
13 users (show)

See Also:
Fixed In Version: sssd-1.14.0-0.2.beta1.el7
Doc Type: Bug Fix
Doc Text:
Under certain circumstances, the algorithm in the Privilege Attribute Certificate (PAC) responder component of the System Security Services Daemon (SSSD) does not effectively handle users who are members of a large number of groups. As a consequence, logging from Windows clients to Red Hat Enterprise Linux clients with Kerberos single sign-on (SSO) can be noticeably slow. There is currently no known workaround available.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-04 03:10:37 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
console output (17.46 KB, text/plain)
2016-09-22 09:53 EDT, Varun Mylaraiah
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:2476 normal SHIPPED_LIVE sssd bug fix and enhancement update 2016-11-03 10:08:11 EDT

  None (edit)
Description Jakub Hrozek 2014-05-30 10:25:02 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2158

For example, when AD user is part of 500 groups
Comment 4 Jakub Hrozek 2016-02-22 16:19:00 EST
*** Bug 1205926 has been marked as a duplicate of this bug. ***
Comment 5 Jakub Hrozek 2016-04-13 05:15:33 EDT
* d0d7de66c9494621c1bc12384e41e5e38a77fbeb
* c371993cce13edb9185a5f0db76fbee03f0edc04
* 1df6751f81f7d9c225463f76b9789b0cc7a0de8b
* aa0f39c7c09a55efc8d2282ca56e0e93e220aeba
* 63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4
* 28f336bdb32db0b89cb98174a3f8e308e4e928db
* 7cf0f78d832c7a09b59ee9f91cedc427c0253cd4
* cce3e8526176ce2fe9baa5bda1bb457b996b7bcf
Comment 7 Jatin Nansi 2016-08-11 23:12:34 EDT
Hello Jakub,

We have a customer running RHEL-7.2 who might benefit from this fix, can we get a test package incorporating this fix?

Thank you,
Jatin
Comment 10 Varun Mylaraiah 2016-09-22 09:52:09 EDT
Verified
ipa-client-4.4.0-7.el7.x86_64
sssd-1.14.0-15.el7.x86_64

Now response is much faster to process large group lists compare to 7.2(sssd-1.13.0-40.el7.x86_64) 
Please find the attached file which contains console output.

######## On 7.3 Client ###########

# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service

[root@host128 ~]# date; ssh -l aduser99@adtest2.qe master72.testrelm.test
Thu Sep 22 19:10:14 IST 2016
Password: 
Last login: Thu Sep 22 19:05:13 2016 from dhcp35-128.lab.eng.blr.redhat.com
-sh-4.2$ logout
Connection to master72.testrelm.test closed.

[root@host128 ~]# date
Thu Sep 22 19:10:31 IST 2016

[root@host128 ~]# rpm -qa ipa-client sssd
ipa-client-4.4.0-7.el7.x86_64
sssd-1.14.0-15.el7.x86_64


######## On 7.2 Client ###########
root@client72 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service

[root@client72 ~]# date
Thu Sep 22 09:08:34 EDT 2016

[root@client72 ~]# ssh -l aduser99@adtest2.qe master72.testrelm.test
Password: 
Last login: Thu Sep 22 16:55:47 2016 from auto-hv-01-guest06.idmqe.lab.eng.bos.redhat.com
-sh-4.2$ 
-sh-4.2$ logout
Connection to master72.testrelm.test closed.

[root@client72 ~]# date
Thu Sep 22 09:11:00 EDT 2016

[root@client72 ~]# rpm -qa ipa-client sssd
ipa-client-4.2.0-15.el7.x86_64
sssd-1.13.0-40.el7.x86_64
Comment 11 Varun Mylaraiah 2016-09-22 09:53 EDT
Created attachment 1203769 [details]
console output
Comment 13 errata-xmlrpc 2016-11-04 03:10:37 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2476.html

Note You need to log in before you can comment on or make changes to this bug.