Bug 1103249 - PAC responder needs much time to process large group lists
Summary: PAC responder needs much time to process large group lists
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd   
(Show other bugs)
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: SSSD Maintainers
QA Contact: Steeve Goveas
: 1205926 (view as bug list)
Depends On:
Blocks: 1172231 1205926
TreeView+ depends on / blocked
Reported: 2014-05-30 14:25 UTC by Jakub Hrozek
Modified: 2016-11-04 07:10 UTC (History)
13 users (show)

Fixed In Version: sssd-1.14.0-0.2.beta1.el7
Doc Type: Bug Fix
Doc Text:
Under certain circumstances, the algorithm in the Privilege Attribute Certificate (PAC) responder component of the System Security Services Daemon (SSSD) does not effectively handle users who are members of a large number of groups. As a consequence, logging from Windows clients to Red Hat Enterprise Linux clients with Kerberos single sign-on (SSO) can be noticeably slow. There is currently no known workaround available.
Story Points: ---
Clone Of:
Last Closed: 2016-11-04 07:10:37 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
console output (17.46 KB, text/plain)
2016-09-22 13:53 UTC, Varun Mylaraiah
no flags Details

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:2476 normal SHIPPED_LIVE sssd bug fix and enhancement update 2016-11-03 14:08:11 UTC

Description Jakub Hrozek 2014-05-30 14:25:02 UTC
This bug is created as a clone of upstream ticket:

For example, when AD user is part of 500 groups

Comment 4 Jakub Hrozek 2016-02-22 21:19:00 UTC
*** Bug 1205926 has been marked as a duplicate of this bug. ***

Comment 5 Jakub Hrozek 2016-04-13 09:15:33 UTC
* d0d7de66c9494621c1bc12384e41e5e38a77fbeb
* c371993cce13edb9185a5f0db76fbee03f0edc04
* 1df6751f81f7d9c225463f76b9789b0cc7a0de8b
* aa0f39c7c09a55efc8d2282ca56e0e93e220aeba
* 63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4
* 28f336bdb32db0b89cb98174a3f8e308e4e928db
* 7cf0f78d832c7a09b59ee9f91cedc427c0253cd4
* cce3e8526176ce2fe9baa5bda1bb457b996b7bcf

Comment 7 Jatin Nansi 2016-08-12 03:12:34 UTC
Hello Jakub,

We have a customer running RHEL-7.2 who might benefit from this fix, can we get a test package incorporating this fix?

Thank you,

Comment 10 Varun Mylaraiah 2016-09-22 13:52:09 UTC

Now response is much faster to process large group lists compare to 7.2(sssd-1.13.0-40.el7.x86_64) 
Please find the attached file which contains console output.

######## On 7.3 Client ###########

# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service

[root@host128 ~]# date; ssh -l aduser99@adtest2.qe master72.testrelm.test
Thu Sep 22 19:10:14 IST 2016
Last login: Thu Sep 22 19:05:13 2016 from dhcp35-128.lab.eng.blr.redhat.com
-sh-4.2$ logout
Connection to master72.testrelm.test closed.

[root@host128 ~]# date
Thu Sep 22 19:10:31 IST 2016

[root@host128 ~]# rpm -qa ipa-client sssd

######## On 7.2 Client ###########
root@client72 ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service

[root@client72 ~]# date
Thu Sep 22 09:08:34 EDT 2016

[root@client72 ~]# ssh -l aduser99@adtest2.qe master72.testrelm.test
Last login: Thu Sep 22 16:55:47 2016 from auto-hv-01-guest06.idmqe.lab.eng.bos.redhat.com
-sh-4.2$ logout
Connection to master72.testrelm.test closed.

[root@client72 ~]# date
Thu Sep 22 09:11:00 EDT 2016

[root@client72 ~]# rpm -qa ipa-client sssd

Comment 11 Varun Mylaraiah 2016-09-22 13:53 UTC
Created attachment 1203769 [details]
console output

Comment 13 errata-xmlrpc 2016-11-04 07:10:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.