Bug 1127270 - sssd connect to ipa-server is long
Summary: sssd connect to ipa-server is long
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.6
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: rc
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-08-06 13:53 UTC by David Spurek
Modified: 2015-03-02 05:29 UTC (History)

Fixed In Version: sssd-1.11.6-27.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-14 04:49:22 UTC


Attachments
ldap_child.log (22.98 KB, text/x-log) - 2014-08-07 08:26 UTC, David Spurek
ldap.log for KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI (83.19 KB, text/x-log) - 2014-08-07 08:28 UTC, David Spurek


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1375 normal SHIPPED_LIVE sssd bug fix and enhancement update 2014-10-14 01:06:25 UTC

Description David Spurek 2014-08-06 13:53:52 UTC
Description of problem:
sssd takes a long time to connect to the ipa-server. I can switch to a user from the ipa server (su - <ipa_user>) only after 1 minute, for example.

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-42.el6
sssd-1.11.6-12.el6

How reproducible:
always

Steps to Reproduce:
1.install ipa-server; add user to ipa-server
2.service sssd stop
3.rm -rf /var/lib/sss/db/*
4.service sssd start
5.su - <ipa_user>

Actual results:
I can switch only after a long delay, for example 1 minute

Expected results:
I can switch immediately after sssd start

Additional info:

Comment 4 Jakub Hrozek 2014-08-06 16:22:37 UTC
Please attach all logs, especially ldap_child.log with debug_level=10 and also output of ldapsearch using -Y GSSAPI with KRB5_TRACE=/dev/stderr

Comment 5 Jakub Hrozek 2014-08-06 16:24:18 UTC
By the way there is no reason to use sudo_provider=ldap in 6.6, you should use sudo_provider=ipa (which would re-use existing connection).

And lastly -- because you set the Regression keyword, please make sure that simple downgrading to the 6.5 packages *on the same host, using the same keytab* makes the problem go away.

Comment 6 David Spurek 2014-08-07 08:25:07 UTC
Thanks, I know that sudo_provider=ipa is supported in rhel 6.6 but some customers may use old setup and only update sssd. Then they will hit this issue.

I tried downgrading to sssd-1.9.2-129.el6 and it works fine; it connects to the ipa-server immediately.

Comment 7 David Spurek 2014-08-07 08:26:00 UTC
Created attachment 924785 [details]
ldap_child.log

ldap_child.log with debug_level=10

Comment 8 David Spurek 2014-08-07 08:28:55 UTC
Created attachment 924787 [details]
ldap.log for KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI

Comment 11 Pavel Březina 2014-08-18 16:55:46 UTC
The problem is a race condition between initial sudo full refresh and subdomains refresh task. David has sudo configured with ldap provider and the rest uses ipa (i.e. pre 1.9 sudo configuration).

Sudo full refresh tries to acquire a TGT, but before it finishes the subdomains refresh invokes the same operation. The first one finishes successfully but the second one will fail with "Failed to init ccache: Internal credentials cache error" since the credentials cache is just being initialized. Thus the provider goes offline, which creates the 60-second delay.

There is no problem with improved 1.11 configuration but we need to fix it.
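An added check, not part of this bug report or of sssd itself, for the configuration layout that comment 5 advises against and comment 11 identifies as the trigger: sudo_provider = ldap inside a domain otherwise served by the ipa provider. It flags such domains and rewrites them to sudo_provider = ipa; the sample sssd.conf is constructed to mirror the one posted in this report.

```python
# Added check (not from sssd or this bug report): flag the pre-1.9 layout
# where sudo_provider = ldap is combined with id_provider = ipa in one domain.
import configparser
import re
from typing import List

# Constructed sample mirroring the verification config posted in comment 16.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = testrelm.test

[domain/testrelm.test]
ldap_sudo_search_base = ou=sudoers,dc=testrelm,dc=test
ldap_sasl_mech = GSSAPI
sudo_provider = ldap
id_provider = ipa
auth_provider = ipa
ipa_server = idm-qe-03.testrelm.test
"""


def find_mixed_sudo_domains(conf_text: str) -> List[str]:
    """Return names of [domain/...] sections that use the ldap sudo provider
    while the domain itself is served by the ipa provider."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    hits = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        idp = cp.get(section, "id_provider", fallback="").strip().lower()
        sudop = cp.get(section, "sudo_provider", fallback="").strip().lower()
        if idp == "ipa" and sudop == "ldap":
            hits.append(section[len("domain/"):])
    return hits


def rewrite_sudo_provider(conf_text: str) -> str:
    """Return the config with sudo_provider switched to ipa in every flagged
    domain; line-based so comments and all other keys are left untouched."""
    flagged = {"domain/" + d for d in find_mixed_sudo_domains(conf_text)}
    out, section = [], None
    for line in conf_text.splitlines():
        m = re.match(r"^\s*\[([^\]]+)\]\s*$", line)
        if m:
            section = m.group(1)
        elif section in flagged and re.match(r"^\s*sudo_provider\s*=", line):
            line = "sudo_provider = ipa"
        out.append(line)
    return "\n".join(out) + "\n"
```

Domains with id_provider = ipa and no sudo_provider at all are not flagged, since sudo then follows the id provider.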

Comment 12 Jakub Hrozek 2014-08-19 09:25:28 UTC
(In reply to Pavel Březina from comment #11)
> There is no problem with improved 1.11 configuration but we need to fix it.

OK, I'll clone upstream. Please take the ticket upstream if you have an idea on solving this.

Comment 13 Jakub Hrozek 2014-08-19 09:27:09 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2410

Comment 14 Jakub Hrozek 2014-08-26 14:57:04 UTC
* master
     * 5c075562ac687f7102c7c940fec2e82da378bfff
     * ad9d65039fd15a9b63b5772c0c4cdc29ffac93fa 
* sssd-1-11:
     * 1cd03a904769a23c624abcfc6916f767f993d60d
     * 485c915767f060c577f181a21f02991f5e7b190f

Comment 16 Namita Soman 2014-09-11 15:38:48 UTC
Taking steps as below using 
sssd-1.11.6-28.el6.x86_64
ipa-server-3.0.0-42.el6.x86_64


Installed ipa server then followed commands below - based on test script mentioned in comment 10:
# kinit admin
Password for admin@TESTRELM.TEST: 

# ipa hostgroup-add --desc="test hostgroup 1" hostgrp1
--------------------------
Added hostgroup "hostgrp1"
--------------------------
  Host-group: hostgrp1
  Description: test hostgroup 1

# ipa hostgroup-add-member --hosts=idm-qe-03.testrelm.test hostgrp1
  Host-group: hostgrp1
  Description: test hostgroup 1
  Member hosts: idm-qe-03.testrelm.test
-------------------------
Number of members added 1
-------------------------

# ipa sudorule-add sudorule1
---------------------------
Added Sudo Rule "sudorule1"
---------------------------
  Rule name: sudorule1
  Enabled: TRUE

# ipa user-add --first=test --last=user2 --cn=tuser2 --email=tuser2@testrelm.test --random tuser2
-------------------
Added user "tuser2"
-------------------
  User login: tuser2
  First name: test
  Last name: user2
  Full name: tuser2
  Display name: test user2
  Initials: tu
  Home directory: /home/tuser2
  GECOS field: test user2
  Login shell: /bin/sh
  Kerberos principal: tuser2@TESTRELM.TEST
  Email address: tuser2@testrelm.test
  Random password: niY8WJ1s2U5g
  UID: 609800001
  GID: 609800001
  Password: True
  Kerberos keys available: True

# ipa sudorule-add-user --users=tuser2 sudorule1
  Rule name: sudorule1
  Enabled: TRUE
  Users: tuser2
-------------------------
Number of members added 1
-------------------------

# ipa sudorule-add-host --hostgroups=hostgrp1 sudorule1
  Rule name: sudorule1
  Enabled: TRUE
  Users: tuser2
  Host Groups: hostgrp1
-------------------------
Number of members added 1
-------------------------
[root@idm-qe-03 ~]# ipa sudocmd-add "/bin/date"
------------------------------
Added Sudo Command "/bin/date"
------------------------------
  Sudo Command: /bin/date

# ipa sudorule-add-allow-command sudorule1 --sudocmds="/bin/date"
  Rule name: sudorule1
  Enabled: TRUE
  Users: tuser2
  Host Groups: hostgrp1
  Sudo Allow Commands: /bin/date
-------------------------
Number of members added 1
-------------------------

# ipa hostgroup-show hostgrp1
  Host-group: hostgrp1
  Description: test hostgroup 1
  Member hosts: idm-qe-03.testrelm.test
  Member of Sudo rule: sudorule1

# ipa sudorule-show sudorule1
  Rule name: sudorule1
  Enabled: TRUE
  Users: tuser2
  Host Groups: hostgrp1
  Sudo Allow Commands: /bin/date

# getent netgroup hostgrp1
hostgrp1              (idm-qe-03.testrelm.test,-,testrelm.test)

Updated sssd.conf as in:
# cat /etc/sssd/sssd.conf
[domain/testrelm.test]
ldap_sudo_search_base = ou=sudoers,dc=testrelm,dc=test
ldap_sasl_realm = TESTRELM.TEST
krb5_server = idm-qe-03.testrelm.test 
ldap_sasl_authid = host/idm-qe-03.testrelm.test
ldap_sasl_mech = GSSAPI
ldap_uri = ldap://idm-qe-03.testrelm.test
sudo_provider = ldap

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = testrelm.test
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = idm-qe-03.testrelm.test
chpass_provider = ipa
ipa_server = idm-qe-03.testrelm.test
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2

domains = testrelm.test
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]


# rpm -q mod_ssl
package mod_ssl is not installed

# service sssd restart
Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]

# cat /etc/nsswitch.conf| grep sudoers
sudoers: files sss

# service sssd stop
Stopping sssd: [  OK  ]

# rm -rf /var/lib/sss/db/*

# service sssd start
Starting sssd: [  OK  ]

# su - tuser2
su: warning: cannot change directory to /home/tuser2: No such file or directory
-sh-4.1$ 

And switched to ipa user - tuser2 - promptly - with no delay.

Pavel, would like to see if this verifies the bz?

Comment 19 Namita Soman 2014-09-12 10:30:58 UTC
Confirmed with David that the steps are right. He indicated there was a race condition which was caused by using the ldap provider for sudo and the ipa provider for the rest. The described use case worked in rhel 6.5; you have to use sssd 1.11 without the patch for this bug (for example sssd-1.11.6-12.el6).

Not seeing the race condition in current build - so marking verified.

Comment 20 errata-xmlrpc 2014-10-14 04:49:22 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1375.html

