1127270 – sssd connect to ipa-server is long

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1127270 - sssd connect to ipa-server is long

Summary: sssd connect to ipa-server is long

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	6.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Jakub Hrozek
QA Contact:	Kaushik Banerjee
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-08-06 13:53 UTC by David Spurek
Modified:	2020-05-02 17:47 UTC (History)
CC List:	11 users (show)
Fixed In Version:	sssd-1.11.6-27.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-10-14 04:49:22 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
ldap_child.log (22.98 KB, text/x-log) 2014-08-07 08:26 UTC, David Spurek	no flags	Details
ldap.log for KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI (83.19 KB, text/x-log) 2014-08-07 08:28 UTC, David Spurek	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 3452	0	None	None	None	2020-05-02 17:47:18 UTC
Red Hat Product Errata	RHBA-2014:1375	0	normal	SHIPPED_LIVE	sssd bug fix and enhancement update	2014-10-14 01:06:25 UTC

Description David Spurek 2014-08-06 13:53:52 UTC

Description of problem:
sssd connect to ipa-server is long. I can switch to user from ipa server (su - <ipa_user>)after 1 minute for example.

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-42.el6
sssd-1.11.6-12.el6

How reproducible:
always

Steps to Reproduce:
1.install ipa-server; add user to ipa-server
2.server sssd stop
3.rm -rf /var/lib/sss/db/*
4.service sssd start
5.su - <ipa_user>

Actual results:
I can switch after long, for example 1 minute

Expected results:
I can switch immediately after sssd start

Additional info:

Comment 4 Jakub Hrozek 2014-08-06 16:22:37 UTC

Please attach all logs, especially ldap_child.log with debug_level=10 and also output of ldapsearch using -Y GSSAPI with KRB5_TRACE=/dev/stderr

Comment 5 Jakub Hrozek 2014-08-06 16:24:18 UTC

By the way there is no reason to use sudo_provider=ldap in 6.6, you should use sudo_provider=ipa (which would re-use existing connection).

And lastly -- because you set the Regression keyword, please make sure that simple downgrading to the 6.5 packages *on the same host, using the same keytab* makes the problem go away.

Comment 6 David Spurek 2014-08-07 08:25:07 UTC

Thanks, I know that sudo_provider=ipa is supported in rhel 6.6 but some customers may use old setup and only update sssd. Then they will hit this issue.

I try downgrade to sssd-1.9.2-129.el6 and it works fine, immediately connects to ipa-server.

Comment 7 David Spurek 2014-08-07 08:26:00 UTC

Created attachment 924785 [details]
ldap_child.log

ldap_child.log with debug_level=10

Comment 8 David Spurek 2014-08-07 08:28:55 UTC

Created attachment 924787 [details]
ldap.log for KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI

Comment 11 Pavel Březina 2014-08-18 16:55:46 UTC

The problem is a race condition between initial sudo full refresh and subdomains refresh task. David has sudo configured with ldap provider and the rest uses ipa (i.e. pre 1.9 sudo configuration).

Sudo full refresh tries to acquire TGT but before it finish subdomains refresh invokes the same operation. The first one finishes successfully but the second one will fail with "Failed to init ccache: Internal credentials cache error" since the credentials cache is just being initialized. Thus the provider goes offline which creates the 60 seconds delay.

There is no problem with improved 1.11 configuration but we need to fix it.

Comment 12 Jakub Hrozek 2014-08-19 09:25:28 UTC

(In reply to Pavel Březina from comment #11)
> There is no problem with improved 1.11 configuration but we need to fix it.

OK, I'll clone upstream. Please take the ticket upstream if you have an idea on solving this.

Comment 13 Jakub Hrozek 2014-08-19 09:27:09 UTC

Upstream ticket:
https://fedorahosted.org/sssd/ticket/2410

Comment 14 Jakub Hrozek 2014-08-26 14:57:04 UTC

* master
     * 5c075562ac687f7102c7c940fec2e82da378bfff
     * ad9d65039fd15a9b63b5772c0c4cdc29ffac93fa 
* sssd-1-11:
     * 1cd03a904769a23c624abcfc6916f767f993d60d
     * 485c915767f060c577f181a21f02991f5e7b190f

Comment 16 Namita Soman 2014-09-11 15:38:48 UTC

Taking steps as below using 
sssd-1.11.6-28.el6.x86_64
ipa-server-3.0.0-42.el6.x86_64


Installed ipa server then followed commands below - based on test script mentioned in comment 10:
# kinit admin
Password for admin: 

# ipa hostgroup-add --desc="test hostgroup 1" hostgrp1
--------------------------
Added hostgroup "hostgrp1"
--------------------------
  Host-group: hostgrp1
  Description: test hostgroup 1

# ipa hostgroup-add-member --hosts=idm-qe-03.testrelm.test hostgrp1
  Host-group: hostgrp1
  Description: test hostgroup 1
  Member hosts: idm-qe-03.testrelm.test
-------------------------
Number of members added 1
-------------------------

# ipa sudorule-add sudorule1
---------------------------
Added Sudo Rule "sudorule1"
---------------------------
  Rule name: sudorule1
  Enabled: TRUE

# ipa user-add --first=test --last=user2 --cn=tuser2 --email=tuser2 --random tuser2
-------------------
Added user "tuser2"
-------------------
  User login: tuser2
  First name: test
  Last name: user2
  Full name: tuser2
  Display name: test user2
  Initials: tu
  Home directory: /home/tuser2
  GECOS field: test user2
  Login shell: /bin/sh
  Kerberos principal: tuser2
  Email address: tuser2
  Random password: niY8WJ1s2U5g
  UID: 609800001
  GID: 609800001
  Password: True
  Kerberos keys available: True

# ipa sudorule-add-user --users=tuser2 sudorule1
  Rule name: sudorule1
  Enabled: TRUE
  Users: tuser2
-------------------------
Number of members added 1
-------------------------

# ipa sudorule-add-host --hostgroups=hostgrp1 sudorule1
  Rule name: sudorule1
  Enabled: TRUE
  Users: tuser2
  Host Groups: hostgrp1
-------------------------
Number of members added 1
-------------------------
[root@idm-qe-03 ~]# ipa sudocmd-add "/bin/date"
------------------------------
Added Sudo Command "/bin/date"
------------------------------
  Sudo Command: /bin/date

# ipa sudorule-add-allow-command sudorule1 --sudocmds="/bin/date"
  Rule name: sudorule1
  Enabled: TRUE
  Users: tuser2
  Host Groups: hostgrp1
  Sudo Allow Commands: /bin/date
-------------------------
Number of members added 1
-------------------------

# ipa hostgroup-show hostgrp1
  Host-group: hostgrp1
  Description: test hostgroup 1
  Member hosts: idm-qe-03.testrelm.test
  Member of Sudo rule: sudorule1

# ipa sudorule-show sudorule1
  Rule name: sudorule1
  Enabled: TRUE
  Users: tuser2
  Host Groups: hostgrp1
  Sudo Allow Commands: /bin/date

# getent netgroup hostgrp1
hostgrp1              (idm-qe-03.testrelm.test,-,testrelm.test)

Updated sssd.con as in:
# cat /etc/sssd/sssd.conf
[domain/testrelm.test]
ldap_sudo_search_base = ou=sudoers,dc=testrelm,dc=test
ldap_sasl_realm = TESTRELM.TEST
krb5_server = idm-qe-03.testrelm.test 
ldap_sasl_authid = host/idm-qe-03.testrelm.test
ldap_sasl_mech = GSSAPI
ldap_uri = ldap://idm-qe-03.testrelm.test
sudo_provider = ldap

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = testrelm.test
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = idm-qe-03.testrelm.test
chpass_provider = ipa
ipa_server = idm-qe-03.testrelm.test
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2

domains = testrelm.test
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]


# rpm -q mod_ssl
package mod_ssl is not installed

# service sssd restart
Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]

# cat /etc/nsswitch.conf| grep sudoers
sudoers: files sss

# service sssd stop
Stopping sssd: [  OK  ]

# rm -rf /var/lib/sss/db/*

# service sssd start
Starting sssd: [  OK  ]

# su - tuser2
su: warning: cannot change directory to /home/tuser2: No such file or directory
-sh-4.1$ 

And switched to ipa user - tuser2 - promptly - with no delay.

Pavel, would like to see if this verifies the bz?

Comment 19 Namita Soman 2014-09-12 10:30:58 UTC

Confirmed with David that the steps are right. he indicated there was a race condition which was caused by using ldap provider for sudo and ipa provider for the rest. Desribed use case worked in rhel 6.5, you have to use sssd 1.11 without the patch for this bug (for example sssd-1.11.6-12.el6).

Not seeing the race condition in current build - so marking verified.

Comment 20 errata-xmlrpc 2014-10-14 04:49:22 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1375.html

Note You need to log in before you can comment on or make changes to this bug.