Description of problem:
Our RHEL7.2 workstations are configured to use LDAP for account information. We provide workstations in computing labs for over ten thousand students. We have GDM configured to not show a user list, yet when GDM starts, or when a user tries to log in, accounts-daemon asks sssd to look up information for every user who has logged into the system since the 'wtmp' file has been rotated (which is every month, by default). This might be OK if the passwd information was local, but we have systems that get a wide range of users and have caused enough traffic that our LDAP admins have complained. I also see accounts-daemon performing these queries while the user is logged in, I believe when making changes to their gnome session properties. I'm seeing the same behavior for lightdm (from EPEL) as well as SSH logins. The only solution I can think of is to rotate the wtmp files daily.

Version-Release number of selected component (if applicable):
accountsservice-0.6.35-9.el7.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Set up SSSD to talk to an LDAP system
2. Run '/usr/libexec/accounts-daemon --debug' so you can watch the queries
3. Log into system

Actual results:
You will see output that looks like this:

(accounts-daemon:39483): DEBUG: user <USERNAME> has 1 groups
(accounts-daemon:39483): DEBUG: loaded user: <USERNAME>

for every <USERNAME> in the output of 'last'. At least twice for every login, once when the login screen comes up, and once when the user enters their username and then switches to the password field.

Expected results:
accounts-daemon shouldn't be querying every logged-in user every time.

Additional info:
I guess one thing we could do is ignore wtmp entries that are from ssh sessions. We also should probably avoid enumerating all users if the userlist is disabled.
This got fixed automatically as a side effect of fixing bug 1220904
Nearly the exact same scenario for the computer labs I host. Red Hat Enterprise 7.2. NSLCD for user account information. Kerberos for authentication. Logging in graphically or via SSH causes a huge number of LDAP requests to be sent off. Running NSLCD in debug mode shows that the process generating all the requests is accounts-daemon. accounts-daemon seems to be reading all users from wtmp and requesting info on each one, which in turn gets handed to NSLCD, which does hundreds of queries. The only solution that I've been able to come up with is cycling the wtmp logs daily so as to limit the number of users that accounts-daemon looks up.
Hi, This issue should be addressed in the next synchronous update of Red Hat Enterprise Linux 7. This is really a duplicate of bug 1220904, so I'm going to mark it as such. *** This bug has been marked as a duplicate of bug 1220904 ***
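
To gauge how many directory lookups a single login can trigger on an affected machine, the following added example (not part of the bug report or of accountsservice) counts the distinct login names in `last`-style output, which is the set the reports above say accounts-daemon enumerates. The function names and the sample records are constructed for illustration; the `no-pts` mode only approximates the "ignore ssh sessions" idea from the comments by skipping `pts/*` lines.

```shell
#!/bin/sh
# Added example: estimate how many distinct accounts a wtmp-driven
# enumeration would look up. All names and sample records are constructed.

# Count distinct login names in `last`-style text read from stdin.
#   $1 = "all"    -> every real login record
#   $1 = "no-pts" -> skip pts/* lines (rough stand-in for ssh sessions;
#                    terminal emulators can also create pts records)
count_wtmp_users() {
    mode=${1:-all}
    awk -v mode="$mode" '
        NF == 0                           { next }  # blank line before footer
        $1 == "wtmp" && $2 == "begins"    { next }  # footer line
        $1 == "reboot" || $1 == "shutdown" || $1 == "runlevel" { next }
        mode == "no-pts" && $2 ~ /^pts\// { next }
        { seen[$1] = 1 }
        END { n = 0; for (u in seen) n++; print n }
    '
}

# Constructed sample in the layout printed by `last` (not real data).
sample_last_output() {
cat <<'EOF'
alice    pts/0        10.0.0.5         Mon Mar  7 09:12   still logged in
bob      :0           :0               Mon Mar  7 08:55 - 09:40  (00:45)
alice    :0           :0               Fri Mar  4 14:02 - 15:10  (01:08)
carol    pts/1        10.0.0.9         Thu Mar  3 11:30 - 11:42  (00:12)
reboot   system boot  3.10.0-327.el7.x Tue Mar  1 07:00 - 09:40 (6+02:40)

wtmp begins Tue Mar  1 07:00:13 2016
EOF
}

# Demo on the constructed sample: distinct users overall, then without pts/*.
echo "all users:    $(sample_last_output | count_wtmp_users all)"
echo "without pts:  $(sample_last_output | count_wtmp_users no-pts)"
```

On a live system, pipe `last -w` (full, untruncated login names) into `count_wtmp_users` instead of the sample, before and after rotating wtmp, to see how much the workaround shrinks the lookup set.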