Bug 1302349 - accounts-daemon makes sssd perform excessive LDAP queries
Summary: accounts-daemon makes sssd perform excessive LDAP queries
Keywords:
Status: CLOSED DUPLICATE of bug 1220904
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: accountsservice
Version: 7.2
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Ray Strode [halfline]
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-01-27 14:53 UTC by Jonathan Billings
Modified: 2016-10-21 14:48 UTC (History)

Fixed In Version: accountsservice-0.6.35-10.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-10-21 14:48:43 UTC
Target Upstream Version:
Embargoed:



Description Jonathan Billings 2016-01-27 14:53:14 UTC
Description of problem:
Our RHEL7.2 workstations are configured to use LDAP for account information.  We provide workstations in computing labs for over ten thousand students.  We have GDM configured to not show a user list, yet when GDM starts, or when a user tries to log in, accounts-daemon asks sssd to look up information for every user who has logged into the system since the 'wtmp' file has been rotated (which is every month, by default).  This might be OK if the passwd information was local, but we have systems that get a wide range of users and have caused enough traffic that our LDAP admins have complained.

I also see accounts-daemon performing these queries while the user is logged in, I believe when making changes to their gnome session properties.

I'm seeing the same behavior for lightdm (from EPEL) as well as SSH logins.

The only solution I can think of is to rotate the wtmp files daily.

Version-Release number of selected component (if applicable):
accountsservice-0.6.35-9.el7.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Set up SSSD to talk to an LDAP system
2. Run '/usr/libexec/accounts-daemon --debug' so you can watch the queries
3. Log into system

Actual results:
You will see output that looks like this:


(accounts-daemon:39483): DEBUG: user <USERNAME> has 1 groups
(accounts-daemon:39483): DEBUG: loaded user: <USERNAME>


for every <USERNAME> in the output of 'last'.  At least twice for every login, once when the login screen comes up, and once when the user enters their username and then switches to the password field.

Expected results:
accounts-daemon shouldn't be querying every logged-in user every time.

Additional info:

Comment 2 Ray Strode [halfline] 2016-02-09 20:24:09 UTC
I guess one thing we could do is ignore wtmp entries that are from ssh sessions.  We also should probably avoid enumerating all users if the userlist is disabled.

Comment 3 Ray Strode [halfline] 2016-06-30 19:59:08 UTC
This got fixed automatically as a side effect of fixing bug 1220904

Comment 4 Zane Zak 2016-10-20 21:13:47 UTC
Nearly the exact same scenario for the computer labs I host.
Red Hat Enterprise 7.2.

NSLCD for user account information.
Kerberos for authentication.


Logging in graphically or via SSH causes a huge number of LDAP requests to be sent off. 

Running NSLCD in debug mode shows that the process generating all the requests is accounts-daemon

accounts-daemon seems to be reading all users from wtmp and requesting info on each one, which in turn gets handed to NSLCD, which does hundreds of queries.

The only solution that I've been able to come up with is cycling the wtmp logs daily so as to limit the number of users that accounts-daemon looks up.

Comment 5 Ray Strode [halfline] 2016-10-21 14:48:43 UTC
Hi,

This issue should be addressed in the next synchronous update of Red Hat Enterprise Linux 7.

This is really a duplicate of bug 1220904, so I'm going to mark it as such.

*** This bug has been marked as a duplicate of bug 1220904 ***
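
Added example, not part of the original bug report or of accountsservice: a Python script that quantifies the behaviour described above from a captured '/usr/libexec/accounts-daemon --debug' log and the output of 'last'. The "loaded user" line format is the one quoted in the description; the sample lines, the user names and the helper function names are constructed for illustration.

```python
import re
from collections import Counter

# Line format as quoted in the bug description.
LOADED_RE = re.compile(r"^\(accounts-daemon:\d+\): DEBUG: loaded user: (\S+)$")

# Constructed sample: debug output captured around one login by "alice".
SAMPLE_DEBUG = """\
(accounts-daemon:39483): DEBUG: user alice has 1 groups
(accounts-daemon:39483): DEBUG: loaded user: alice
(accounts-daemon:39483): DEBUG: user bob has 1 groups
(accounts-daemon:39483): DEBUG: loaded user: bob
(accounts-daemon:39483): DEBUG: user carol has 1 groups
(accounts-daemon:39483): DEBUG: loaded user: carol
(accounts-daemon:39483): DEBUG: loaded user: alice
(accounts-daemon:39483): DEBUG: loaded user: bob
(accounts-daemon:39483): DEBUG: loaded user: carol
""".splitlines()

# Constructed sample of `last -w` output (-w avoids truncated user names).
SAMPLE_LAST = """\
alice    pts/0        10.0.0.5         Tue Jan 26 09:12 - 10:01  (00:48)
bob      :0           :0               Mon Jan 25 14:30 - 15:02  (00:32)
carol    pts/1        10.0.0.9         Mon Jan 25 11:00 - 11:20  (00:20)
reboot   system boot  3.10.0-327.el7   Mon Jan 25 08:00 - 10:01 (1+02:01)

wtmp begins Mon Jan  4 08:00:13 2016
""".splitlines()

def count_user_loads(debug_lines):
    """Count 'loaded user' lines per user name."""
    loads = Counter()
    for line in debug_lines:
        m = LOADED_RE.match(line.strip())
        if m:
            loads[m.group(1)] += 1
    return loads

def wtmp_users(last_lines):
    """Distinct login names in `last` output, skipping pseudo-entries and the footer."""
    names = (line.split()[0] for line in last_lines if line.split())
    return {n for n in names if n not in ("reboot", "shutdown", "runlevel", "wtmp")}

def summarize(debug_lines, last_lines, logging_in):
    """Lookups triggered for users other than the one actually logging in."""
    loads = count_user_loads(debug_lines)
    others = {u: n for u, n in loads.items() if u != logging_in}
    return {"total_loads": sum(loads.values()),
            "unrelated_loads": sum(others.values()),
            "unrelated_from_wtmp": sorted(set(others) & wtmp_users(last_lines))}

if __name__ == "__main__":
    print(summarize(SAMPLE_DEBUG, SAMPLE_LAST, "alice"))
```

Run against real captures taken before and after updating the package, a drop of "unrelated_loads" to zero shows that a login no longer triggers directory lookups for other users recorded in wtmp.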

