Bug 1542137 - [RFE] Add systemtap probes to display ldapsearch requests and results
Summary: [RFE] Add systemtap probes to display ldapsearch requests and results
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.0
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: pre-dev-freeze
: 8.1
Assignee: Tomas Halman
QA Contact: sssd-qe
URL:
Whiteboard: sync-to-jira
Depends On: 1682305
Blocks: 1547051 1689138 1679810
TreeView+ depends on / blocked
 
Reported: 2018-02-05 16:28 UTC by afox@redhat.com
Modified: 2020-04-28 16:56 UTC (History)
11 users (show)

Fixed In Version: sssd-2.2.3-2.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-28 16:55:59 UTC
Type: Bug
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:1863 None None None 2020-04-28 16:56:22 UTC

Description afox@redhat.com 2018-02-05 16:28:32 UTC
Description of problem:
SSSD makes LDAP queries which are encrypted using kerberos/gssapi.  This means that the LDAP queries cannot easily be investgated using tcpdump or wireshark, even when the decrypt kerberos packets option is used with the host keytab file.
It would be useful for debugging purposes to see exactly what LDAP queries are being made and to which servers.  Also the results from these queries.

The existing debug output from SSSD is quite helpful in this respect, but it would be better if a small enhancement were made so that for a specific debug level ( eg 0x0400), SSSD would print out all the details of the LDAP search it is doing, ie the LDAP server IP(and port), the base dn, the scope, filter and attributes requested.  Currently the server and filter are printed on two different lines at different debug levels and there is no indication of base dn, scope or attributes used in the search.  Similarly if the raw results could be displayed (maybe use a different debug level for that in case a large number of results are returned).

This would be extremely useful in debugging what is requested by SSSD and what is returned by the AD server.  Although it is possible to turn on event log debugging on the AD servers themselves, that is not practical in a large environment where there are literally millions of requests each day and the event log would fill far too quickly to be of use.

Version-Release number of selected component (if applicable):
sssd-client-1.14.0-43.el7.x86_64

Comment 6 Jakub Hrozek 2018-02-21 16:50:35 UTC
I would say we should provides probes for e.g. systemtap so that the admin can watch the LDAP searches. I don't think debug messages are the right place.

Please see man sssd-systemtap for example of what is already supported (sorry, I don't know if RHEL already has the man page, here is a link to upstream: https://jhrozek.fedorapeople.org/sssd/1.16.0/man/sssd-systemtap.5.html)

Chances are the probes might even do what the customer wants or that the existing probes need to be adjusted, but I think it's a better way of fulfilling the request than the debug messages.

Comment 8 Lukas Slebodnik 2018-02-21 19:59:44 UTC
(In reply to Jakub Hrozek from comment #6)
> I would say we should provides probes for e.g. systemtap so that the admin
> can watch the LDAP searches. I don't think debug messages are the right
> place.
> 

+1.
It will be really handy for troubleshooting.

Comment 13 Martin Kosek 2019-03-12 13:07:36 UTC
Updating RFE title, to reflect the adjusted scope - adding systemtap probes.

Comment 19 Tomas Halman 2019-11-26 15:10:04 UTC
Upstream PR https://github.com/SSSD/sssd/pull/841

Comment 21 Amith 2020-01-23 13:37:18 UTC
Verified the bug with SSSD Version: sssd-2.2.3-11.el8.x86_64

Steps followed during verification:

1. On one terminal, execute *.stp scripts from /usr/share/sssd/systemtap/* directory.

2. After the execution of script, on another terminal run user/group lookup commands like ID / GETENT PASSWD <USER>.

See results below:
--------------------------------------------------------------------------------------------------------
Case 1: Fetch user from AD domain.

Terminal 1 : 
# sss_cache -E ; getent passwd testuser1@td1f00f7.com
testuser1@td1f00f7.com:*:1351201115:1351200513:testuser1:/home/testuser1@td1f00f7.com:/bin/bash


Terminal 2 :
# stap /usr/share/sssd/systemtap/ldap_perf.stp 
===== ldap queries probe started =====
[25091] -> ldap request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(sAMAccountName=testuser1)(objectclass=user)(sAMAccountName=*)(objectSID=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "unixUserPassword", "uidNumber", "gidNumber", "gecos", "unixHomeDirectory", "loginShell", "userPrincipalName", "name", "memberOf", "objectGUID", "objectSID", "primaryGroupID", "whenChanged", "uSNChanged", "accountExpires", "userAccountControl", "userCertificate;binary", "mail"]
[25091] <- dn: CN=testuser1,CN=Users,DC=td1f00f7,DC=com
[25091] <- whenChanged: 20200116174928.0Z
[25091] <- uSNChanged: 18489
[25091] <- name: testuser1
[25091] <- objectGUID: �氠;8I�bbpF��
[25091] <- userAccountControl: 66048
[25091] <- primaryGroupID: 513
[25091] <- objectSid: 
[25091] <- accountExpires: 9223372036854775807
[25091] <- sAMAccountName: testuser1
[25091] <- userPrincipalName: testuser1@td1f00f7.com
[25091] ldap response to request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(sAMAccountName=testuser1)(objectclass=user)(sAMAccountName=*)(objectSID=*))'
[25091] took: 4 ms
[25091]--------------------------------------------------


^C
===== slowest ldap request =====
base: 'DC=td1f00f7,DC=com'
scope: 2
filter: '(&(sAMAccountName=testuser1)(objectclass=user)(sAMAccountName=*)(objectSID=*))'
attrs: ["objectClass", "sAMAccountName", "unixUserPassword", "uidNumber", "gidNumber", "gecos", "unixHomeDirectory", "loginShell", "userPrincipalName", "name", "memberOf", "objectGUID", "objectSID", "primaryGroupID", "whenChanged", "uSNChanged", "accountExpires", "userAccountControl", "userCertificate;binary", "mail"]
took: 4 ms

##################################################################################################################################

Case 2: Fetch user from Sub-domain.

Terminal 1 : 
# sss_cache -E ; getent passwd testdomuser1@one1f00f7.td1f00f7.com
testdomuser1@one1f00f7.td1f00f7.com:*:174601109:174601110:testdomuser1:/home/testdomuser1@one1f00f7.td1f00f7.com:/bin/bash

Terminal 2 :
# stap /usr/share/sssd/systemtap/ldap_perf.stp 
===== ldap queries probe started =====
[25091] -> ldap request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(sAMAccountName=testdomuser1)(objectclass=user)(sAMAccountName=*)(objectSID=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "unixUserPassword", "uidNumber", "gidNumber", "gecos", "unixHomeDirectory", "loginShell", "userPrincipalName", "name", "memberOf", "objectGUID", "objectSID", "primaryGroupID", "whenChanged", "uSNChanged", "accountExpires", "userAccountControl", "userCertificate;binary", "mail"]
[25091] <- dn: CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- whenChanged: 20200121215803.0Z
[25091] <- uSNChanged: 26534
[25091] <- name: testdomuser1
[25091] <- objectGUID: i}
                         �^�-F�������'
[25091] <- userAccountControl: 512
[25091] <- primaryGroupID: 1110
[25091] <- objectSid: 
[25091] <- sAMAccountName: testdomuser1
[25091] <- userPrincipalName: testdomuser1@one1f00f7.td1f00f7.com
[25091] ldap response to request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(sAMAccountName=testdomuser1)(objectclass=user)(sAMAccountName=*)(objectSID=*))'
[25091] took: 3 ms
[25091]--------------------------------------------------
done


^C
===== slowest ldap request =====
base: 'dc=one1f00f7,dc=td1f00f7,dc=com'
scope: 2
filter: '(&(sAMAccountName=testdomuser1)(objectclass=user)(sAMAccountName=*)(objectSID=*))'
attrs: ["objectClass", "sAMAccountName", "unixUserPassword", "uidNumber", "gidNumber", "gecos", "unixHomeDirectory", "loginShell", "userPrincipalName", "name", "memberOf", "objectGUID", "objectSID", "primaryGroupID", "whenChanged", "uSNChanged", "accountExpires", "userAccountControl", "userCertificate;binary", "mail"]
took: 3 ms

##################################################################################################################################

Case 3: Fetch group from AD sub-domain.

Terminal 1: 
# sss_cache -E ; getent group testday@one1f00f7.td1f00f7.com
testday@one1f00f7.td1f00f7.com:*:174601110:testdomuser1@one1f00f7.td1f00f7.com

Terminal 2:
# stap /usr/share/sssd/systemtap/ldap_perf.stp 
===== ldap queries probe started =====
[25091] -> ldap request: basedn '', scope 0, filter '(&(DnsDomain=one1f00f7.td1f00f7.com)(NtVer=\14\00\00\00))'
[25091] -> attrs: ["netlogon"]
[25091] <- dn: 
[25091] <- netlogon: 
[25091] ldap response to request: basedn '', scope 0, filter '(&(DnsDomain=one1f00f7.td1f00f7.com)(NtVer=\14\00\00\00))'
[25091] took: 1 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn '', scope 0, filter '(objectclass=*)'
[25091] -> attrs: ["*", "altServer", "namingContexts", "supportedControl", "supportedExtension", "supportedFeatures", "supportedLDAPVersion", "supportedSASLMechanisms", "domainControllerFunctionality", "defaultNamingContext", "lastUSN", "highestCommittedUSN"]
[25091] <- dn: 
[25091] <- currentTime: 20200123132248.0Z
[25091] <- subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=td1f00f7,DC=com
[25091] <- dsServiceName: CN=NTDS Settings,CN=CHAD1F00F7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=td1f00f7,DC=com
[25091] <- namingContexts: CN=Configuration,DC=td1f00f7,DC=com
[25091] <- namingContexts: CN=Schema,CN=Configuration,DC=td1f00f7,DC=com
[25091] <- namingContexts: DC=ForestDnsZones,DC=td1f00f7,DC=com
[25091] <- namingContexts: DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- namingContexts: DC=DomainDnsZones,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- defaultNamingContext: DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- schemaNamingContext: CN=Schema,CN=Configuration,DC=td1f00f7,DC=com
[25091] <- configurationNamingContext: CN=Configuration,DC=td1f00f7,DC=com
[25091] <- rootDomainNamingContext: DC=td1f00f7,DC=com
[25091] <- supportedControl: 1.2.840.113556.1.4.319
[25091] <- supportedControl: 1.2.840.113556.1.4.801
[25091] <- supportedControl: 1.2.840.113556.1.4.473
[25091] <- supportedControl: 1.2.840.113556.1.4.528
[25091] <- supportedControl: 1.2.840.113556.1.4.417
[25091] <- supportedControl: 1.2.840.113556.1.4.619
[25091] <- supportedControl: 1.2.840.113556.1.4.841
[25091] <- supportedControl: 1.2.840.113556.1.4.529
[25091] <- supportedControl: 1.2.840.113556.1.4.805
[25091] <- supportedControl: 1.2.840.113556.1.4.521
[25091] <- supportedControl: 1.2.840.113556.1.4.970
[25091] <- supportedControl: 1.2.840.113556.1.4.1338
[25091] <- supportedControl: 1.2.840.113556.1.4.474
[25091] <- supportedControl: 1.2.840.113556.1.4.1339
[25091] <- supportedControl: 1.2.840.113556.1.4.1340
[25091] <- supportedControl: 1.2.840.113556.1.4.1413
[25091] <- supportedControl: 2.16.840.1.113730.3.4.9
[25091] <- supportedControl: 2.16.840.1.113730.3.4.10
[25091] <- supportedControl: 1.2.840.113556.1.4.1504
[25091] <- supportedControl: 1.2.840.113556.1.4.1852
[25091] <- supportedControl: 1.2.840.113556.1.4.802
[25091] <- supportedControl: 1.2.840.113556.1.4.1907
[25091] <- supportedControl: 1.2.840.113556.1.4.1948
[25091] <- supportedControl: 1.2.840.113556.1.4.1974
[25091] <- supportedControl: 1.2.840.113556.1.4.1341
[25091] <- supportedControl: 1.2.840.113556.1.4.2026
[25091] <- supportedControl: 1.2.840.113556.1.4.2064
[25091] <- supportedControl: 1.2.840.113556.1.4.2065
[25091] <- supportedControl: 1.2.840.113556.1.4.2066
[25091] <- supportedControl: 1.2.840.113556.1.4.2090
[25091] <- supportedControl: 1.2.840.113556.1.4.2205
[25091] <- supportedControl: 1.2.840.113556.1.4.2204
[25091] <- supportedControl: 1.2.840.113556.1.4.2206
[25091] <- supportedControl: 1.2.840.113556.1.4.2211
[25091] <- supportedControl: 1.2.840.113556.1.4.2239
[25091] <- supportedControl: 1.2.840.113556.1.4.2255
[25091] <- supportedControl: 1.2.840.113556.1.4.2256
[25091] <- supportedLDAPVersion: 3
[25091] <- supportedLDAPVersion: 2
[25091] <- supportedLDAPPolicies: MaxPoolThreads
[25091] <- supportedLDAPPolicies: MaxPercentDirSyncRequests
[25091] <- supportedLDAPPolicies: MaxDatagramRecv
[25091] <- supportedLDAPPolicies: MaxReceiveBuffer
[25091] <- supportedLDAPPolicies: InitRecvTimeout
[25091] <- supportedLDAPPolicies: MaxConnections
[25091] <- supportedLDAPPolicies: MaxConnIdleTime
[25091] <- supportedLDAPPolicies: MaxPageSize
[25091] <- supportedLDAPPolicies: MaxBatchReturnMessages
[25091] <- supportedLDAPPolicies: MaxQueryDuration
[25091] <- supportedLDAPPolicies: MaxTempTableSize
[25091] <- supportedLDAPPolicies: MaxResultSetSize
[25091] <- supportedLDAPPolicies: MinResultSets
[25091] <- supportedLDAPPolicies: MaxResultSetsPerConn
[25091] <- supportedLDAPPolicies: MaxNotificationPerConn
[25091] <- supportedLDAPPolicies: MaxValRange
[25091] <- supportedLDAPPolicies: MaxValRangeTransitive
[25091] <- supportedLDAPPolicies: ThreadMemoryLimit
[25091] <- supportedLDAPPolicies: SystemMemoryLimitPercent
[25091] <- highestCommittedUSN: 26598
[25091] <- supportedSASLMechanisms: GSSAPI
[25091] <- supportedSASLMechanisms: GSS-SPNEGO
[25091] <- supportedSASLMechanisms: EXTERNAL
[25091] <- supportedSASLMechanisms: DIGEST-MD5
[25091] <- dnsHostName: chad1f00f7.one1f00f7.td1f00f7.com
[25091] <- ldapServiceName: td1f00f7.com:chad1f00f7$@ONE1F00F7.TD1F00F7.COM
[25091] <- serverName: CN=CHAD1F00F7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=td1f00f7,DC=com
[25091] <- supportedCapabilities: 1.2.840.113556.1.4.800
[25091] <- supportedCapabilities: 1.2.840.113556.1.4.1670
[25091] <- supportedCapabilities: 1.2.840.113556.1.4.1791
[25091] <- supportedCapabilities: 1.2.840.113556.1.4.1935
[25091] <- supportedCapabilities: 1.2.840.113556.1.4.2080
[25091] <- supportedCapabilities: 1.2.840.113556.1.4.2237
[25091] <- isSynchronized: TRUE
[25091] <- isGlobalCatalogReady: TRUE
[25091] <- supportedExtension: 1.3.6.1.4.1.1466.20037
[25091] <- supportedExtension: 1.3.6.1.4.1.1466.101.119.1
[25091] <- supportedExtension: 1.2.840.113556.1.4.1781
[25091] <- supportedExtension: 1.3.6.1.4.1.4203.1.11.3
[25091] <- supportedExtension: 1.2.840.113556.1.4.2212
[25091] <- domainFunctionality: 4
[25091] <- forestFunctionality: 4
[25091] <- domainControllerFunctionality: 6
[25091] ldap response to request: basedn '', scope 0, filter '(objectclass=*)'
[25091] took: 2 ms
[25091]--------------------------------------------------
done
[25091] -> ldap request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(sAMAccountName=testday)(objectClass=group)(sAMAccountName=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "gidNumber", "member", "objectGUID", "objectSID", "whenChanged", "uSNChanged", "groupType"]
[25091] <- dn: CN=testday,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- whenChanged: 20200121215745.0Z
[25091] <- uSNChanged: 23858
[25091] <- objectGUID: ��m��BA���Q����
[25091] <- objectSid: 
[25091] <- sAMAccountName: testday
[25091] <- groupType: -2147483646
[25091] ldap response to request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(sAMAccountName=testday)(objectClass=group)(sAMAccountName=*))'
[25091] took: 2 ms
[25091]--------------------------------------------------


^C
===== slowest ldap request =====
base: ''
scope: 0
filter: '(objectclass=*)'
attrs: ["*", "altServer", "namingContexts", "supportedControl", "supportedExtension", "supportedFeatures", "supportedLDAPVersion", "supportedSASLMechanisms", "domainControllerFunctionality", "defaultNamingContext", "lastUSN", "highestCommittedUSN"]
took: 2 ms

##################################################################################################################################

Case 4: Execute ID command on AD sub-domain user.

Terminal 1 :
# id testdomuser1@one1f00f7.td1f00f7.com
uid=174601109(testdomuser1@one1f00f7.td1f00f7.com) gid=174601110(testday@one1f00f7.td1f00f7.com) groups=174601110(testday@one1f00f7.td1f00f7.com),174600513(domain users@one1f00f7.td1f00f7.com)


Terminal 2 :
# stap /usr/share/sssd/systemtap/ldap_perf.stp 
===== ldap queries probe started =====
[25091] -> ldap request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(sAMAccountName=testdomuser1)(objectclass=user)(sAMAccountName=*)(objectSID=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "unixUserPassword", "uidNumber", "gidNumber", "gecos", "unixHomeDirectory", "loginShell", "userPrincipalName", "name", "memberOf", "objectGUID", "objectSID", "primaryGroupID", "whenChanged", "uSNChanged", "accountExpires", "userAccountControl", "userCertificate;binary", "mail"]
[25091] <- dn: CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- whenChanged: 20200121215803.0Z
[25091] <- uSNChanged: 26534
[25091] <- name: testdomuser1
[25091] <- objectGUID: i}
                         �^�-F�������'
[25091] <- userAccountControl: 512
[25091] <- primaryGroupID: 1110
[25091] <- objectSid: 
[25091] <- sAMAccountName: testdomuser1
[25091] <- userPrincipalName: testdomuser1@one1f00f7.td1f00f7.com
[25091] ldap response to request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(sAMAccountName=testdomuser1)(objectclass=user)(sAMAccountName=*)(objectSID=*))'
[25091] took: 3 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(objectSID=S-1-5-21-2952548673-3887585435-3159348047-1110)(objectClass=group)(sAMAccountName=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "gidNumber", "member", "objectGUID", "objectSID", "whenChanged", "uSNChanged", "groupType"]
[25091] <- dn: CN=testday,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- whenChanged: 20200121215745.0Z
[25091] <- uSNChanged: 23858
[25091] <- objectGUID: ��m��BA���Q����
[25091] <- objectSid: 
[25091] <- sAMAccountName: testday
[25091] <- groupType: -2147483646
[25091] ldap response to request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(objectSID=S-1-5-21-2952548673-3887585435-3159348047-1110)(objectClass=group)(sAMAccountName=*))'
[25091] took: 2 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(sAMAccountName=testdomuser1)(objectclass=user)(objectSID=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "unixUserPassword", "uidNumber", "gidNumber", "gecos", "unixHomeDirectory", "loginShell", "userPrincipalName", "name", "memberOf", "objectGUID", "objectSID", "primaryGroupID", "whenChanged", "uSNChanged", "accountExpires", "userAccountControl", "userCertificate;binary", "mail"]
[25091] <- dn: CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- whenChanged: 20200121215745.0Z
[25091] <- memberOf: CN=Domain Users,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- uSNChanged: 23861
[25091] <- name: testdomuser1
[25091] <- objectGUID: i}
                         �^�-F�������'
[25091] <- userAccountControl: 512
[25091] <- primaryGroupID: 1110
[25091] <- objectSid: 
[25091] <- accountExpires: 9223372036854775807
[25091] <- sAMAccountName: testdomuser1
[25091] <- userPrincipalName: testdomuser1@one1f00f7.td1f00f7.com
[25091] ldap response to request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(sAMAccountName=testdomuser1)(objectclass=user)(objectSID=*))'
[25091] took: 2 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com', scope 0, filter '<no filter>'
[25091] -> attrs: ["tokenGroups"]
[25091] <- dn: CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- tokenGroups: 
[25091] <- tokenGroups: 
[25091] <- tokenGroups: 
[25091] ldap response to request: basedn 'CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com', scope 0, filter '<no filter>'
[25091] took: 1 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(member=CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com)(objectClass=group)(sAMAccountName=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "gidNumber", "objectGUID", "objectSID", "whenChanged", "uSNChanged", "groupType"]
[25091] ldap response to request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(member=CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com)(objectClass=group)(sAMAccountName=*))'
[25091] took: 1 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(member=CN=testday,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com)(objectClass=group)(sAMAccountName=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "gidNumber", "objectGUID", "objectSID", "whenChanged", "uSNChanged", "groupType"]
[25091] ldap response to request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(member=CN=testday,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com)(objectClass=group)(sAMAccountName=*))'
[25091] took: 2 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(member=CN=Domain\20Users,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com)(objectClass=group)(sAMAccountName=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "gidNumber", "objectGUID", "objectSID", "whenChanged", "uSNChanged", "groupType"]
[25091] ldap response to request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(member=CN=Domain\20Users,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com)(objectClass=group)(sAMAccountName=*))'
[25091] took: 1 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(objectSID=S-1-5-21-2952548673-3887585435-3159348047-513)(objectClass=group)(sAMAccountName=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "gidNumber", "member", "objectGUID", "objectSID", "whenChanged", "uSNChanged", "groupType"]
[25091] <- dn: CN=Domain Users,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- member: CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- whenChanged: 20200121215745.0Z
[25091] <- uSNChanged: 23860
[25091] <- objectGUID: ��a�
                           G�O�AT�0�S�
[25091] <- objectSid: 
[25091] <- sAMAccountName: Domain Users
[25091] <- groupType: -2147483646
[25091] ldap response to request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(objectSID=S-1-5-21-2952548673-3887585435-3159348047-513)(objectClass=group)(sAMAccountName=*))'
[25091] took: 2 ms
[25091]--------------------------------------------------


===== slowest ldap request =====
base: 'dc=one1f00f7,dc=td1f00f7,dc=com'
scope: 2
filter: '(&(sAMAccountName=testdomuser1)(objectclass=user)(sAMAccountName=*)(objectSID=*))'
attrs: ["objectClass", "sAMAccountName", "unixUserPassword", "uidNumber", "gidNumber", "gecos", "unixHomeDirectory", "loginShell", "userPrincipalName", "name", "memberOf", "objectGUID", "objectSID", "primaryGroupID", "whenChanged", "uSNChanged", "accountExpires", "userAccountControl", "userCertificate;binary", "mail"]
took: 3 ms


##################################################################################################################################

Case 5: Execute ID command on AD Domain user.

Terminal 1 :
# sss_cache -E ; id testuser1@td1f00f7.com
uid=1351201115(testuser1@td1f00f7.com) gid=1351200513(domain users@td1f00f7.com) groups=1351200513(domain users@td1f00f7.com)

Terminal 2 :
# stap /usr/share/sssd/systemtap/ldap_perf.stp 
===== ldap queries probe started =====
[25091] -> ldap request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(sAMAccountName=testuser1)(objectclass=user)(sAMAccountName=*)(objectSID=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "unixUserPassword", "uidNumber", "gidNumber", "gecos", "unixHomeDirectory", "loginShell", "userPrincipalName", "name", "memberOf", "objectGUID", "objectSID", "primaryGroupID", "whenChanged", "uSNChanged", "accountExpires", "userAccountControl", "userCertificate;binary", "mail"]
[25091] <- dn: CN=testuser1,CN=Users,DC=td1f00f7,DC=com
[25091] <- whenChanged: 20200116174928.0Z
[25091] <- uSNChanged: 18489
[25091] <- name: testuser1
[25091] <- objectGUID: �氠;8I�bbpF��
[25091] <- userAccountControl: 66048
[25091] <- primaryGroupID: 513
[25091] <- objectSid: 
[25091] <- accountExpires: 9223372036854775807
[25091] <- sAMAccountName: testuser1
[25091] <- userPrincipalName: testuser1@td1f00f7.com
[25091] ldap response to request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(sAMAccountName=testuser1)(objectclass=user)(sAMAccountName=*)(objectSID=*))'
[25091] took: 4 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(objectSID=S-1-5-21-943975968-3308337886-2710116759-513)(objectClass=group)(sAMAccountName=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "gidNumber", "member", "objectGUID", "objectSID", "whenChanged", "uSNChanged", "groupType"]
[25091] <- dn: CN=Domain Users,CN=Users,DC=td1f00f7,DC=com
[25091] <- whenChanged: 20200116074155.0Z
[25091] <- uSNChanged: 12350
[25091] <- objectGUID: (
                        ��
x�D��_㐪c
[25091] <- objectSid: 
[25091] <- sAMAccountName: Domain Users
[25091] <- groupType: -2147483646
[25091] ldap response to request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(objectSID=S-1-5-21-943975968-3308337886-2710116759-513)(objectClass=group)(sAMAccountName=*))'
[25091] took: 2 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(sAMAccountName=testuser1)(objectclass=user)(objectSID=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "unixUserPassword", "uidNumber", "gidNumber", "gecos", "unixHomeDirectory", "loginShell", "userPrincipalName", "name", "memberOf", "objectGUID", "objectSID", "primaryGroupID", "whenChanged", "uSNChanged", "accountExpires", "userAccountControl", "userCertificate;binary", "mail"]
[25091] <- dn: CN=testuser1,CN=Users,DC=td1f00f7,DC=com
[25091] <- whenChanged: 20200116174928.0Z
[25091] <- uSNChanged: 18489
[25091] <- name: testuser1
[25091] <- objectGUID: �氠;8I�bbpF��
[25091] <- userAccountControl: 66048
[25091] <- primaryGroupID: 513
[25091] <- objectSid: 
[25091] <- accountExpires: 9223372036854775807
[25091] <- sAMAccountName: testuser1
[25091] <- userPrincipalName: testuser1@td1f00f7.com
[25091] ldap response to request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(sAMAccountName=testuser1)(objectclass=user)(objectSID=*))'
[25091] took: 2 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'CN=testuser1,CN=Users,DC=td1f00f7,DC=com', scope 0, filter '<no filter>'
[25091] -> attrs: ["tokenGroups"]
[25091] <- dn: CN=testuser1,CN=Users,DC=td1f00f7,DC=com
[25091] <- tokenGroups: 
[25091] <- tokenGroups: 
[25091] ldap response to request: basedn 'CN=testuser1,CN=Users,DC=td1f00f7,DC=com', scope 0, filter '<no filter>'
[25091] took: 2 ms
[25091]--------------------------------------------------


^C
===== slowest ldap request =====
base: 'DC=td1f00f7,DC=com'
scope: 2
filter: '(&(sAMAccountName=testuser1)(objectclass=user)(sAMAccountName=*)(objectSID=*))'
attrs: ["objectClass", "sAMAccountName", "unixUserPassword", "uidNumber", "gidNumber", "gecos", "unixHomeDirectory", "loginShell", "userPrincipalName", "name", "memberOf", "objectGUID", "objectSID", "primaryGroupID", "whenChanged", "uSNChanged", "accountExpires", "userAccountControl", "userCertificate;binary", "mail"]
took: 4 ms

##################################################################################################################################

Case 6: Fetch all the groups associated with AD sub-domain user.

Terminal 1:
# sss_cache -E ; groups testdomuser1@one1f00f7.td1f00f7.com
testdomuser1@one1f00f7.td1f00f7.com : testday@one1f00f7.td1f00f7.com domain users@one1f00f7.td1f00f7.com

Terminal 2:
# stap /usr/share/sssd/systemtap/ldap_perf.stp 
===== ldap queries probe started =====





[25091] -> ldap request: basedn '', scope 0, filter '(&(DnsDomain=td1f00f7.com)(NtVer=\14\00\00\00))'
[25091] -> attrs: ["netlogon"]
[25091] <- dn: 
[25091] <- netlogon: 
[25091] ldap response to request: basedn '', scope 0, filter '(&(DnsDomain=td1f00f7.com)(NtVer=\14\00\00\00))'
[25091] took: 1 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn '', scope 0, filter '(objectclass=*)'
[25091] -> attrs: ["*", "altServer", "namingContexts", "supportedControl", "supportedExtension", "supportedFeatures", "supportedLDAPVersion", "supportedSASLMechanisms", "domainControllerFunctionality", "defaultNamingContext", "lastUSN", "highestCommittedUSN"]
[25091] <- dn: 
[25091] <- currentTime: 20200123133152.0Z
[25091] <- subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=td1f00f7,DC=com
[25091] <- dsServiceName: CN=NTDS Settings,CN=CHAD21F00F7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=td1f00f7,DC=com
[25091] <- namingContexts: CN=Configuration,DC=td1f00f7,DC=com
[25091] <- namingContexts: CN=Schema,CN=Configuration,DC=td1f00f7,DC=com
[25091] <- namingContexts: DC=ForestDnsZones,DC=td1f00f7,DC=com
[25091] <- namingContexts: DC=two1f00f7,DC=td1f00f7,DC=com
[25091] <- namingContexts: DC=DomainDnsZones,DC=two1f00f7,DC=td1f00f7,DC=com
[25091] <- defaultNamingContext: DC=two1f00f7,DC=td1f00f7,DC=com
[25091] <- schemaNamingContext: CN=Schema,CN=Configuration,DC=td1f00f7,DC=com
[25091] <- configurationNamingContext: CN=Configuration,DC=td1f00f7,DC=com
[25091] <- rootDomainNamingContext: DC=td1f00f7,DC=com
[25091] <- supportedControl: 1.2.840.113556.1.4.319
[25091] <- supportedControl: 1.2.840.113556.1.4.801
[25091] <- supportedControl: 1.2.840.113556.1.4.473
[25091] <- supportedControl: 1.2.840.113556.1.4.528
[25091] <- supportedControl: 1.2.840.113556.1.4.417
[25091] <- supportedControl: 1.2.840.113556.1.4.619
[25091] <- supportedControl: 1.2.840.113556.1.4.841
[25091] <- supportedControl: 1.2.840.113556.1.4.529
[25091] <- supportedControl: 1.2.840.113556.1.4.805
[25091] <- supportedControl: 1.2.840.113556.1.4.521
[25091] <- supportedControl: 1.2.840.113556.1.4.970
[25091] <- supportedControl: 1.2.840.113556.1.4.1338
[25091] <- supportedControl: 1.2.840.113556.1.4.474
[25091] <- supportedControl: 1.2.840.113556.1.4.1339
[25091] <- supportedControl: 1.2.840.113556.1.4.1340
[25091] <- supportedControl: 1.2.840.113556.1.4.1413
[25091] <- supportedControl: 2.16.840.1.113730.3.4.9
[25091] <- supportedControl: 2.16.840.1.113730.3.4.10
[25091] <- supportedControl: 1.2.840.113556.1.4.1504
[25091] <- supportedControl: 1.2.840.113556.1.4.1852
[25091] <- supportedControl: 1.2.840.113556.1.4.802
[25091] <- supportedControl: 1.2.840.113556.1.4.1907
[25091] <- supportedControl: 1.2.840.113556.1.4.1948
[25091] <- supportedControl: 1.2.840.113556.1.4.1974
[25091] <- supportedControl: 1.2.840.113556.1.4.1341
[25091] <- supportedControl: 1.2.840.113556.1.4.2026
[25091] <- supportedControl: 1.2.840.113556.1.4.2064
[25091] <- supportedControl: 1.2.840.113556.1.4.2065
[25091] <- supportedControl: 1.2.840.113556.1.4.2066
[25091] <- supportedControl: 1.2.840.113556.1.4.2090
[25091] <- supportedControl: 1.2.840.113556.1.4.2205
[25091] <- supportedControl: 1.2.840.113556.1.4.2204
[25091] <- supportedControl: 1.2.840.113556.1.4.2206
[25091] <- supportedControl: 1.2.840.113556.1.4.2211
[25091] <- supportedControl: 1.2.840.113556.1.4.2239
[25091] <- supportedControl: 1.2.840.113556.1.4.2255
[25091] <- supportedControl: 1.2.840.113556.1.4.2256
[25091] <- supportedLDAPVersion: 3
[25091] <- supportedLDAPVersion: 2
[25091] <- supportedLDAPPolicies: MaxPoolThreads
[25091] <- supportedLDAPPolicies: MaxPercentDirSyncRequests
[25091] <- supportedLDAPPolicies: MaxDatagramRecv
[25091] <- supportedLDAPPolicies: MaxReceiveBuffer
[25091] <- supportedLDAPPolicies: InitRecvTimeout
[25091] <- supportedLDAPPolicies: MaxConnections
[25091] <- supportedLDAPPolicies: MaxConnIdleTime
[25091] <- supportedLDAPPolicies: MaxPageSize
[25091] <- supportedLDAPPolicies: MaxBatchReturnMessages
[25091] <- supportedLDAPPolicies: MaxQueryDuration
[25091] <- supportedLDAPPolicies: MaxTempTableSize
[25091] <- supportedLDAPPolicies: MaxResultSetSize
[25091] <- supportedLDAPPolicies: MinResultSets
[25091] <- supportedLDAPPolicies: MaxResultSetsPerConn
[25091] <- supportedLDAPPolicies: MaxNotificationPerConn
[25091] <- supportedLDAPPolicies: MaxValRange
[25091] <- supportedLDAPPolicies: MaxValRangeTransitive
[25091] <- supportedLDAPPolicies: ThreadMemoryLimit
[25091] <- supportedLDAPPolicies: SystemMemoryLimitPercent
[25091] <- highestCommittedUSN: 26745
[25091] <- supportedSASLMechanisms: GSSAPI
[25091] <- supportedSASLMechanisms: GSS-SPNEGO
[25091] <- supportedSASLMechanisms: EXTERNAL
[25091] <- supportedSASLMechanisms: DIGEST-MD5
[25091] <- dnsHostName: chad21f00f7.two1f00f7.td1f00f7.com
[25091] <- ldapServiceName: td1f00f7.com:chad21f00f7$@TWO1F00F7.TD1F00F7.COM
[25091] <- serverName: CN=CHAD21F00F7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=td1f00f7,DC=com
[25091] <- supportedCapabilities: 1.2.840.113556.1.4.800
[25091] <- supportedCapabilities: 1.2.840.113556.1.4.1670
[25091] <- supportedCapabilities: 1.2.840.113556.1.4.1791
[25091] <- supportedCapabilities: 1.2.840.113556.1.4.1935
[25091] <- supportedCapabilities: 1.2.840.113556.1.4.2080
[25091] <- supportedCapabilities: 1.2.840.113556.1.4.2237
[25091] <- isSynchronized: TRUE
[25091] <- isGlobalCatalogReady: TRUE
[25091] <- supportedExtension: 1.3.6.1.4.1.1466.20037
[25091] <- supportedExtension: 1.3.6.1.4.1.1466.101.119.1
[25091] <- supportedExtension: 1.2.840.113556.1.4.1781
[25091] <- supportedExtension: 1.3.6.1.4.1.4203.1.11.3
[25091] <- supportedExtension: 1.2.840.113556.1.4.2212
[25091] <- domainFunctionality: 4
[25091] <- forestFunctionality: 4
[25091] <- domainControllerFunctionality: 6
[25091] ldap response to request: basedn '', scope 0, filter '(objectclass=*)'
[25091] took: 2 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn '', scope 0, filter '(&(DnsDomain=td1f00f7.com)(NtVer=\14\00\00\00))'
[25091] -> attrs: ["netlogon"]
[25091] <- dn: 
[25091] <- netlogon: 
[25091] ldap response to request: basedn '', scope 0, filter '(&(DnsDomain=td1f00f7.com)(NtVer=\14\00\00\00))'
[25091] took: 1 ms
[25091]--------------------------------------------------
done
[25091] -> ldap request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(sAMAccountName=testdomuser1)(objectclass=user)(sAMAccountName=*)(objectSID=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "unixUserPassword", "uidNumber", "gidNumber", "gecos", "unixHomeDirectory", "loginShell", "userPrincipalName", "name", "memberOf", "objectGUID", "objectSID", "primaryGroupID", "whenChanged", "uSNChanged", "accountExpires", "userAccountControl", "userCertificate;binary", "mail"]
[25091] <- dn: CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- whenChanged: 20200121215800.0Z
[25091] <- uSNChanged: 23991
[25091] <- name: testdomuser1
[25091] <- objectGUID: i}
                         �^�-F�������'
[25091] <- userAccountControl: 512
[25091] <- primaryGroupID: 1110
[25091] <- objectSid: 
[25091] <- sAMAccountName: testdomuser1
[25091] <- userPrincipalName: testdomuser1@one1f00f7.td1f00f7.com
[25091] ldap response to request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(sAMAccountName=testdomuser1)(objectclass=user)(sAMAccountName=*)(objectSID=*))'
[25091] took: 2 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(objectSID=S-1-5-21-2952548673-3887585435-3159348047-1110)(objectClass=group)(sAMAccountName=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "gidNumber", "member", "objectGUID", "objectSID", "whenChanged", "uSNChanged", "groupType"]
[25091] <- dn: CN=testday,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- whenChanged: 20200121215745.0Z
[25091] <- uSNChanged: 23858
[25091] <- objectGUID: ��m��BA���Q����
[25091] <- objectSid: 
[25091] <- sAMAccountName: testday
[25091] <- groupType: -2147483646
[25091] ldap response to request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(objectSID=S-1-5-21-2952548673-3887585435-3159348047-1110)(objectClass=group)(sAMAccountName=*))'
[25091] took: 2 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(sAMAccountName=testdomuser1)(objectclass=user)(objectSID=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "unixUserPassword", "uidNumber", "gidNumber", "gecos", "unixHomeDirectory", "loginShell", "userPrincipalName", "name", "memberOf", "objectGUID", "objectSID", "primaryGroupID", "whenChanged", "uSNChanged", "accountExpires", "userAccountControl", "userCertificate;binary", "mail"]
[25091] <- dn: CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- whenChanged: 20200121215745.0Z
[25091] <- memberOf: CN=Domain Users,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- uSNChanged: 23861
[25091] <- name: testdomuser1
[25091] <- objectGUID: i}
                         �^�-F�������'
[25091] <- userAccountControl: 512
[25091] <- primaryGroupID: 1110
[25091] <- objectSid: 
[25091] <- accountExpires: 9223372036854775807
[25091] <- sAMAccountName: testdomuser1
[25091] <- userPrincipalName: testdomuser1@one1f00f7.td1f00f7.com
[25091] ldap response to request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(sAMAccountName=testdomuser1)(objectclass=user)(objectSID=*))'
[25091] took: 2 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com', scope 0, filter '<no filter>'
[25091] -> attrs: ["tokenGroups"]
[25091] <- dn: CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- tokenGroups: 
[25091] <- tokenGroups: 
[25091] <- tokenGroups: 
[25091] ldap response to request: basedn 'CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com', scope 0, filter '<no filter>'
[25091] took: 1 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(member=CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com)(objectClass=group)(sAMAccountName=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "gidNumber", "objectGUID", "objectSID", "whenChanged", "uSNChanged", "groupType"]
[25091] ldap response to request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(member=CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com)(objectClass=group)(sAMAccountName=*))'
[25091] took: 15 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(member=CN=testday,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com)(objectClass=group)(sAMAccountName=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "gidNumber", "objectGUID", "objectSID", "whenChanged", "uSNChanged", "groupType"]
[25091] ldap response to request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(member=CN=testday,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com)(objectClass=group)(sAMAccountName=*))'
[25091] took: 1 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(member=CN=Domain\20Users,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com)(objectClass=group)(sAMAccountName=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "gidNumber", "objectGUID", "objectSID", "whenChanged", "uSNChanged", "groupType"]
[25091] ldap response to request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(member=CN=Domain\20Users,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com)(objectClass=group)(sAMAccountName=*))'
[25091] took: 1 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(objectSID=S-1-5-21-2952548673-3887585435-3159348047-513)(objectClass=group)(sAMAccountName=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "gidNumber", "member", "objectGUID", "objectSID", "whenChanged", "uSNChanged", "groupType"]
[25091] <- dn: CN=Domain Users,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- member: CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- whenChanged: 20200121215745.0Z
[25091] <- uSNChanged: 23860
[25091] <- objectGUID: ��a�
                           G�O�AT�0�S�
[25091] <- objectSid: 
[25091] <- sAMAccountName: Domain Users
[25091] <- groupType: -2147483646
[25091] ldap response to request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(objectSID=S-1-5-21-2952548673-3887585435-3159348047-513)(objectClass=group)(sAMAccountName=*))'
[25091] took: 2 ms
[25091]--------------------------------------------------

Comment 23 errata-xmlrpc 2020-04-28 16:55:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1863


Note You need to log in before you can comment on or make changes to this bug.