Bug 1542137
| Summary: | [RFE] Add systemtap probes to display ldapsearch requests and results | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | afox <afox> |
| Component: | sssd | Assignee: | Tomas Halman <thalman> |
| Status: | CLOSED ERRATA | QA Contact: | sssd-qe <sssd-qe> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.0 | CC: | apeetham, grajaiya, jhrozek, lslebodn, mkosek, mzidek, pbrezina, sauchter, sgoveas, thalman, tscherf |
| Target Milestone: | pre-dev-freeze | Keywords: | FutureFeature |
| Target Release: | 8.1 | Flags: | sgoveas: mirror+ |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | sync-to-jira | | |
| Fixed In Version: | sssd-2.2.3-2.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-04-28 16:55:59 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1682305 | | |
| Bug Blocks: | 1547051, 1679810, 1689138 | | |
Description
afox@redhat.com
2018-02-05 16:28:32 UTC
I would say we should provide probes for e.g. systemtap so that the admin can watch the LDAP searches. I don't think debug messages are the right place. Please see man sssd-systemtap for an example of what is already supported (sorry, I don't know if RHEL already has the man page, here is a link to upstream: https://jhrozek.fedorapeople.org/sssd/1.16.0/man/sssd-systemtap.5.html). Chances are the probes might even do what the customer wants or that the existing probes need to be adjusted, but I think it's a better way of fulfilling the request than the debug messages.

(In reply to Jakub Hrozek from comment #6)
> I would say we should provide probes for e.g. systemtap so that the admin
> can watch the LDAP searches. I don't think debug messages are the right
> place.

+1. It will be really handy for troubleshooting.

Updating RFE title, to reflect the adjusted scope - adding systemtap probes.

Upstream PR https://github.com/SSSD/sssd/pull/841
Verified the bug with SSSD Version: sssd-2.2.3-11.el8.x86_64
Steps followed during verification:
1. On one terminal, execute the *.stp scripts from the /usr/share/sssd/systemtap/ directory.
2. After executing the script, on another terminal run user/group lookup commands like id / getent passwd <USER>.
See results below:
--------------------------------------------------------------------------------------------------------
Case 1: Fetch user from AD domain.
Terminal 1 :
# sss_cache -E ; getent passwd testuser1
testuser1:*:1351201115:1351200513:testuser1:/home/testuser1:/bin/bash
Terminal 2 :
# stap /usr/share/sssd/systemtap/ldap_perf.stp
===== ldap queries probe started =====
[25091] -> ldap request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(sAMAccountName=testuser1)(objectclass=user)(sAMAccountName=*)(objectSID=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "unixUserPassword", "uidNumber", "gidNumber", "gecos", "unixHomeDirectory", "loginShell", "userPrincipalName", "name", "memberOf", "objectGUID", "objectSID", "primaryGroupID", "whenChanged", "uSNChanged", "accountExpires", "userAccountControl", "userCertificate;binary", "mail"]
[25091] <- dn: CN=testuser1,CN=Users,DC=td1f00f7,DC=com
[25091] <- whenChanged: 20200116174928.0Z
[25091] <- uSNChanged: 18489
[25091] <- name: testuser1
[25091] <- objectGUID: �氠;8I�bbpF��
[25091] <- userAccountControl: 66048
[25091] <- primaryGroupID: 513
[25091] <- objectSid:
[25091] <- accountExpires: 9223372036854775807
[25091] <- sAMAccountName: testuser1
[25091] <- userPrincipalName: testuser1
[25091] ldap response to request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(sAMAccountName=testuser1)(objectclass=user)(sAMAccountName=*)(objectSID=*))'
[25091] took: 4 ms
[25091]--------------------------------------------------
^C
===== slowest ldap request =====
base: 'DC=td1f00f7,DC=com'
scope: 2
filter: '(&(sAMAccountName=testuser1)(objectclass=user)(sAMAccountName=*)(objectSID=*))'
attrs: ["objectClass", "sAMAccountName", "unixUserPassword", "uidNumber", "gidNumber", "gecos", "unixHomeDirectory", "loginShell", "userPrincipalName", "name", "memberOf", "objectGUID", "objectSID", "primaryGroupID", "whenChanged", "uSNChanged", "accountExpires", "userAccountControl", "userCertificate;binary", "mail"]
took: 4 ms
##################################################################################################################################
Case 2: Fetch user from Sub-domain.
Terminal 1 :
# sss_cache -E ; getent passwd testdomuser1.com
testdomuser1.com:*:174601109:174601110:testdomuser1:/home/testdomuser1.com:/bin/bash
Terminal 2 :
# stap /usr/share/sssd/systemtap/ldap_perf.stp
===== ldap queries probe started =====
[25091] -> ldap request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(sAMAccountName=testdomuser1)(objectclass=user)(sAMAccountName=*)(objectSID=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "unixUserPassword", "uidNumber", "gidNumber", "gecos", "unixHomeDirectory", "loginShell", "userPrincipalName", "name", "memberOf", "objectGUID", "objectSID", "primaryGroupID", "whenChanged", "uSNChanged", "accountExpires", "userAccountControl", "userCertificate;binary", "mail"]
[25091] <- dn: CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- whenChanged: 20200121215803.0Z
[25091] <- uSNChanged: 26534
[25091] <- name: testdomuser1
[25091] <- objectGUID: i}
�^�-F�������'
[25091] <- userAccountControl: 512
[25091] <- primaryGroupID: 1110
[25091] <- objectSid:
[25091] <- sAMAccountName: testdomuser1
[25091] <- userPrincipalName: testdomuser1.com
[25091] ldap response to request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(sAMAccountName=testdomuser1)(objectclass=user)(sAMAccountName=*)(objectSID=*))'
[25091] took: 3 ms
[25091]--------------------------------------------------
done
^C
===== slowest ldap request =====
base: 'dc=one1f00f7,dc=td1f00f7,dc=com'
scope: 2
filter: '(&(sAMAccountName=testdomuser1)(objectclass=user)(sAMAccountName=*)(objectSID=*))'
attrs: ["objectClass", "sAMAccountName", "unixUserPassword", "uidNumber", "gidNumber", "gecos", "unixHomeDirectory", "loginShell", "userPrincipalName", "name", "memberOf", "objectGUID", "objectSID", "primaryGroupID", "whenChanged", "uSNChanged", "accountExpires", "userAccountControl", "userCertificate;binary", "mail"]
took: 3 ms
##################################################################################################################################
Case 3: Fetch group from AD sub-domain.
Terminal 1:
# sss_cache -E ; getent group testday.com
testday.com:*:174601110:testdomuser1.com
Terminal 2:
# stap /usr/share/sssd/systemtap/ldap_perf.stp
===== ldap queries probe started =====
[25091] -> ldap request: basedn '', scope 0, filter '(&(DnsDomain=one1f00f7.td1f00f7.com)(NtVer=\14\00\00\00))'
[25091] -> attrs: ["netlogon"]
[25091] <- dn:
[25091] <- netlogon:
[25091] ldap response to request: basedn '', scope 0, filter '(&(DnsDomain=one1f00f7.td1f00f7.com)(NtVer=\14\00\00\00))'
[25091] took: 1 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn '', scope 0, filter '(objectclass=*)'
[25091] -> attrs: ["*", "altServer", "namingContexts", "supportedControl", "supportedExtension", "supportedFeatures", "supportedLDAPVersion", "supportedSASLMechanisms", "domainControllerFunctionality", "defaultNamingContext", "lastUSN", "highestCommittedUSN"]
[25091] <- dn:
[25091] <- currentTime: 20200123132248.0Z
[25091] <- subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=td1f00f7,DC=com
[25091] <- dsServiceName: CN=NTDS Settings,CN=CHAD1F00F7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=td1f00f7,DC=com
[25091] <- namingContexts: CN=Configuration,DC=td1f00f7,DC=com
[25091] <- namingContexts: CN=Schema,CN=Configuration,DC=td1f00f7,DC=com
[25091] <- namingContexts: DC=ForestDnsZones,DC=td1f00f7,DC=com
[25091] <- namingContexts: DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- namingContexts: DC=DomainDnsZones,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- defaultNamingContext: DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- schemaNamingContext: CN=Schema,CN=Configuration,DC=td1f00f7,DC=com
[25091] <- configurationNamingContext: CN=Configuration,DC=td1f00f7,DC=com
[25091] <- rootDomainNamingContext: DC=td1f00f7,DC=com
[25091] <- supportedControl: 1.2.840.113556.1.4.319
[25091] <- supportedControl: 1.2.840.113556.1.4.801
[25091] <- supportedControl: 1.2.840.113556.1.4.473
[25091] <- supportedControl: 1.2.840.113556.1.4.528
[25091] <- supportedControl: 1.2.840.113556.1.4.417
[25091] <- supportedControl: 1.2.840.113556.1.4.619
[25091] <- supportedControl: 1.2.840.113556.1.4.841
[25091] <- supportedControl: 1.2.840.113556.1.4.529
[25091] <- supportedControl: 1.2.840.113556.1.4.805
[25091] <- supportedControl: 1.2.840.113556.1.4.521
[25091] <- supportedControl: 1.2.840.113556.1.4.970
[25091] <- supportedControl: 1.2.840.113556.1.4.1338
[25091] <- supportedControl: 1.2.840.113556.1.4.474
[25091] <- supportedControl: 1.2.840.113556.1.4.1339
[25091] <- supportedControl: 1.2.840.113556.1.4.1340
[25091] <- supportedControl: 1.2.840.113556.1.4.1413
[25091] <- supportedControl: 2.16.840.1.113730.3.4.9
[25091] <- supportedControl: 2.16.840.1.113730.3.4.10
[25091] <- supportedControl: 1.2.840.113556.1.4.1504
[25091] <- supportedControl: 1.2.840.113556.1.4.1852
[25091] <- supportedControl: 1.2.840.113556.1.4.802
[25091] <- supportedControl: 1.2.840.113556.1.4.1907
[25091] <- supportedControl: 1.2.840.113556.1.4.1948
[25091] <- supportedControl: 1.2.840.113556.1.4.1974
[25091] <- supportedControl: 1.2.840.113556.1.4.1341
[25091] <- supportedControl: 1.2.840.113556.1.4.2026
[25091] <- supportedControl: 1.2.840.113556.1.4.2064
[25091] <- supportedControl: 1.2.840.113556.1.4.2065
[25091] <- supportedControl: 1.2.840.113556.1.4.2066
[25091] <- supportedControl: 1.2.840.113556.1.4.2090
[25091] <- supportedControl: 1.2.840.113556.1.4.2205
[25091] <- supportedControl: 1.2.840.113556.1.4.2204
[25091] <- supportedControl: 1.2.840.113556.1.4.2206
[25091] <- supportedControl: 1.2.840.113556.1.4.2211
[25091] <- supportedControl: 1.2.840.113556.1.4.2239
[25091] <- supportedControl: 1.2.840.113556.1.4.2255
[25091] <- supportedControl: 1.2.840.113556.1.4.2256
[25091] <- supportedLDAPVersion: 3
[25091] <- supportedLDAPVersion: 2
[25091] <- supportedLDAPPolicies: MaxPoolThreads
[25091] <- supportedLDAPPolicies: MaxPercentDirSyncRequests
[25091] <- supportedLDAPPolicies: MaxDatagramRecv
[25091] <- supportedLDAPPolicies: MaxReceiveBuffer
[25091] <- supportedLDAPPolicies: InitRecvTimeout
[25091] <- supportedLDAPPolicies: MaxConnections
[25091] <- supportedLDAPPolicies: MaxConnIdleTime
[25091] <- supportedLDAPPolicies: MaxPageSize
[25091] <- supportedLDAPPolicies: MaxBatchReturnMessages
[25091] <- supportedLDAPPolicies: MaxQueryDuration
[25091] <- supportedLDAPPolicies: MaxTempTableSize
[25091] <- supportedLDAPPolicies: MaxResultSetSize
[25091] <- supportedLDAPPolicies: MinResultSets
[25091] <- supportedLDAPPolicies: MaxResultSetsPerConn
[25091] <- supportedLDAPPolicies: MaxNotificationPerConn
[25091] <- supportedLDAPPolicies: MaxValRange
[25091] <- supportedLDAPPolicies: MaxValRangeTransitive
[25091] <- supportedLDAPPolicies: ThreadMemoryLimit
[25091] <- supportedLDAPPolicies: SystemMemoryLimitPercent
[25091] <- highestCommittedUSN: 26598
[25091] <- supportedSASLMechanisms: GSSAPI
[25091] <- supportedSASLMechanisms: GSS-SPNEGO
[25091] <- supportedSASLMechanisms: EXTERNAL
[25091] <- supportedSASLMechanisms: DIGEST-MD5
[25091] <- dnsHostName: chad1f00f7.one1f00f7.td1f00f7.com
[25091] <- ldapServiceName: td1f00f7.com:chad1f00f7$@ONE1F00F7.TD1F00F7.COM
[25091] <- serverName: CN=CHAD1F00F7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=td1f00f7,DC=com
[25091] <- supportedCapabilities: 1.2.840.113556.1.4.800
[25091] <- supportedCapabilities: 1.2.840.113556.1.4.1670
[25091] <- supportedCapabilities: 1.2.840.113556.1.4.1791
[25091] <- supportedCapabilities: 1.2.840.113556.1.4.1935
[25091] <- supportedCapabilities: 1.2.840.113556.1.4.2080
[25091] <- supportedCapabilities: 1.2.840.113556.1.4.2237
[25091] <- isSynchronized: TRUE
[25091] <- isGlobalCatalogReady: TRUE
[25091] <- supportedExtension: 1.3.6.1.4.1.1466.20037
[25091] <- supportedExtension: 1.3.6.1.4.1.1466.101.119.1
[25091] <- supportedExtension: 1.2.840.113556.1.4.1781
[25091] <- supportedExtension: 1.3.6.1.4.1.4203.1.11.3
[25091] <- supportedExtension: 1.2.840.113556.1.4.2212
[25091] <- domainFunctionality: 4
[25091] <- forestFunctionality: 4
[25091] <- domainControllerFunctionality: 6
[25091] ldap response to request: basedn '', scope 0, filter '(objectclass=*)'
[25091] took: 2 ms
[25091]--------------------------------------------------
done
[25091] -> ldap request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(sAMAccountName=testday)(objectClass=group)(sAMAccountName=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "gidNumber", "member", "objectGUID", "objectSID", "whenChanged", "uSNChanged", "groupType"]
[25091] <- dn: CN=testday,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- whenChanged: 20200121215745.0Z
[25091] <- uSNChanged: 23858
[25091] <- objectGUID: ��m��BA���Q����
[25091] <- objectSid:
[25091] <- sAMAccountName: testday
[25091] <- groupType: -2147483646
[25091] ldap response to request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(sAMAccountName=testday)(objectClass=group)(sAMAccountName=*))'
[25091] took: 2 ms
[25091]--------------------------------------------------
^C
===== slowest ldap request =====
base: ''
scope: 0
filter: '(objectclass=*)'
attrs: ["*", "altServer", "namingContexts", "supportedControl", "supportedExtension", "supportedFeatures", "supportedLDAPVersion", "supportedSASLMechanisms", "domainControllerFunctionality", "defaultNamingContext", "lastUSN", "highestCommittedUSN"]
took: 2 ms
##################################################################################################################################
Case 4: Execute ID command on AD sub-domain user.
Terminal 1 :
# id testdomuser1.com
uid=174601109(testdomuser1.com) gid=174601110(testday.com) groups=174601110(testday.com),174600513(domain users.com)
Terminal 2 :
# stap /usr/share/sssd/systemtap/ldap_perf.stp
===== ldap queries probe started =====
[25091] -> ldap request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(sAMAccountName=testdomuser1)(objectclass=user)(sAMAccountName=*)(objectSID=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "unixUserPassword", "uidNumber", "gidNumber", "gecos", "unixHomeDirectory", "loginShell", "userPrincipalName", "name", "memberOf", "objectGUID", "objectSID", "primaryGroupID", "whenChanged", "uSNChanged", "accountExpires", "userAccountControl", "userCertificate;binary", "mail"]
[25091] <- dn: CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- whenChanged: 20200121215803.0Z
[25091] <- uSNChanged: 26534
[25091] <- name: testdomuser1
[25091] <- objectGUID: i}
�^�-F�������'
[25091] <- userAccountControl: 512
[25091] <- primaryGroupID: 1110
[25091] <- objectSid:
[25091] <- sAMAccountName: testdomuser1
[25091] <- userPrincipalName: testdomuser1.com
[25091] ldap response to request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(sAMAccountName=testdomuser1)(objectclass=user)(sAMAccountName=*)(objectSID=*))'
[25091] took: 3 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(objectSID=S-1-5-21-2952548673-3887585435-3159348047-1110)(objectClass=group)(sAMAccountName=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "gidNumber", "member", "objectGUID", "objectSID", "whenChanged", "uSNChanged", "groupType"]
[25091] <- dn: CN=testday,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- whenChanged: 20200121215745.0Z
[25091] <- uSNChanged: 23858
[25091] <- objectGUID: ��m��BA���Q����
[25091] <- objectSid:
[25091] <- sAMAccountName: testday
[25091] <- groupType: -2147483646
[25091] ldap response to request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(objectSID=S-1-5-21-2952548673-3887585435-3159348047-1110)(objectClass=group)(sAMAccountName=*))'
[25091] took: 2 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(sAMAccountName=testdomuser1)(objectclass=user)(objectSID=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "unixUserPassword", "uidNumber", "gidNumber", "gecos", "unixHomeDirectory", "loginShell", "userPrincipalName", "name", "memberOf", "objectGUID", "objectSID", "primaryGroupID", "whenChanged", "uSNChanged", "accountExpires", "userAccountControl", "userCertificate;binary", "mail"]
[25091] <- dn: CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- whenChanged: 20200121215745.0Z
[25091] <- memberOf: CN=Domain Users,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- uSNChanged: 23861
[25091] <- name: testdomuser1
[25091] <- objectGUID: i}
�^�-F�������'
[25091] <- userAccountControl: 512
[25091] <- primaryGroupID: 1110
[25091] <- objectSid:
[25091] <- accountExpires: 9223372036854775807
[25091] <- sAMAccountName: testdomuser1
[25091] <- userPrincipalName: testdomuser1.com
[25091] ldap response to request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(sAMAccountName=testdomuser1)(objectclass=user)(objectSID=*))'
[25091] took: 2 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com', scope 0, filter '<no filter>'
[25091] -> attrs: ["tokenGroups"]
[25091] <- dn: CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- tokenGroups:
[25091] <- tokenGroups:
[25091] <- tokenGroups:
[25091] ldap response to request: basedn 'CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com', scope 0, filter '<no filter>'
[25091] took: 1 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(member=CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com)(objectClass=group)(sAMAccountName=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "gidNumber", "objectGUID", "objectSID", "whenChanged", "uSNChanged", "groupType"]
[25091] ldap response to request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(member=CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com)(objectClass=group)(sAMAccountName=*))'
[25091] took: 1 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(member=CN=testday,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com)(objectClass=group)(sAMAccountName=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "gidNumber", "objectGUID", "objectSID", "whenChanged", "uSNChanged", "groupType"]
[25091] ldap response to request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(member=CN=testday,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com)(objectClass=group)(sAMAccountName=*))'
[25091] took: 2 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(member=CN=Domain\20Users,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com)(objectClass=group)(sAMAccountName=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "gidNumber", "objectGUID", "objectSID", "whenChanged", "uSNChanged", "groupType"]
[25091] ldap response to request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(member=CN=Domain\20Users,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com)(objectClass=group)(sAMAccountName=*))'
[25091] took: 1 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(objectSID=S-1-5-21-2952548673-3887585435-3159348047-513)(objectClass=group)(sAMAccountName=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "gidNumber", "member", "objectGUID", "objectSID", "whenChanged", "uSNChanged", "groupType"]
[25091] <- dn: CN=Domain Users,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- member: CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- whenChanged: 20200121215745.0Z
[25091] <- uSNChanged: 23860
[25091] <- objectGUID: ��a�
G�O�AT�0�S�
[25091] <- objectSid:
[25091] <- sAMAccountName: Domain Users
[25091] <- groupType: -2147483646
[25091] ldap response to request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(objectSID=S-1-5-21-2952548673-3887585435-3159348047-513)(objectClass=group)(sAMAccountName=*))'
[25091] took: 2 ms
[25091]--------------------------------------------------
===== slowest ldap request =====
base: 'dc=one1f00f7,dc=td1f00f7,dc=com'
scope: 2
filter: '(&(sAMAccountName=testdomuser1)(objectclass=user)(sAMAccountName=*)(objectSID=*))'
attrs: ["objectClass", "sAMAccountName", "unixUserPassword", "uidNumber", "gidNumber", "gecos", "unixHomeDirectory", "loginShell", "userPrincipalName", "name", "memberOf", "objectGUID", "objectSID", "primaryGroupID", "whenChanged", "uSNChanged", "accountExpires", "userAccountControl", "userCertificate;binary", "mail"]
took: 3 ms
##################################################################################################################################
Case 5: Execute ID command on AD Domain user.
Terminal 1 :
# sss_cache -E ; id testuser1
uid=1351201115(testuser1) gid=1351200513(domain users) groups=1351200513(domain users)
Terminal 2 :
# stap /usr/share/sssd/systemtap/ldap_perf.stp
===== ldap queries probe started =====
[25091] -> ldap request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(sAMAccountName=testuser1)(objectclass=user)(sAMAccountName=*)(objectSID=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "unixUserPassword", "uidNumber", "gidNumber", "gecos", "unixHomeDirectory", "loginShell", "userPrincipalName", "name", "memberOf", "objectGUID", "objectSID", "primaryGroupID", "whenChanged", "uSNChanged", "accountExpires", "userAccountControl", "userCertificate;binary", "mail"]
[25091] <- dn: CN=testuser1,CN=Users,DC=td1f00f7,DC=com
[25091] <- whenChanged: 20200116174928.0Z
[25091] <- uSNChanged: 18489
[25091] <- name: testuser1
[25091] <- objectGUID: �氠;8I�bbpF��
[25091] <- userAccountControl: 66048
[25091] <- primaryGroupID: 513
[25091] <- objectSid:
[25091] <- accountExpires: 9223372036854775807
[25091] <- sAMAccountName: testuser1
[25091] <- userPrincipalName: testuser1
[25091] ldap response to request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(sAMAccountName=testuser1)(objectclass=user)(sAMAccountName=*)(objectSID=*))'
[25091] took: 4 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(objectSID=S-1-5-21-943975968-3308337886-2710116759-513)(objectClass=group)(sAMAccountName=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "gidNumber", "member", "objectGUID", "objectSID", "whenChanged", "uSNChanged", "groupType"]
[25091] <- dn: CN=Domain Users,CN=Users,DC=td1f00f7,DC=com
[25091] <- whenChanged: 20200116074155.0Z
[25091] <- uSNChanged: 12350
[25091] <- objectGUID: (
��
x�D��_㐪c
[25091] <- objectSid:
[25091] <- sAMAccountName: Domain Users
[25091] <- groupType: -2147483646
[25091] ldap response to request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(objectSID=S-1-5-21-943975968-3308337886-2710116759-513)(objectClass=group)(sAMAccountName=*))'
[25091] took: 2 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(sAMAccountName=testuser1)(objectclass=user)(objectSID=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "unixUserPassword", "uidNumber", "gidNumber", "gecos", "unixHomeDirectory", "loginShell", "userPrincipalName", "name", "memberOf", "objectGUID", "objectSID", "primaryGroupID", "whenChanged", "uSNChanged", "accountExpires", "userAccountControl", "userCertificate;binary", "mail"]
[25091] <- dn: CN=testuser1,CN=Users,DC=td1f00f7,DC=com
[25091] <- whenChanged: 20200116174928.0Z
[25091] <- uSNChanged: 18489
[25091] <- name: testuser1
[25091] <- objectGUID: �氠;8I�bbpF��
[25091] <- userAccountControl: 66048
[25091] <- primaryGroupID: 513
[25091] <- objectSid:
[25091] <- accountExpires: 9223372036854775807
[25091] <- sAMAccountName: testuser1
[25091] <- userPrincipalName: testuser1
[25091] ldap response to request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(sAMAccountName=testuser1)(objectclass=user)(objectSID=*))'
[25091] took: 2 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'CN=testuser1,CN=Users,DC=td1f00f7,DC=com', scope 0, filter '<no filter>'
[25091] -> attrs: ["tokenGroups"]
[25091] <- dn: CN=testuser1,CN=Users,DC=td1f00f7,DC=com
[25091] <- tokenGroups:
[25091] <- tokenGroups:
[25091] ldap response to request: basedn 'CN=testuser1,CN=Users,DC=td1f00f7,DC=com', scope 0, filter '<no filter>'
[25091] took: 2 ms
[25091]--------------------------------------------------
^C
===== slowest ldap request =====
base: 'DC=td1f00f7,DC=com'
scope: 2
filter: '(&(sAMAccountName=testuser1)(objectclass=user)(sAMAccountName=*)(objectSID=*))'
attrs: ["objectClass", "sAMAccountName", "unixUserPassword", "uidNumber", "gidNumber", "gecos", "unixHomeDirectory", "loginShell", "userPrincipalName", "name", "memberOf", "objectGUID", "objectSID", "primaryGroupID", "whenChanged", "uSNChanged", "accountExpires", "userAccountControl", "userCertificate;binary", "mail"]
took: 4 ms
##################################################################################################################################
Case 6: Fetch all the groups associated with AD sub-domain user.
Terminal 1:
# sss_cache -E ; groups testdomuser1.com
testdomuser1.com : testday.com domain users.com
Terminal 2:
# stap /usr/share/sssd/systemtap/ldap_perf.stp
===== ldap queries probe started =====
[25091] -> ldap request: basedn '', scope 0, filter '(&(DnsDomain=td1f00f7.com)(NtVer=\14\00\00\00))'
[25091] -> attrs: ["netlogon"]
[25091] <- dn:
[25091] <- netlogon:
[25091] ldap response to request: basedn '', scope 0, filter '(&(DnsDomain=td1f00f7.com)(NtVer=\14\00\00\00))'
[25091] took: 1 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn '', scope 0, filter '(objectclass=*)'
[25091] -> attrs: ["*", "altServer", "namingContexts", "supportedControl", "supportedExtension", "supportedFeatures", "supportedLDAPVersion", "supportedSASLMechanisms", "domainControllerFunctionality", "defaultNamingContext", "lastUSN", "highestCommittedUSN"]
[25091] <- dn:
[25091] <- currentTime: 20200123133152.0Z
[25091] <- subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=td1f00f7,DC=com
[25091] <- dsServiceName: CN=NTDS Settings,CN=CHAD21F00F7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=td1f00f7,DC=com
[25091] <- namingContexts: CN=Configuration,DC=td1f00f7,DC=com
[25091] <- namingContexts: CN=Schema,CN=Configuration,DC=td1f00f7,DC=com
[25091] <- namingContexts: DC=ForestDnsZones,DC=td1f00f7,DC=com
[25091] <- namingContexts: DC=two1f00f7,DC=td1f00f7,DC=com
[25091] <- namingContexts: DC=DomainDnsZones,DC=two1f00f7,DC=td1f00f7,DC=com
[25091] <- defaultNamingContext: DC=two1f00f7,DC=td1f00f7,DC=com
[25091] <- schemaNamingContext: CN=Schema,CN=Configuration,DC=td1f00f7,DC=com
[25091] <- configurationNamingContext: CN=Configuration,DC=td1f00f7,DC=com
[25091] <- rootDomainNamingContext: DC=td1f00f7,DC=com
[25091] <- supportedControl: 1.2.840.113556.1.4.319
[25091] <- supportedControl: 1.2.840.113556.1.4.801
[25091] <- supportedControl: 1.2.840.113556.1.4.473
[25091] <- supportedControl: 1.2.840.113556.1.4.528
[25091] <- supportedControl: 1.2.840.113556.1.4.417
[25091] <- supportedControl: 1.2.840.113556.1.4.619
[25091] <- supportedControl: 1.2.840.113556.1.4.841
[25091] <- supportedControl: 1.2.840.113556.1.4.529
[25091] <- supportedControl: 1.2.840.113556.1.4.805
[25091] <- supportedControl: 1.2.840.113556.1.4.521
[25091] <- supportedControl: 1.2.840.113556.1.4.970
[25091] <- supportedControl: 1.2.840.113556.1.4.1338
[25091] <- supportedControl: 1.2.840.113556.1.4.474
[25091] <- supportedControl: 1.2.840.113556.1.4.1339
[25091] <- supportedControl: 1.2.840.113556.1.4.1340
[25091] <- supportedControl: 1.2.840.113556.1.4.1413
[25091] <- supportedControl: 2.16.840.1.113730.3.4.9
[25091] <- supportedControl: 2.16.840.1.113730.3.4.10
[25091] <- supportedControl: 1.2.840.113556.1.4.1504
[25091] <- supportedControl: 1.2.840.113556.1.4.1852
[25091] <- supportedControl: 1.2.840.113556.1.4.802
[25091] <- supportedControl: 1.2.840.113556.1.4.1907
[25091] <- supportedControl: 1.2.840.113556.1.4.1948
[25091] <- supportedControl: 1.2.840.113556.1.4.1974
[25091] <- supportedControl: 1.2.840.113556.1.4.1341
[25091] <- supportedControl: 1.2.840.113556.1.4.2026
[25091] <- supportedControl: 1.2.840.113556.1.4.2064
[25091] <- supportedControl: 1.2.840.113556.1.4.2065
[25091] <- supportedControl: 1.2.840.113556.1.4.2066
[25091] <- supportedControl: 1.2.840.113556.1.4.2090
[25091] <- supportedControl: 1.2.840.113556.1.4.2205
[25091] <- supportedControl: 1.2.840.113556.1.4.2204
[25091] <- supportedControl: 1.2.840.113556.1.4.2206
[25091] <- supportedControl: 1.2.840.113556.1.4.2211
[25091] <- supportedControl: 1.2.840.113556.1.4.2239
[25091] <- supportedControl: 1.2.840.113556.1.4.2255
[25091] <- supportedControl: 1.2.840.113556.1.4.2256
[25091] <- supportedLDAPVersion: 3
[25091] <- supportedLDAPVersion: 2
[25091] <- supportedLDAPPolicies: MaxPoolThreads
[25091] <- supportedLDAPPolicies: MaxPercentDirSyncRequests
[25091] <- supportedLDAPPolicies: MaxDatagramRecv
[25091] <- supportedLDAPPolicies: MaxReceiveBuffer
[25091] <- supportedLDAPPolicies: InitRecvTimeout
[25091] <- supportedLDAPPolicies: MaxConnections
[25091] <- supportedLDAPPolicies: MaxConnIdleTime
[25091] <- supportedLDAPPolicies: MaxPageSize
[25091] <- supportedLDAPPolicies: MaxBatchReturnMessages
[25091] <- supportedLDAPPolicies: MaxQueryDuration
[25091] <- supportedLDAPPolicies: MaxTempTableSize
[25091] <- supportedLDAPPolicies: MaxResultSetSize
[25091] <- supportedLDAPPolicies: MinResultSets
[25091] <- supportedLDAPPolicies: MaxResultSetsPerConn
[25091] <- supportedLDAPPolicies: MaxNotificationPerConn
[25091] <- supportedLDAPPolicies: MaxValRange
[25091] <- supportedLDAPPolicies: MaxValRangeTransitive
[25091] <- supportedLDAPPolicies: ThreadMemoryLimit
[25091] <- supportedLDAPPolicies: SystemMemoryLimitPercent
[25091] <- highestCommittedUSN: 26745
[25091] <- supportedSASLMechanisms: GSSAPI
[25091] <- supportedSASLMechanisms: GSS-SPNEGO
[25091] <- supportedSASLMechanisms: EXTERNAL
[25091] <- supportedSASLMechanisms: DIGEST-MD5
[25091] <- dnsHostName: chad21f00f7.two1f00f7.td1f00f7.com
[25091] <- ldapServiceName: td1f00f7.com:chad21f00f7$@TWO1F00F7.TD1F00F7.COM
[25091] <- serverName: CN=CHAD21F00F7,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=td1f00f7,DC=com
[25091] <- supportedCapabilities: 1.2.840.113556.1.4.800
[25091] <- supportedCapabilities: 1.2.840.113556.1.4.1670
[25091] <- supportedCapabilities: 1.2.840.113556.1.4.1791
[25091] <- supportedCapabilities: 1.2.840.113556.1.4.1935
[25091] <- supportedCapabilities: 1.2.840.113556.1.4.2080
[25091] <- supportedCapabilities: 1.2.840.113556.1.4.2237
[25091] <- isSynchronized: TRUE
[25091] <- isGlobalCatalogReady: TRUE
[25091] <- supportedExtension: 1.3.6.1.4.1.1466.20037
[25091] <- supportedExtension: 1.3.6.1.4.1.1466.101.119.1
[25091] <- supportedExtension: 1.2.840.113556.1.4.1781
[25091] <- supportedExtension: 1.3.6.1.4.1.4203.1.11.3
[25091] <- supportedExtension: 1.2.840.113556.1.4.2212
[25091] <- domainFunctionality: 4
[25091] <- forestFunctionality: 4
[25091] <- domainControllerFunctionality: 6
[25091] ldap response to request: basedn '', scope 0, filter '(objectclass=*)'
[25091] took: 2 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn '', scope 0, filter '(&(DnsDomain=td1f00f7.com)(NtVer=\14\00\00\00))'
[25091] -> attrs: ["netlogon"]
[25091] <- dn:
[25091] <- netlogon:
[25091] ldap response to request: basedn '', scope 0, filter '(&(DnsDomain=td1f00f7.com)(NtVer=\14\00\00\00))'
[25091] took: 1 ms
[25091]--------------------------------------------------
done
[25091] -> ldap request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(sAMAccountName=testdomuser1)(objectclass=user)(sAMAccountName=*)(objectSID=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "unixUserPassword", "uidNumber", "gidNumber", "gecos", "unixHomeDirectory", "loginShell", "userPrincipalName", "name", "memberOf", "objectGUID", "objectSID", "primaryGroupID", "whenChanged", "uSNChanged", "accountExpires", "userAccountControl", "userCertificate;binary", "mail"]
[25091] <- dn: CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- whenChanged: 20200121215800.0Z
[25091] <- uSNChanged: 23991
[25091] <- name: testdomuser1
[25091] <- objectGUID: i}
�^�-F�������'
[25091] <- userAccountControl: 512
[25091] <- primaryGroupID: 1110
[25091] <- objectSid:
[25091] <- sAMAccountName: testdomuser1
[25091] <- userPrincipalName: testdomuser1.com
[25091] ldap response to request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(sAMAccountName=testdomuser1)(objectclass=user)(sAMAccountName=*)(objectSID=*))'
[25091] took: 2 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(objectSID=S-1-5-21-2952548673-3887585435-3159348047-1110)(objectClass=group)(sAMAccountName=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "gidNumber", "member", "objectGUID", "objectSID", "whenChanged", "uSNChanged", "groupType"]
[25091] <- dn: CN=testday,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- whenChanged: 20200121215745.0Z
[25091] <- uSNChanged: 23858
[25091] <- objectGUID: ��m��BA���Q����
[25091] <- objectSid:
[25091] <- sAMAccountName: testday
[25091] <- groupType: -2147483646
[25091] ldap response to request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(objectSID=S-1-5-21-2952548673-3887585435-3159348047-1110)(objectClass=group)(sAMAccountName=*))'
[25091] took: 2 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(sAMAccountName=testdomuser1)(objectclass=user)(objectSID=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "unixUserPassword", "uidNumber", "gidNumber", "gecos", "unixHomeDirectory", "loginShell", "userPrincipalName", "name", "memberOf", "objectGUID", "objectSID", "primaryGroupID", "whenChanged", "uSNChanged", "accountExpires", "userAccountControl", "userCertificate;binary", "mail"]
[25091] <- dn: CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- whenChanged: 20200121215745.0Z
[25091] <- memberOf: CN=Domain Users,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- uSNChanged: 23861
[25091] <- name: testdomuser1
[25091] <- objectGUID: i}
�^�-F�������'
[25091] <- userAccountControl: 512
[25091] <- primaryGroupID: 1110
[25091] <- objectSid:
[25091] <- accountExpires: 9223372036854775807
[25091] <- sAMAccountName: testdomuser1
[25091] <- userPrincipalName: testdomuser1.com
[25091] ldap response to request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(sAMAccountName=testdomuser1)(objectclass=user)(objectSID=*))'
[25091] took: 2 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com', scope 0, filter '<no filter>'
[25091] -> attrs: ["tokenGroups"]
[25091] <- dn: CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- tokenGroups:
[25091] <- tokenGroups:
[25091] <- tokenGroups:
[25091] ldap response to request: basedn 'CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com', scope 0, filter '<no filter>'
[25091] took: 1 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(member=CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com)(objectClass=group)(sAMAccountName=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "gidNumber", "objectGUID", "objectSID", "whenChanged", "uSNChanged", "groupType"]
[25091] ldap response to request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(member=CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com)(objectClass=group)(sAMAccountName=*))'
[25091] took: 15 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(member=CN=testday,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com)(objectClass=group)(sAMAccountName=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "gidNumber", "objectGUID", "objectSID", "whenChanged", "uSNChanged", "groupType"]
[25091] ldap response to request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(member=CN=testday,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com)(objectClass=group)(sAMAccountName=*))'
[25091] took: 1 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(member=CN=Domain\20Users,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com)(objectClass=group)(sAMAccountName=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "gidNumber", "objectGUID", "objectSID", "whenChanged", "uSNChanged", "groupType"]
[25091] ldap response to request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(member=CN=Domain\20Users,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com)(objectClass=group)(sAMAccountName=*))'
[25091] took: 1 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(objectSID=S-1-5-21-2952548673-3887585435-3159348047-513)(objectClass=group)(sAMAccountName=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "gidNumber", "member", "objectGUID", "objectSID", "whenChanged", "uSNChanged", "groupType"]
[25091] <- dn: CN=Domain Users,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- member: CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- whenChanged: 20200121215745.0Z
[25091] <- uSNChanged: 23860
[25091] <- objectGUID: ��a�
G�O�AT�0�S�
[25091] <- objectSid:
[25091] <- sAMAccountName: Domain Users
[25091] <- groupType: -2147483646
[25091] ldap response to request: basedn 'dc=one1f00f7,dc=td1f00f7,dc=com', scope 2, filter '(&(objectSID=S-1-5-21-2952548673-3887585435-3159348047-513)(objectClass=group)(sAMAccountName=*))'
[25091] took: 2 ms
[25091]--------------------------------------------------
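The pasted output above is the per-request view the new probes give an administrator: a `-> ldap request` line with base DN, scope and filter, a `-> attrs` line listing the requested attributes, one `<- name: value` line per returned attribute (a `<- dn:` line starts each entry), a matching `ldap response to request` line, a `took: N ms` line and a dashed separator, each prefixed with the `sssd_be` PID. The script below is an added example, not code from the bug report or from sssd, that turns that text into structured records so a defender can spot searches that return nothing or take unusually long, such as the subtree `member=` lookups against `DC=td1f00f7,DC=com` above. The sample input is constructed by copying lines from the pasted output, and the 10 ms "slow" threshold is an arbitrary assumption for illustration.

```python
"""Parse the per-request output of the sssd systemtap LDAP-search probes.

Added example, not part of the bug report or of sssd. Line shapes are taken
from the output pasted in the report; anything that does not match them
(binary objectGUID bytes spilled onto their own line, shell noise such as
'done') is skipped rather than treated as an error.
"""
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PREFIX = re.compile(r"^\[(?P<pid>\d+)\]\s*(?P<body>.*)$")
REQUEST = re.compile(r"^-> ldap request: basedn '(?P<basedn>[^']*)', "
                     r"scope (?P<scope>\d+), filter '(?P<filter>.*)'$")
ATTRS = re.compile(r"^-> attrs: (?P<attrs>\[.*\])$")   # the list is valid JSON
RESULT = re.compile(r"^<- (?P<name>[^:]+): ?(?P<value>.*)$")
TOOK = re.compile(r"^took: (?P<ms>\d+) ms$")


@dataclass
class LdapSearch:
    pid: int
    basedn: str
    scope: int                     # 0 base, 1 onelevel, 2 subtree
    filter: str
    requested_attrs: List[str] = field(default_factory=list)
    entries: int = 0               # count of '<- dn:' lines, i.e. entries returned
    returned: Dict[str, List[str]] = field(default_factory=dict)
    took_ms: Optional[int] = None


def parse_probe_output(text: str) -> List[LdapSearch]:
    """Group probe lines into one LdapSearch per request/response pair."""
    searches: List[LdapSearch] = []
    current: Optional[LdapSearch] = None
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue                        # not a probe line; ignore
        pid, body = int(m.group("pid")), m.group("body")
        r = REQUEST.match(body)
        if r:
            current = LdapSearch(pid=pid, basedn=r["basedn"],
                                 scope=int(r["scope"]), filter=r["filter"])
            continue
        if current is None:
            continue                        # response fragment with no open request
        a = ATTRS.match(body)
        v = RESULT.match(body)
        t = TOOK.match(body)
        if a:
            current.requested_attrs = json.loads(a["attrs"])
        elif v:
            if v["name"] == "dn":
                current.entries += 1
            current.returned.setdefault(v["name"], []).append(v["value"])
        elif t:
            current.took_ms = int(t["ms"])  # 'took' closes the record
            searches.append(current)
            current = None
    return searches


def summarize(searches: List[LdapSearch]) -> Dict[str, int]:
    return {
        "searches": len(searches),
        "entries": sum(s.entries for s in searches),
        "empty": sum(1 for s in searches if s.entries == 0),
        "total_ms": sum(s.took_ms or 0 for s in searches),
    }


def flag_searches(searches: List[LdapSearch],
                  slow_ms: int = 10) -> List[Tuple[LdapSearch, List[str]]]:
    """Return searches worth a second look, with the reasons. slow_ms is an assumed threshold."""
    flagged = []
    for s in searches:
        reasons = []
        if s.entries == 0:
            reasons.append("returned no entries")
        if s.took_ms is not None and s.took_ms >= slow_ms:
            reasons.append(f"took {s.took_ms} ms (>= {slow_ms} ms)")
        if reasons:
            flagged.append((s, reasons))
    return flagged


# Constructed sample: lines copied from the probe output pasted in the report.
SAMPLE = """\
[25091] -> ldap request: basedn 'CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com', scope 0, filter '<no filter>'
[25091] -> attrs: ["tokenGroups"]
[25091] <- dn: CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com
[25091] <- tokenGroups:
[25091] <- tokenGroups:
[25091] <- tokenGroups:
[25091] ldap response to request: basedn 'CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com', scope 0, filter '<no filter>'
[25091] took: 1 ms
[25091]--------------------------------------------------
[25091] -> ldap request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(member=CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com)(objectClass=group)(sAMAccountName=*))'
[25091] -> attrs: ["objectClass", "sAMAccountName", "gidNumber", "objectGUID", "objectSID", "whenChanged", "uSNChanged", "groupType"]
[25091] ldap response to request: basedn 'DC=td1f00f7,DC=com', scope 2, filter '(&(member=CN=testdomuser1,CN=Users,DC=one1f00f7,DC=td1f00f7,DC=com)(objectClass=group)(sAMAccountName=*))'
[25091] took: 15 ms
[25091]--------------------------------------------------
done
"""

if __name__ == "__main__":
    parsed = parse_probe_output(SAMPLE)
    print(summarize(parsed))
    for s, why in flag_searches(parsed):
        print(f"scope {s.scope} base {s.basedn!r} filter {s.filter!r}: {', '.join(why)}")
```

Feeding the script the live output of the probe (for example via a pipe) gives the same grouping; the `took` line is what closes each record, so a request that never completes is simply dropped rather than attributed to the next one.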
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:1863