Bug 1795127 - SSSD fails to perform offline authentication
Status: CLOSED DUPLICATE of bug 1803134
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Sumit Bose
QA Contact: sssd-qe
Reported: 2020-01-27 08:05 UTC by Simo Sorce
Modified: 2020-11-03 21:02 UTC (History)
Last Closed: 2020-10-22 09:49:45 UTC
Type: Bug
pm-rhel: mirror+


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd pull 1005 0 None closed pam: Use cache for users with existing session 2020-10-22 09:47:45 UTC

Description Simo Sorce 2020-01-27 08:05:21 UTC
Description of problem:
When in a very low bandwidth situation or completely offline, SSSD times out and does not permit authentication at all.
At the console login the pam conversation times out before the user can be resolved.

Version-Release number of selected component (if applicable):
Started happening in 8.1 afaik

How reproducible:
When offline.

Steps to Reproduce:
1. Install SSSD joined to IPA in a VM and log in once.
2. Set tc to emulate very slow speed or disconnect the network from the laptop (so that the VM sees a network interface but packets go nowhere).
3. Try to log in at the console.

Actual results:
Authentication times out

Expected results:
Access is granted immediately

Additional info:

Comment 1 Sumit Bose 2020-01-27 08:30:17 UTC
Hi Simo,

this might be related to https://pagure.io/SSSD/sssd/issue/4114, can you try SSSD from 8.2 or do you prefer a test build for 8.1?

bye,
Sumit

Comment 2 Simo Sorce 2020-01-29 16:45:32 UTC
As long as it installs on 8.1 either works.
You can also point me at a dist-git tree, then I can build my own packages with the patches I have to remove the login delay that I have produced a while back and are on pagure upstream.

Comment 6 Simo Sorce 2020-02-11 15:58:12 UTC
Hi Sumit,
I tested with the patches you mentioned.

Now my sssd behaves much better on the slow link (with my additional patches for logged in user speedup), so I believe the patches you gave me already improve the situation. I would go as far as saying they can probably fix this bug too, however I haven't tested yet fully offline logins as I am in meetings all day.

Sounds quite promising though.

Comment 7 Sumit Bose 2020-02-11 17:12:49 UTC
Hi Simo,

thanks for the feedback. I will keep this ticket open. Since the patches are already included in the RHEL-8.2 build feel free to close this ticket when your tests are successful.

bye,
Sumit

Comment 8 Simo Sorce 2020-02-12 17:14:41 UTC
I have to retract my optimism.
Today I tested an offline situation, I disabled my network cards on the laptop and tried to log in in the VM that is joined to IPA.REDHAT.COM using SSSD. The lockscreen prompt never allowed me to set a password, SSSD seems to be stuck trying to resolve my user for some reason.
As soon as I reconnected my ethernet on the laptop the lock screen login prompt unlocked and allowed me to enter a password.

Also for my other problem it seems the first enthusiasm was a fluke due to short term caching, later on I kept having to wait for some online resolution before a prompt was given.

So it seems the patches were not really useful after all. There must be something in recent SSSD that insists on trying to do something online even when clearly there is no access to the remote server (note that this doesn't mean there is no network, just that there are no routes to reach the server).

Comment 9 Sumit Bose 2020-02-13 07:48:22 UTC
Hi,

I'm running a similar setup with recent SSSD which is offline in the sense that the servers cannot be reached quite often and do not see such delays. Please attach SSSD logs with debug_level=9 or send them to me directly.

bye,
Sumit

Comment 10 Sumit Bose 2020-02-13 08:23:43 UTC
Hi,

are you using a KDC proxy setup?

bye,
Sumit

Comment 11 Simo Sorce 2020-02-17 20:38:11 UTC
No I am using IPA.REDHAT.COM over the VPN.
I also do not see delays right after I boot the machine (and VPN has not been brought up yet).
I generally get stuck when the machine is (or believes to be) on the VPN but the actual underlying network is either very slow or actually gone, but the physical link is still up.

Comment 12 Simo Sorce 2020-02-17 20:55:54 UTC
Created attachment 1663588 [details]
level 9 logs

This log was obtained this way:
- sudo -i in the VM
- raise debug_level = 9 in [sssd], [nss], [pam], and the domain section
- restart sssd
- turn off ethernet in the outer host
- lock screen in VM
- back to VM wait at GDM prompt to reauthenticate until GDM, instead, times out never allowing the prompt to ask for a password to be editable
- turn ethernet back on in the outer host
- observe how GDM prompt finally becomes editable requesting a password
- log in
- turn off high level debugging

HTH

Comment 13 Sumit Bose 2020-09-15 12:39:22 UTC
Hi Simo,

I'm sorry for the delay, I thought I already pinged you on some other channel.

The logs and the delay make sense because you increased the defaults of ldap_search_timeout, ldap_search_timeout and ldap_opt_timeout from 6, 6, 8 to 15, 15, 15.

Btw, your session detection patches were committed with https://github.com/SSSD/sssd/pull/1005 after fixing some cache_req behavior. They are available in sssd-2.3.0 and hence available in F31 and newer and in the next RHEL-8 release.

bye,
Sumit
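
An added example, not part of the thread or of SSSD itself: a small Python check that reads an sssd.conf and lists domain-section timeouts set above the defaults quoted in comment 13, since raised values lengthen the wait before a login can proceed without the server. The sample configuration and the domain name example.test are constructed, and only the two distinct option names from the comment are checked.

```python
import configparser

# Defaults in seconds, as quoted in comment 13. The comment names
# ldap_search_timeout twice, so only the two distinct options are checked.
PAGE_DEFAULTS = {"ldap_search_timeout": 6, "ldap_opt_timeout": 8}

# Constructed sample sssd.conf; the domain name and values are illustrative.
SAMPLE_CONF = """
[sssd]
domains = example.test
services = nss, pam

[domain/example.test]
id_provider = ipa
cache_credentials = True
ldap_search_timeout = 15
ldap_opt_timeout = 15
"""


def raised_timeouts(conf_text, defaults=PAGE_DEFAULTS):
    """Return (section, option, configured, default) for each domain-section
    timeout that is set above its default or is not a number."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue  # these timeouts are per-domain options
        for option, default in defaults.items():
            raw = parser.get(section, option, fallback=None)
            if raw is None:
                continue  # unset: the default applies
            try:
                value = int(raw.strip())
            except ValueError:
                findings.append((section, option, raw, default))
                continue
            if value > default:
                findings.append((section, option, value, default))
    return findings


if __name__ == "__main__":
    for section, option, value, default in raised_timeouts(SAMPLE_CONF):
        print(f"[{section}] {option} = {value} (default {default})")
```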

