Description of problem:

Version-Release number of selected component (if applicable):
sssd-1.5.1-24.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Configure SSSD for multiple domains (see additional info for sssd.conf).
2. Try to authenticate as a user from domain2.
3. Observe the time for successful authentication.

Actual results:
Takes approx. 30 seconds. Replace "domains = domain1,domain2" with "domains = domain2,domain1" and try authentication. Now it takes ~9 seconds.

Expected results:
Login time should not increase strongly.

Additional info:

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = domain1,domain2
debug_level = 9

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 9

[pam]
reconnection_retries = 3
debug_level = 9

[domain/domain1]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://sssdldap.redhat.com:636
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/cacert.asc
cache_credentials = true
enumerate = false
debug_level = 9

[domain/domain2]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://shanksldap.redhat.com:636
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/shanks/cacert.asc
cache_credentials = true
enumerate = false
debug_level = 9
min_id = 59990
max_id = 59999
Upstream ticket https://fedorahosted.org/sssd/ticket/843
Tested with: sssd-1.15.2-37.el7.x86_64

Steps followed during verification:

1) Configure SSSD for multiple domains.

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = domain1,domain2
debug_level = 9

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 9

[pam]
reconnection_retries = 3
debug_level = 9

[domain/domain1]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://firstserver.example.com:636
ldap_search_base = dc=redhat,dc=org
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_cacert = /etc/openldap/certs/cacert1.pem
cache_credentials = true
enumerate = false
debug_level = 9

[domain/domain2]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://secondserver.example.com:636
ldap_search_base = dc=redhat,dc=org
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_cacert = /etc/openldap/certs/cacert2.pem
cache_credentials = true
enumerate = false
debug_level = 9

2) Add a user in both domains.
test_first added in domain1
test_second added in domain2

3) Check the user lookup.

# id test_first@domain1
uid=10022(test_first) gid=10022 groups=10022

# id test_second@domain2
uid=10025(test_second) gid=10025 groups=10025

4) Check time for successful login.

i) when domains = domain1,domain2 in sssd.conf

# cat /etc/sssd/sssd.conf | grep domain
domains = domain1,domain2

# time ./login_time.sh test_first@domain1 Secret123
spawn ssh -q -l test_first@domain1 localhost echo 'login successful'
test_first@domain1@localhost's password:
/usr/bin/id: cannot find name for group ID 10022
login successful

real 0m0.538s
user 0m0.001s
sys 0m0.006s

# time ./login_time.sh test_second@domain2 Secret123
spawn ssh -q -l test_second@domain2 localhost echo 'login successful'
test_second@domain2@localhost's password:
/usr/bin/id: cannot find name for group ID 10025
login successful

real 0m0.560s
user 0m0.002s
sys 0m0.008s

5) Clear the sssd cache and start sssd again.

# service sssd stop; rm -rf /var/lib/sss/db/*; rm -rf /var/log/sssd/*; service sssd start

6) when domains = domain2,domain1 in sssd.conf

# cat /etc/sssd/sssd.conf | grep domain
domains = domain2,domain1

# time ./login_time.sh test_first@domain1 Secret123
spawn ssh -q -l test_first@domain1 localhost echo 'login successful'
test_first@domain1@localhost's password:
/usr/bin/id: cannot find name for group ID 10022
login successful

real 0m0.588s
user 0m0.003s
sys 0m0.005s

# time ./login_time.sh test_second@domain2 Secret123
spawn ssh -q -l test_second@domain2 localhost echo 'login successful'
test_second@domain2@localhost's password:
/usr/bin/id: cannot find name for group ID 10025
login successful

real 0m0.524s
user 0m0.002s
sys 0m0.008s
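Both the original report and the verification above hinge on the same two things in a multi-domain sssd.conf: the order of the `domains` list (which is the order SSSD tries for an unqualified login name) and each LDAP domain's TLS settings (ldaps:// URI, `ldap_tls_reqcert = demand`, a CA certificate). The following is an added example, not a script from this bug or from the SSSD project, that reads such a config with Python's standard configparser and reports the lookup order plus any domain whose TLS settings are weaker than the ones shown in the report; the embedded config is constructed from the report's layout with placeholder hostnames and domain2 deliberately weakened.

```python
import configparser
from typing import Dict, List

# Constructed sample modelled on the report's sssd.conf (hostnames are placeholders).
# domain2 is intentionally weaker than the report's config so the lint has findings.
SAMPLE_CONF = """
[sssd]
config_file_version = 2
services = nss, pam
domains = domain1,domain2

[domain/domain1]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://firstserver.example.com:636
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/certs/cacert1.pem

[domain/domain2]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://secondserver.example.com
ldap_tls_reqcert = allow
"""

def _parse(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def domain_order(text: str) -> List[str]:
    """Domains as listed in [sssd], i.e. the order tried for an unqualified user name."""
    raw = _parse(text).get("sssd", "domains", fallback="")
    return [d.strip() for d in raw.split(",") if d.strip()]

def lint_ldap_domains(text: str) -> Dict[str, List[str]]:
    """Return {domain: [findings]} for each listed domain; an empty list means no finding."""
    cp = _parse(text)
    report: Dict[str, List[str]] = {}
    for dom in domain_order(text):
        sec = f"domain/{dom}"
        issues: List[str] = []
        if not cp.has_section(sec):
            issues.append("listed in [sssd] domains but has no [domain/...] section")
        elif cp.get(sec, "id_provider", fallback="") == "ldap":
            if not cp.get(sec, "ldap_uri", fallback="").startswith("ldaps://"):
                issues.append("ldap_uri is not ldaps:// as in the report's config")
            # 'hard' is SSSD's default and equivalent to 'demand'; anything else is weaker
            if cp.get(sec, "ldap_tls_reqcert", fallback="hard") not in ("demand", "hard"):
                issues.append("ldap_tls_reqcert does not demand a valid server certificate")
            if not (cp.has_option(sec, "ldap_tls_cacert") or cp.has_option(sec, "ldap_tls_cacertdir")):
                issues.append("no ldap_tls_cacert/ldap_tls_cacertdir; relies on the system trust store")
        report[dom] = issues
    return report

if __name__ == "__main__":
    print("lookup order:", " -> ".join(domain_order(SAMPLE_CONF)))
    for dom, issues in lint_ldap_domains(SAMPLE_CONF).items():
        print(dom + ":", "OK" if not issues else "; ".join(issues))
```

Run it against /etc/sssd/sssd.conf by reading the file into `lint_ldap_domains` instead of `SAMPLE_CONF`; fully-qualified logins such as test_second@domain2 bypass the ordered search, which is why the verification timings above are flat regardless of order.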
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:2294