Hide Forgot
Description of problem: I noticed when I run sssd in debug mode that it is constantly trying to check one of my local users in domain. Every few seconds I get this entries: sssd -i -d 9 (Tue May 31 09:53:04 2011) [sssd[nss]] [sss_dp_get_reply] (4): Got reply (0, 0, Success) from Data Provider (Tue May 31 09:53:04 2011) [sssd[nss]] [sss_ncache_check_str] (8): Checking negative cache for [NCE/USER/DOMAINNAME/locallinuxuser] (Tue May 31 09:53:04 2011) [sssd[nss]] [nss_cmd_initgroups_search] (4): Requesting info for [locallinuxuser@DOMAINNAME] (Tue May 31 09:53:04 2011) [sssd[nss]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0x13f1500 (Tue May 31 09:53:04 2011) [sssd[nss]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x13f0e50 (Tue May 31 09:53:04 2011) [sssd[nss]] [ldb] (9): tevent: Destroying timer event 0x13f0e50 "ltdb_timeout" (Tue May 31 09:53:04 2011) [sssd[nss]] [ldb] (9): tevent: Ending timer event 0x13f1500 "ltdb_callback" (Tue May 31 09:53:04 2011) [sssd[nss]] [sss_ncache_set_str] (6): Adding [NCE/USER/DOMAINNAME/locallinuxuser] to negative cache (Tue May 31 09:53:04 2011) [sssd[nss]] [nss_cmd_initgroups_search] (2): No results for initgroups call (Tue May 31 09:53:04 2011) [sssd[nss]] [client_recv] (5): Client disconnected! (Tue May 31 09:53:09 2011) [sssd] [service_check_alive] (4): Checking service DOMAINNAME(18349) is still alive (Tue May 31 09:53:09 2011) [sssd] [service_send_ping] (4): Pinging DOMAINNAME (Tue May 31 09:53:09 2011) [sssd] [sbus_add_timeout] (8): 0x1453e30 (Tue May 31 09:53:09 2011) [sssd] [service_check_alive] (4): Checking service nss(18350) is still alive (Tue May 31 09:53:09 2011) [sssd] [service_send_ping] (4): Pinging nss (Tue May 31 09:53:09 2011) [sssd] [sbus_add_timeout] (8): 0x14543a0 (Tue May 31 09:53:09 2011) [sssd] [service_check_alive] (4): Checking service pam(18351) is still alive (Tue May 31 09:53:09 2011) [sssd] [service_send_ping] (4): Pinging pam (Tue May 31 09:53:09 2011) [sssd] [sbus_add_timeout] (8): 0x1451670 (Tue May 31 09:53:09 2011) [sssd[be[DOMAINNAME]]] [sbus_dispatch] (9): dbus conn: 1A87DC0 (Tue May 31 09:53:09 2011) [sssd[be[DOMAINNAME]]] [sbus_dispatch] (9): Dispatching. (Tue May 31 09:53:09 2011) [sssd[be[DOMAINNAME]]] [sbus_message_handler] (9): Received SBUS method [ping] (Tue May 31 09:53:09 2011) [sssd[nss]] [sbus_dispatch] (9): dbus conn: 13F1860 (Tue May 31 09:53:09 2011) [sssd[nss]] [sbus_dispatch] (9): Dispatching. (Tue May 31 09:53:09 2011) [sssd[nss]] [sbus_message_handler] (9): Received SBUS method [ping] (Tue May 31 09:53:09 2011) [sssd[pam]] [sbus_dispatch] (9): dbus conn: 1D75D80 (Tue May 31 09:53:09 2011) [sssd[pam]] [sbus_dispatch] (9): Dispatching. (Tue May 31 09:53:09 2011) [sssd[pam]] [sbus_message_handler] (9): Received SBUS method [ping] (Tue May 31 09:53:09 2011) [sssd] [sbus_remove_timeout] (8): 0x1453e30 (Tue May 31 09:53:09 2011) [sssd] [sbus_dispatch] (9): dbus conn: 1452EA0 (Tue May 31 09:53:09 2011) [sssd] [sbus_dispatch] (9): Dispatching. (Tue May 31 09:53:09 2011) [sssd] [ping_check] (4): Service DOMAINNAME replied to ping (Tue May 31 09:53:09 2011) [sssd] [sbus_remove_timeout] (8): 0x14543a0 (Tue May 31 09:53:09 2011) [sssd] [sbus_dispatch] (9): dbus conn: 1454740 (Tue May 31 09:53:09 2011) [sssd] [sbus_dispatch] (9): Dispatching. (Tue May 31 09:53:09 2011) [sssd] [ping_check] (4): Service nss replied to ping (Tue May 31 09:53:09 2011) [sssd] [sbus_remove_timeout] (8): 0x1451670 (Tue May 31 09:53:09 2011) [sssd] [sbus_dispatch] (9): dbus conn: 14544D0 (Tue May 31 09:53:09 2011) [sssd] [sbus_dispatch] (9): Dispatching. (Tue May 31 09:53:09 2011) [sssd] [ping_check] (4): Service pam replied to ping (Tue May 31 09:53:14 2011) [sssd[nss]] [get_client_cred] (9): Client creds: euid[0] egid[0] pid[19878]. (Tue May 31 09:53:14 2011) [sssd[nss]] [accept_fd_handler] (4): Client connected! (Tue May 31 09:53:14 2011) [sssd[nss]] [sss_cmd_get_version] (5): Received client version [1]. (Tue May 31 09:53:14 2011) [sssd[nss]] [sss_cmd_get_version] (5): Offered version [1]. (Tue May 31 09:53:14 2011) [sssd[nss]] [nss_cmd_initgroups] (4): Requesting info for [locallinuxuser] from [<ALL>] (Tue May 31 09:53:14 2011) [sssd[nss]] [sss_ncache_check_str] (8): Checking negative cache for [NCE/USER/DOMAINNAME/locallinuxuser] (Tue May 31 09:53:14 2011) [sssd[nss]] [nss_cmd_initgroups_search] (2): User [DOMAINNAME] does not exist in [locallinuxuser]! (negative cache) (Tue May 31 09:53:14 2011) [sssd[nss]] [nss_cmd_initgroups_search] (2): No matching domain found for [locallinuxuser], fail! (Tue May 31 09:53:14 2011) [sssd[nss]] [client_recv] (5): Client disconnected! First of this is strange entry: (Tue May 31 09:53:14 2011) [sssd[nss]] [nss_cmd_initgroups_search] (2): User [DOMAINNAME] does not exist in [locallinuxuser]! (negative cache) shouldn't it be?: (Tue May 31 09:53:14 2011) [sssd[nss]] [nss_cmd_initgroups_search] (2): User [locallinuxuser] does not exist in [DOMAINNAME]! (negative cache) Why sssd is trying to authenticate user on domain even if this is a local user? I used minimum_uid on pam_krb5.so in the previous configuration but now I do not use this module since as I understand it is not needed and pam_sss.so doesn't have similar option. I setup min_id = 1000 in sssd.conf but seems not to be working. Version-Release number of selected component (if applicable): sssd-client-1.5.1-34.el6.x86_64 sssd-1.5.1-34.el6.x86_64 krb5-libs-1.9-9.el6.x86_64 How reproducible: setup local account with useradd run sssd in interactive debug mode Additional info: [root@localhost ~]# cat /etc/passwd |grep locallinuxuser locallinuxuser:x:500:101::/home/locallinuxuser:/bin/bash sssd.conf [domain/DOMAINNAME] description = Domain enumerate = true min_id = 1000 #debug_level = 9 id_provider = ldap #auth_provider = ldap auth_provider = krb5 ldap_uri = ldap://activedirectoryserver1.example.com,ldap://activedirectoryserver2.example.com ldap_schema = rfc2307bis ldap_user_search_base = DC=example,DC=com ldap_group_search_base = DC=example,DC=com ldap_default_bind_dn = CN=binduser,OU=Users,DC=example,DC=com ldap_default_authtok_type = password ldap_default_authtok = PASSWORD ldap_user_object_class = user ldap_user_name = sAMAccountName ldap_user_uid_number = uidNumber ldap_user_gid_number = gidNumber ldap_user_home_directory = unixHomeDirectory ldap_user_shell = loginShell ldap_user_principal = userPrincipalName ldap_user_gecos = cn ldap_group_object_class = group ldap_group_name = name ldap_group_member = member ldap_group_gid_number = gidNumber ldap_force_upper_case_realm = True #krb5 krb5_server = 192.168.0.2 krb5_realm = EXAMPLE.COM krb5_validate = true krb5_keytab = /etc/krb5.keytab krb5_store_password_if_offline = true cache_credentials = true
This is not a bug in SSSD. The design of initgroups() in glibc requires that ALL name-service plugins are checked whenever initgroups() is requested of any user. Unlike the getpwuid/getpwnam() routines, which stops after the first time it encounters the requested user, initgroups() will always search through all of them. If this is causing undue stress on your LDAP server, you can add the filter_users = locallinuxuser And it will be permanently stored in the negative cache.
Hi, Thanks for your response. I added localinuxuser to sssd.conf (filter_users = root,locallinuxuser). Stopped sssd then removed everything from /var/lib/sss/db folder just in case. Started again and I still get: (Tue May 31 14:14:47 2011) [sssd[nss]] [sss_ncache_check_str] (8): Checking negative cache for [NCE/USER/DOMAINNAME/localinuxuser] (Tue May 31 14:14:47 2011) [sssd[nss]] [nss_cmd_initgroups_search] (2): User [DOMAINNAME] does not exist in [localinuxuser]! (negative cache) Also this is strange: User [DOMAINNAME] does not exist in [localinuxuser] Part of sssd -i -d 9 output: (Tue May 31 14:14:47 2011) [sssd[nss]] [get_client_cred] (9): Client creds: euid[0] egid[0] pid[16717]. (Tue May 31 14:14:47 2011) [sssd[nss]] [accept_fd_handler] (4): Client connected! (Tue May 31 14:14:47 2011) [sssd[nss]] [sss_cmd_get_version] (5): Received client version [1]. (Tue May 31 14:14:47 2011) [sssd[nss]] [sss_cmd_get_version] (5): Offered version [1]. (Tue May 31 14:14:47 2011) [sssd[nss]] [nss_cmd_initgroups] (4): Requesting info for [localinuxuser] from [<ALL>] (Tue May 31 14:14:47 2011) [sssd[nss]] [sss_ncache_check_str] (8): Checking negative cache for [NCE/USER/DOMAINNAME/localinuxuser] (Tue May 31 14:14:47 2011) [sssd[nss]] [nss_cmd_initgroups_search] (2): User [DOMAINNAME] does not exist in [localinuxuser]! (negative cache) (Tue May 31 14:14:47 2011) [sssd[nss]] [nss_cmd_initgroups_search] (2): No matching domain found for [localinuxuser], fail! (Tue May 31 14:14:47 2011) [sssd[nss]] [client_recv] (5): Client disconnected!
(In reply to comment #3) > Hi, > > Thanks for your response. I added localinuxuser to sssd.conf (filter_users = > root,locallinuxuser). > Stopped sssd then removed everything from /var/lib/sss/db folder just in case. > Started again and I still get: > (Tue May 31 14:14:47 2011) [sssd[nss]] [sss_ncache_check_str] (8): Checking > negative cache for [NCE/USER/DOMAINNAME/localinuxuser] > > (Tue May 31 14:14:47 2011) [sssd[nss]] [nss_cmd_initgroups_search] (2): User > [DOMAINNAME] does not exist in [localinuxuser]! (negative cache) > Yes, this is expected. We still get the request, this is just the notification that it's been detected in the negative cache, which means that it won't continue on to LDAP (it gets rejected locally). This is the best that we can do, given the way that glibc functions. > Also this is strange: > User [DOMAINNAME] does not exist in [localinuxuser] > Whoops, that's a bug in the log message. It's harmless, though. We just reversed the two variables being printed. The processing is occurring properly.
I opened https://bugzilla.redhat.com/show_bug.cgi?id=709342 to fix the typo.
Thanks for your help