On Wed, Sep 18, 2013 at 10:39:42AM +0200, Jean-Baptiste Denis wrote:
Hello everybody,
I've got an sssd configuration with two ldap domains. The nss part of
the configuration is this one:
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
override_shell = /bin/bash
entry_negative_timeout = 15
debug_level = 0x02F0
I've got a program that crawls a filesystem. For some reason, a bunch of
files have a uid which does not "resolve" to anything. My ldap backends
are hammered with requests like this one:
slapd[31421]: conn=361745 op=1712 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(uidNumber=1047)(objectClass=posixAccount))
In /var/log/sssd/sssd_nss.log, it corresponds to a lot of:
....
[sssd[nss]] [nss_cmd_getpwuid_search] (0x0040): No matching domain found for [1047], fail!
...
I thought that the "entry_negative_timeout" in the nss part of the
configuration would prevent this kind of behaviour, but I obviously
didn't guess right.
Any advice?
Jean-Baptiste
Hi Jean-Baptiste,
From the snippets you sent it indeed seems the UID is searched for. But
after one such search, the entry should be cached in the negative cache
and no requests towards the backend should be issued. Is it not the
case?
btw for your case you might want to either increase the negative timeout
a bit or, if the list of unresolvable UIDs is not long, filter them out
directly:
filter_users = root, 1047
filter_users can be used in both the nss section and the domain section.
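
One way to check the question raised in the reply, whether repeat lookups for the same UID still reach the backend inside the negative-cache window, is to measure it from the slapd log. The script below is an added example, not part of the original messages: the sample log lines (timestamps, host name, op ids) are constructed, and it assumes syslog-style timestamps, a log taken from a single LDAP server, and that the cache window starts at the first search.

```python
import re
from collections import defaultdict
from datetime import datetime

NEGATIVE_TIMEOUT = 15  # entry_negative_timeout from the [nss] section above

# Constructed sample: (second, uidNumber) pairs rendered as slapd SRCH lines.
_TEMPLATE = ('Sep 18 10:00:{s:02d} ldap1 slapd[31421]: conn=361745 op={op} SRCH '
             'base="ou=users,dc=example,dc=com" scope=2 deref=0 '
             'filter="(&(uidNumber={uid})(objectClass=posixAccount))"')
_EVENTS = [(0, 1047), (1, 2001), (3, 1047), (9, 1047), (20, 1047), (30, 2001)]
SAMPLE_LOG = "\n".join(_TEMPLATE.format(s=s, op=1712 + i, uid=u)
                       for i, (s, u) in enumerate(_EVENTS))
SAMPLE_LOG += "\nSep 18 10:00:31 ldap1 slapd[31421]: conn=361745 op=1720 UNBIND"

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ slapd\[\d+\]: .*\bSRCH\b.*"
    r"\(uidNumber=(?P<uid>\d+)\)")

def searches_by_uid(log_text, year=2013):
    """Map each uidNumber to the timestamps of its SRCH requests.
    Syslog lines carry no year, so one is assumed (hypothetical default)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            hits[int(m["uid"])].append(ts)
    return hits

def cache_misses(log_text, timeout=NEGATIVE_TIMEOUT):
    """Return {uid: n} where n searches arrived while a negative-cache
    entry created by an earlier search should still have been valid."""
    report = {}
    for uid, stamps in searches_by_uid(log_text).items():
        stamps.sort()
        window_start, early = stamps[0], 0
        for ts in stamps[1:]:
            if (ts - window_start).total_seconds() < timeout:
                early += 1          # backend hit inside the cache window
            else:
                window_start = ts   # entry expired; this search re-arms it
        if early:
            report[uid] = early
    return report

if __name__ == "__main__":
    for uid, n in sorted(cache_misses(SAMPLE_LOG).items()):
        print(f"uid {uid}: {n} searches inside the {NEGATIVE_TIMEOUT}s window")
```

An empty result means every repeat search fell outside the window, which is what a working negative cache looks like from the backend side.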