> Hi Jean-Baptiste,
Hi Jakub,
> From the snippets you sent it indeed seems the UID is searched for. But
> after one such search, the entry should be cached in the negative cache
> and no requests towards the backend should be issued. Is it not the
> case?
From my point of view it is not. Here is a simple version of what I'm
observing (I can reproduce it):
From the client:
client $ getent passwd 1047
From the client, in another terminal:
client $ tail -f /var/log/sssd/sssd_nss.log
(Wed Sep 18 13:20:35 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Sep 18 13:20:35 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Sep 18 13:20:35 2013) [sssd[nss]] [nss_cmd_getpwuid_search] (0x0040): No matching domain found for [1047], fail!
(Wed Sep 18 13:20:35 2013) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
On the ldap server (one line per sssd domain):
ldapserver $ tail -f /var/log/openldap/slapd.log|grep "uidNumber=1047"|grep 1047
Sep 18 13:22:00 pantero slapd[31421]: conn=387670 op=5 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(uidNumber=1047)(objectClass=posixAccount))"
Sep 18 13:22:00 pantero slapd[31421]: conn=387671 op=5 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(uidNumber=1047)(objectClass=posixAccount))"
Each time I issue a "getent passwd 1047", I've got those entries in the log.
> btw for your case you might want to either increase the negative timeout
> a bit or,
Indeed. I just wanted to be explicit in the configuration to be sure of
what I was testing.
> if the list of unresolvable UIDs is not long, filter them out directly:
> filter_users = root, 1047
Unfortunately, I don't know them in advance.
Some precision: CentOS 6.4 with sssd 1.9.2.
Here is my sssd.conf:
[sssd]
config_file_version = 2
services = nss, pam
domains = home, ldap_home
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
override_shell = /bin/bash
entry_negative_timeout = 15
debug_level = 0x02F0
[pam]
[domain/home]
override_homedir = /home/%u
# comma separated list of users you want to honor their ldap
# homeDirectory (fallback to ldap_home)
# filter_users = test
ldap_tls_reqcert = demand
auth_provider = ldap
ldap_schema = rfc2307
ldap_search_base = ou=users,dc=example,dc=com
ldap_group_search_base = ou=groups,dc=example,dc=com
id_provider = ldap
ldap_id_use_start_tls = True
# We do not authorize password change
chpass_provider = none
ldap_uri = ldap://ldap.example.com/
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/certs
ldap_network_timeout = 3
# getent passwd will only list /etc/passwd, but id or getent passwd
# login will query ldap
#enumerate = True
ldap_page_size = 500
debug_level = 0x02F0
# exactly the same as domain/home, without the override_homedir
# and the filter_users directive
[domain/ldap_home]
ldap_tls_reqcert = demand
auth_provider = ldap
ldap_schema = rfc2307
ldap_search_base = ou=users,dc=example,dc=com
ldap_group_search_base = ou=groups,dc=example,dc=com
id_provider = ldap
ldap_id_use_start_tls = True
# We do not authorize password change
chpass_provider = none
ldap_uri = ldap://ldap.example.com/
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/certs
ldap_network_timeout = 3
# getent passwd will only list /etc/passwd, but id or getent passwd
# login will query ldap
#enumerate = True
ldap_page_size = 500
debug_level = 0x02F0
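The check Jean-Baptiste performs by hand above (repeat `getent passwd 1047`, then watch slapd for a fresh SRCH each time) can be automated over the slapd access log. The script below is an added example, not part of the thread or of the sssd project: it parses slapd `SRCH` lines of the format shown above, and flags any uidNumber search that is repeated on the same backend connection sooner than `entry_negative_timeout` allows, which is exactly the symptom discussed here. The sample log lines are constructed for the example (modelled on the two lines in the thread, plus a later pair and an unrelated UID); the year 2013 is assumed because syslog timestamps carry none, and using the slapd connection id as a stand-in for "one sssd domain" is a heuristic that assumes each domain keeps its own persistent connection.

```python
"""Spot uidNumber lookups that reach OpenLDAP again inside SSSD's
negative-cache window (entry_negative_timeout), from slapd log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample slapd access-log lines (not real data). The first two
# reproduce the pattern from the thread: one getent, one SRCH per sssd domain
# (conn=387670 and conn=387671). Seven seconds later the same UID is searched
# again on both connections; UID 2001 is searched twice 20 seconds apart.
SAMPLE_SLAPD_LOG = """\
Sep 18 13:22:00 pantero slapd[31421]: conn=387670 op=5 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(uidNumber=1047)(objectClass=posixAccount))"
Sep 18 13:22:00 pantero slapd[31421]: conn=387671 op=5 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(uidNumber=1047)(objectClass=posixAccount))"
Sep 18 13:22:07 pantero slapd[31421]: conn=387670 op=6 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(uidNumber=1047)(objectClass=posixAccount))"
Sep 18 13:22:07 pantero slapd[31421]: conn=387671 op=6 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(uidNumber=1047)(objectClass=posixAccount))"
Sep 18 13:22:30 pantero slapd[31421]: conn=387670 op=7 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(uidNumber=2001)(objectClass=posixAccount))"
Sep 18 13:22:50 pantero slapd[31421]: conn=387670 op=8 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(uidNumber=2001)(objectClass=posixAccount))"
"""

# Value taken from the [nss] section of the sssd.conf posted in the thread.
ENTRY_NEGATIVE_TIMEOUT = 15

# Captures the syslog timestamp, the slapd connection id and the uidNumber
# inside the search filter; lines that are not uidNumber searches are skipped.
SRCH_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ slapd\[\d+\]: '
    r'conn=(?P<conn>\d+) op=\d+ SRCH .*filter="\(&\(uidNumber=(?P<uid>\d+)\)'
)


def parse_searches(log_text, year=2013):
    """Return (timestamp, conn, uid) for every uidNumber SRCH line.

    Syslog timestamps have no year, so one is assumed (2013 here, the date
    of the thread); double spaces before single-digit days are collapsed.
    """
    found = []
    for line in log_text.splitlines():
        m = SRCH_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m.group("ts").split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        found.append((ts, m.group("conn"), m.group("uid")))
    return found


def searches_per_uid(log_text, year=2013):
    """Count how many times each uidNumber was searched in the backend."""
    counts = defaultdict(int)
    for _, _, uid in parse_searches(log_text, year):
        counts[uid] += 1
    return dict(counts)


def find_repeated_searches(log_text, negative_timeout, year=2013):
    """Flag searches whose previous search for the same uid on the same
    connection happened less than negative_timeout seconds earlier.

    With a working negative cache the repeat should have been answered
    from cache, so every flagged entry is a lookup that bypassed it.
    Grouping by connection id is a heuristic for 'per sssd domain'.
    """
    last_seen = {}
    repeats = []
    for ts, conn, uid in sorted(parse_searches(log_text, year)):
        key = (conn, uid)
        if key in last_seen:
            delta = (ts - last_seen[key]).total_seconds()
            if delta < negative_timeout:
                repeats.append({"uid": uid, "conn": conn,
                                "seconds_since_previous": delta})
        last_seen[key] = ts
    return repeats


if __name__ == "__main__":
    # Usage: python3 check_negcache.py < /var/log/openldap/slapd.log
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SLAPD_LOG
    print("searches per uid:", searches_per_uid(text))
    for r in find_repeated_searches(text, ENTRY_NEGATIVE_TIMEOUT):
        print(f"uid {r['uid']} searched again on conn {r['conn']} after "
              f"{r['seconds_since_previous']:.0f}s (< {ENTRY_NEGATIVE_TIMEOUT}s)")
```

Run against the constructed sample it reports UID 1047 twice (once per connection, 7 seconds apart) and stays silent about UID 2001, whose second lookup falls outside the 15-second window. Feeding it a real slapd log (`grep SRCH` is not needed, non-matching lines are ignored) gives a direct count of how many backend round trips a single unresolvable UID is costing.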