sssd performance on large domains
by zfnoctis@gmail.com
Hi,
I'm wondering if there are any plans to improve sssd performance on large active directory domains (100k+ users, 40k+ groups), or if there are settings I am not aware of that can greatly improve performance, specifically for workstation use cases.
Currently if I do not set "ignore_group_members = True" in sssd.conf, logins can take upwards of 6 minutes and "sssd_be" will max the CPU for up to 20 minutes after logon, which makes it a non-starter. The reason I want to allow group members to be seen is that I want certain domain groups to be able to perform elevated actions using polkit. If I ignore group members, polkit reports that the group is empty and so no one can elevate in the graphical environment.
Ultimately this means that Linux workstations are at a severe disadvantage since they cannot be bound to the domain and have the normal set of access features users and IT expect from macOS or Windows.
Distributions used: Ubuntu 16.04 (sssd 1.13.4-1ubuntu1.1), Ubuntu 16.10 (sssd 1.13.4-3) and Fedora 24 (sssd-1.13.4-3.fc24). All exhibit the same problems.
I've also tried "ldap_group_nesting_level = 1" without seeing any noticeable improvement with respect to performance. Putting the database on /tmp isn't viable as these are workstations that will reboot semi-frequently, and I don't believe this is an I/O bound performance issue anyways.
Thanks for your time.
1 year, 10 months
Enumerate users from external group from AD trust
by Bolke de Bruin
Hello,
I have sssd 1.13.00 working against a FreeIPA 4.2 domain. This domain has a trust relationship with an Active Directory domain.
One of the systems we are using requires enumerating all users in groups by (unfortunate) design (Apache Ranger). This is done by using
“getent group”. During this enumeration the full user list for a group that has a nested external member group* is not always returned, so we thought to
add “getent group mygroup” in order to get more details. Unfortunately this does not seem to work consistently: sometimes this gives information, sometimes it does not:
[root@master centos]# getent group ad_users
ad_users:*:1950000004:
[root@master centos]# id bolke@ad.local
UID=1796201107(bolke@ad.local) GID=1796201107(bolke@ad.local) groepen=1796201107(bolke@ad.local),1796200513(domain users@ad.local),1796201108(test@ad.local)
[root@master centos]# getent group ad_users
ad_users:*:1950000004:bolke@ad.local
If I clear the cache (sss_cache -E) the entry is gone again:
[root@master centos]# getent group ad_users
ad_users:*:1950000004:
My question is how do I get sssd to enumerate *all users* in a group consistently?
Thanks!
Bolke
* https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-g...
4 years
SSSD for one-way trusted AD domain
by Ondrej Valousek
Hi List,
Question: we have joined a machine into AD domain B. This domain has a one-way trust to domain A. No direct connection from the domain B network to DCs in domain A is possible.
Can we use SSSD to authenticate members in domain A?
In Windows this works, but I can't get it working in Linux via SSSD (Fedora 25, used realmd for the AD join).
Thanks,
Ondrej
5 years, 6 months
Does anyone use id_provider=local ?
by Jakub Hrozek
Hi,
are there any SSSD users who actively use a configuration with:
id_provider=local ?
If so, what is your use-case?
We're considering deprecating and eventually removing this provider
upstream. The replacement for id_provider=local would be id_provider=files:
https://fedorahosted.org/sssd/wiki/DesignDocs/FilesProvider
which is already under review, and later an extension of SSSD's D-Bus
interface to allow manipulating custom user attributes.
My current plan for deprecating the local provider is to only build the
provider and the tools around it if a configure-time flag is provided.
This flag would be disabled by default. Then, if no one complains,
eventually just remove the code.
6 years, 1 month
sssd-ad on centos 7
by William Edsall
Hello list,
I've configured sssd on Centos 7 with the very basics. I'm able to id my
own user account, which was used to join the domain (via realm), but unable
to id any other account.
Does anything make sense about this? I should mention this is a very large
(50,000+) corporate AD.
Thanks
William
6 years, 2 months
Cannot log in via ssh due to sssd_pam system_error
by Avi Kivity
Plain centos 7 box, sssd-1.14.0-43.el7_3.18.x86_64
Log says:
(Wed Aug 30 06:59:11 2017) [sssd[pam]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/cloudius-systems.com/avi@cloudius-systems.com]
(Wed Aug 30 06:59:11 2017) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fd4f5f68030:3:avi@cloudius-systems.com@cloudius-systems.com]
(Wed Aug 30 06:59:11 2017) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [cloudius-systems.com][0x3][BE_REQ_INITGROUPS][1][name=avi@cloudius-systems.com:-]
(Wed Aug 30 06:59:11 2017) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x7fd4f7030710
(Wed Aug 30 06:59:11 2017) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fd4f5f68030:3:avi@cloudius-systems.com@cloudius-systems.com]
(Wed Aug 30 06:59:11 2017) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x7fd4f7030710
(Wed Aug 30 06:59:11 2017) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Wed Aug 30 06:59:11 2017) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [avi@cloudius-systems.com]
(Wed Aug 30 06:59:11 2017) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [avi@cloudius-systems.com@cloudius-systems.com]
(Wed Aug 30 06:59:11 2017) [sssd[pam]] [pd_set_primary_name] (0x0400): User's primary name is avi@cloudius-systems.com
(Wed Aug 30 06:59:11 2017) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [avi] added to PAM initgroup cache
(Wed Aug 30 06:59:11 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Wed Aug 30 06:59:11 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Wed Aug 30 06:59:11 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: cloudius-systems.com
(Wed Aug 30 06:59:11 2017) [sssd[pam]] [pam_print_data] (0x0100): user: avi@cloudius-systems.com
(Wed Aug 30 06:59:11 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Wed Aug 30 06:59:11 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Wed Aug 30 06:59:11 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Wed Aug 30 06:59:11 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: 77.138.249.123
(Wed Aug 30 06:59:11 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Wed Aug 30 06:59:11 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Aug 30 06:59:11 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Wed Aug 30 06:59:11 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 3991
(Wed Aug 30 06:59:11 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: avi
(Wed Aug 30 06:59:11 2017) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x7fd4f702de30
(Wed Aug 30 06:59:11 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Wed Aug 30 06:59:11 2017) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7fd4f5f68030:3:avi@cloudius-systems.com@cloudius-systems.com]
(Wed Aug 30 06:59:13 2017) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x7fd4f702de30
(Wed Aug 30 06:59:13 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [4 (System error)][cloudius-systems.com]
(Wed Aug 30 06:59:13 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
(Wed Aug 30 06:59:13 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 37
(Wed Aug 30 06:59:13 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
Any idea what went wrong?
6 years, 2 months
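The sssd_pam log above follows sssd's uniform debug format, "(timestamp) [sssd[component]] [function] (0xlevel): message", and the component name can itself carry brackets (the sssd_be log quoted in the next post is tagged [sssd[be[LDAP]]]). When such a log is pasted into mail or copied from a narrow terminal, messages arrive wrapped across lines, which defeats a plain grep. The parser below is an added example written for this page, not code from the post or from the SSSD project: it rejoins wrapped lines, recovers the fields pam_print_data logs for the request, pulls the final pam_reply result, and separates records logged at sssd's failure debug levels. The sample log is constructed from the messages quoted above; the level bitmask (0x0010 to 0x0080 for fatal, critical, serious and minor failures) follows the sssd.conf debug_level documentation.

```python
import re

# Constructed sample, modelled on the sssd_pam debug output quoted in the post
# above. Messages are wrapped onto continuation lines the way they arrive when
# a log is pasted into mail; one header is even split before its debug level.
SAMPLE_LOG = """\
(Wed Aug 30 06:59:11 2017) [sssd[pam]] [sss_dp_issue_request] (0x0400):
Issuing request for
[0x7fd4f5f68030:3:avi@cloudius-systems.com@cloudius-systems.com]
(Wed Aug 30 06:59:11 2017) [sssd[pam]] [sss_dp_get_account_msg]
(0x0400): Creating request for
[cloudius-systems.com][0x3][BE_REQ_INITGROUPS][1][name=avi@cloudius-systems.com:-]
(Wed Aug 30 06:59:11 2017) [sssd[pam]] [pam_print_data] (0x0100):
command: SSS_PAM_ACCT_MGMT
(Wed Aug 30 06:59:11 2017) [sssd[pam]] [pam_print_data] (0x0100):
service: sshd
(Wed Aug 30 06:59:13 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200):
received: [4 (System error)][cloudius-systems.com]
(Wed Aug 30 06:59:13 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply
called with result [4]: System error.
"""

# (timestamp) [sssd[component]] [function] (0xlevel): message
# The component may contain brackets itself, e.g. [sssd[be[LDAP]]], hence the
# lazy match terminated by "]] [".
HEADER = re.compile(
    r"^\((?P<ts>[^)]*)\) "
    r"\[sssd\[(?P<component>.+?)\]\] "
    r"\[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\):"
    r" ?(?P<msg>.*)$"
)
# A header that was wrapped before its "(0x....):" still starts like this.
PREFIX = re.compile(r"^\([^)]*\) \[sssd\[")

# sssd's failure bits: 0x0010 fatal, 0x0020 critical, 0x0040 serious, 0x0080 minor.
FAILURE_LEVELS = 0x00F0


def parse_sssd_log(text):
    """One record per log message; wrapped lines are re-joined to their header."""
    records = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending is not None:          # complete a header split before its level
            line = pending + " " + line
            pending = None
        m = HEADER.match(line)
        if m:
            rec = m.groupdict()
            rec["level"] = int(rec["level"], 16)
            rec["msg"] = rec["msg"].strip()
            records.append(rec)
        elif PREFIX.match(line):
            pending = line
        elif records:                    # plain continuation of the previous message
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records


def pam_request_fields(records):
    """The 'key: value' pairs pam_print_data logs for a request (command, service, ...)."""
    fields = {}
    for rec in records:
        if rec["func"] == "pam_print_data" and ":" in rec["msg"]:
            key, value = rec["msg"].split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


PAM_RESULT = re.compile(r"pam_reply called with result \[(\d+)\]: (.+?)\.?$")


def pam_result(records):
    """(code, text) from the last pam_reply record, e.g. (4, 'System error'); None if absent."""
    for rec in reversed(records):
        if rec["func"] == "pam_reply":
            m = PAM_RESULT.search(rec["msg"])
            if m:
                return int(m.group(1)), m.group(2)
    return None


def failures(records):
    """Records logged at a failure debug level (see FAILURE_LEVELS)."""
    return [r for r in records if r["level"] & FAILURE_LEVELS]


if __name__ == "__main__":
    recs = parse_sssd_log(SAMPLE_LOG)
    print("request fields:", pam_request_fields(recs))
    print("pam result:", pam_result(recs))
    print("failure-level records:", len(failures(recs)))
```

Note what failures() returns for the sample: nothing. The "System error" is logged by pam_reply at 0x0200 (function data), not at a failure level, so filtering a responder log by level alone would miss it; the failure that produced it is in the back end's log (sssd_<domain>.log), which is where the PAM result code points next.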
SSSD Group ID Mismatch
by Mukund
Hi
I am trying to configure SSSD on all the datanodes and namenodes of an HDP
cluster. Following is my config.
The local group id and LDAP group id created by SSSD are conflicting,
because of which certain functionalities are not working as desired.
I have configured it as follows, and I am getting the error given below the config:
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
reconnection_retries = 3
debug_level = 4
[nss]
filter_users = root,centos,ec2-user
filter_groups = root
reconnection_retries = 3
debug_level = 4
[pam]
reconnection_retries = 3
[domain/LDAP1]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = <uri>
ldap_default_bind_dn = cn=admin,dc=gtm,dc=juniper,dc=net
ldap_default_authtok = <pwd>
ldap_default_authtok_type = password
ldap_search_base = dc=gtm,dc=juniper,dc=net
ldap_user_search_base = ou=users,dc=gtm,dc=juniper,dc=net
ldap_group_search_base = ou=groups,dc=gtm,dc=juniper,dc=net
ldap_user_object_class = posixAccount
ldap_user_gecos = cn
ldap_tls_reqcert = hard
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_id_use_start_tls = false
debug_level = 7
override_shell = /bin/bash
cache_credentials = true
min_id = 5000
max_id = 25000
enumerate = false
*Error*
(Tue Aug 29 14:24:12 2017) [sssd[be[LDAP]]] [sdap_save_user] (0x0040): User
[ambari-qa] filtered out! (uid out of range)
(Tue Aug 29 14:24:12 2017) [sssd[be[LDAP]]] [sdap_save_user] (0x0020):
Failed to save user [ambari-qa]
Is there a way to overcome this error? Any way to have the uid in range?
Any help is greatly appreciated.
Regards
Mukund
6 years, 3 months
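Two checks lie behind the error and the "conflicting" ids in the post above. First, sssd only saves a user whose uidNumber lies within the domain's min_id..max_id window (sssd's defaults are min_id = 1 and max_id = 0, meaning no upper bound); with the posted 5000..25000 window, "filtered out! (uid out of range)" says ambari-qa's uidNumber is outside it. Second, the usual source of a local/LDAP group id clash is an LDAP gidNumber that a local account in /etc/group already owns, and the id window exists precisely to keep the two ranges apart. The script below is an added example written for this page, not code from the post or the SSSD project: it reads the id window from an sssd.conf fragment, reports which LDIF entries sssd would filter, and lists LDAP ids that collide with local ones. The sssd.conf fragment, the LDIF (example.com, made-up numbers) and the /etc/group lines are all constructed; the LDIF reader is deliberately minimal (no base64 "::" values or folded lines).

```python
import configparser

# Constructed sssd.conf fragment carrying the id window from the post above.
SSSD_CONF = """\
[domain/LDAP]
id_provider = ldap
ldap_schema = rfc2307
min_id = 5000
max_id = 25000
"""

# Constructed LDIF: one entry inside the window, one below it, one above it.
SAMPLE_LDIF = """\
dn: uid=ambari-qa,ou=users,dc=example,dc=com
objectClass: posixAccount
uid: ambari-qa
uidNumber: 1005
gidNumber: 1005

dn: uid=alice,ou=users,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 5001
gidNumber: 5001

dn: uid=svc-batch,ou=users,dc=example,dc=com
objectClass: posixAccount
uid: svc-batch
uidNumber: 30000
gidNumber: 30000
"""

# Constructed /etc/group lines from a node where a local service account
# already owns a gid that LDAP hands out as well.
LOCAL_GROUP = """\
root:x:0:
hdfs:x:1001:
ambari-qa:x:1005:
"""


def id_range(conf_text, domain):
    """min_id/max_id of [domain/<domain>], with sssd's defaults (1, and 0 = unbounded)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sect = cp["domain/" + domain]
    return sect.getint("min_id", 1), sect.getint("max_id", 0)


def parse_ldif(text):
    """Minimal LDIF reader: 'attribute: value' lines, entries separated by blank lines."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        key, _, value = line.partition(":")
        cur.setdefault(key.strip(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def in_range(num, min_id, max_id):
    """sssd's acceptance test for a uid/gid: at least min_id, at most max_id unless max_id is 0."""
    return num >= min_id and (max_id == 0 or num <= max_id)


def filtered_users(entries, min_id, max_id):
    """(name, uidNumber) of posixAccount entries sssd would drop as 'uid out of range'."""
    out = []
    for e in entries:
        if "posixAccount" not in e.get("objectClass", []):
            continue
        uid = int(e["uidNumber"][0])
        if not in_range(uid, min_id, max_id):
            out.append((e["uid"][0], uid))
    return out


def local_ids(etc_text):
    """Local name keyed by numeric id, from /etc/passwd or /etc/group style lines."""
    ids = {}
    for line in etc_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            ids[int(parts[2])] = parts[0]
    return ids


def collisions(entries, local, attr):
    """(ldap name, id, local name) where an LDAP uidNumber/gidNumber (attr) is already local."""
    hits = []
    for e in entries:
        for raw in e.get(attr, []):
            num = int(raw)
            if num in local:
                hits.append((e["uid"][0], num, local[num]))
    return hits


if __name__ == "__main__":
    lo, hi = id_range(SSSD_CONF, "LDAP")
    ents = parse_ldif(SAMPLE_LDIF)
    print("would be filtered by sssd:", filtered_users(ents, lo, hi))
    print("gid collisions with /etc/group:", collisions(ents, local_ids(LOCAL_GROUP), "gidNumber"))
```

Run against a real export (ldapsearch output for the user and group search bases, and the node's /etc/passwd and /etc/group) the two lists tell you whether to move the LDAP ids into the window or widen min_id/max_id, and which local accounts would shadow LDAP ones if the window were widened.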
How often does ldap cache clear?
by Lachlan Musicman
We use FreeIPA/SSSD to authenticate our RStudio Server, which we control
via HBAC membership of an AD group.
Our users are having their sessions ended frequently - once a day or more -
with the logged message
17 Aug 2017 05:16:21 [rserver] WARNING User <user>@<domain> could not be
authenticated because they do not belong to one of the required groups
(rstudio); LOGGED FROM: bool rstudio::server::auth::validateUser(const
std::string&, const std::string&, unsigned int, bool)
/root/rstudio-pro/src/cpp/server/auth/ServerValidateUser.cpp:103
Most likely this is partially because RStudio server is overly aggressive,
but I am also noticing that their log is telling the truth:
id <user>@<domain>
is not returning the full membership set of the user; in particular the
user group overrides are not being registered. I.e., I can see that <user> is
in the appropriate AD group, but the IPA group that overrides it isn't
being reported.
And hence the user is getting booted.
So, two questions:
1. Why is the group override not working, and how can I get it working or
change our setup so that it does work?
2. If this is because users are being timed out of the sss db cache
(/var/lib/sss/db/cache_<domain>.ldb), how can I set the cache refresh to a
much, much longer period?
cheers
L.
6 years, 3 months
Re: SSSD user mailing list: Unable to login to my kerberos realm
by Louis Garcia
On Fri, Aug 18, 2017 at 11:58 AM, Louis Garcia <louisgtwo(a)gmail.com> wrote:
> On Fri, Aug 18, 2017 at 4:08 AM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
>
>> On Fri, Aug 18, 2017 at 08:42:34AM +0200, Lukas Slebodnik wrote:
>> > On (17/08/17 12:38), Louis Garcia wrote:
>> > >Sorry to mail you directly but I think the sssd user mailing list is
>> not
>> > >accepting my emails. I replied twice to this thread yesterday and both
>> > >bounced.
>> > >
>> >
>>
>> > I have no idea why you have problems sending mails there.
>>
>> Sorry, this is partially my fault. I should be watching the moderation
>> queue, but lately we've been getting so much spam (sometimes one spam
>> attempt per hour) that I overlooked your e-mail.
>>
>> You can subscribe to the list and then your messages will go right to
>> the list w/o the moderation queue!
>>
>
> sssd-users-request(a)lists.fedorahosted.org
> Aug 15 (3 days ago)
>
>
> to me
> Welcome to the "sssd-users" mailing list!
>
I subscribed here:
https://lists.fedorahosted.org/admin/lists/sssd-users.lists.fedorahosted....
and I receive all emails from the list but I don't have a user account.
How do I properly subscribe?
6 years, 3 months