Hi,
We have set up FreeIPA (VERSION: 4.1.2, API_VERSION: 2.109) in our realm (IPA.DOMAIN1.COM), with trust to an AD forest (DOMAIN2.NET, which itself has trust to AD.DOMAIN2.NET, where the corporate users are). Everything works fine when using Kerberos: we can obtain tickets from AD.DOMAIN2.NET and authenticate to services in IPA.DOMAIN1.COM. We can also do "getent passwd user@ad.domain2.net" on a host enrolled in FreeIPA and quickly get a result.
But we have some legacy applications that perform authentication with simple LDAP binds, so we have the compat tree enabled, and while authenticating users in the AD.DOMAIN2.NET realm this way eventually succeeds, it takes an awfully long time (30 seconds or so, sometimes more), with a lot going on between the AD and FreeIPA. We've attached the log file of SSSD (version 1.12.4; we've upgraded based on advice from IRC #sssd, but the problem didn't go away) from the FreeIPA server while running "ldapwhoami -D uid=user@ad.domain2.net,cn=users,cn=compat,dc=ipa,dc=domain1,dc=com -W" from a client machine. The debug level was set to 0x07f0.
On (rare) occasions, authentication is very fast while running the exact same command on the client machine. We've also attached the SSSD log file when that happens, for comparison. The log files have been sanitized and the slow log output was a bit simplified: we removed 25 repeated events where sssd was trying to resolve unknown SIDs, as it would have taken too much time to sanitize, so we left 5 caching events only (we made a remark in the log file where we removed those lines).
Any advice is more than welcome.
Thanks for your help.
Cheers,
Romain Aviolat
Senior System Administrator - R&D and ops Infrastructure
Kudelski Security - Kudelski Group
rte de Genève 22-24, 1033 Cheseaux, SWITZERLAND
+41 21 732 03 79
----- Original Message -----
From: "Aviolat Romain" Romain.Aviolat@nagra.com
To: sssd-users@lists.fedorahosted.org
Sent: Thursday, February 26, 2015 5:51:36 PM
Subject: [SSSD-users] FreeIPA/SSSD LDAP cross-forest trust slow queries
Hi,
We have set up FreeIPA (VERSION: 4.1.2, API_VERSION: 2.109) in our realm (IPA.DOMAIN1.COM), with trust to an AD forest (DOMAIN2.NET, which itself has trust to AD.DOMAIN2.NET, where the corporate users are). Everything works fine when using Kerberos: we can obtain tickets from AD.DOMAIN2.NET and authenticate to services in IPA.DOMAIN1.COM. We can also do "getent passwd user@ad.domain2.net" on a host enrolled in FreeIPA and quickly get a result.
But we have some legacy applications that perform authentication with simple LDAP binds, so we have the compat tree enabled, and while authenticating users in the AD.DOMAIN2.NET realm this way eventually succeeds, it takes an awfully long time (30 seconds or so, sometimes more), with a lot going on between the AD and FreeIPA. We've attached the log file of SSSD (version 1.12.4; we've upgraded based on advice from IRC #sssd, but the problem didn't go away) from the FreeIPA server while running "ldapwhoami -D uid=user@ad.domain2.net,cn=users,cn=compat,dc=ipa,dc=domain1,dc=com -W" from a client machine. The debug level was set to 0x07f0.
The slow execution and big traffic between FreeIPA and AD can be caused by downloading a huge count of groups.
Is the user user@ad.domain2.net member of many groups? How many?
I could also see in the log file that the AD infrastructure is quite big: 8 primary and 20 backup servers. Could you confirm that sssd was connected to the nearest and the fastest AD server?
You can use netstat to detect the connections opened by SSSD:
netstat -tpn | grep sssd_be
On (rare) occasions, authentication is very fast while running the exact same command on the client machine. We've also attached the SSSD log file when that happens, for comparison. The log files have been sanitized and the slow log output was a bit simplified: we removed 25 repeated events where sssd was trying to resolve unknown SIDs, as it would have taken too much time to sanitize, so we left 5 caching events only (we made a remark in the log file where we removed those lines).
I can see in sssd_fast_query.log that the request to AD was performed in offline mode:
[be_pam_handler_callback] (0x0100): Backend returned: (1, 9, <NULL>) [Provider is Offline (Authentication service cannot retrieve authentication info)]
[be_pam_handler_callback] (0x0100): Sending result [9][ad.domain2.net]
[be_pam_handler_callback] (0x0100): Sent result [9][ad.domain2.net]
[child_sig_handler] (0x0100): child [10313] finished successfully.
The data has already been cached and therefore authentication did not fail and was very fast. I could not see a reason in sssd log file why ad.domain2.net was offline.
LS
From: "Aviolat Romain" Romain.Aviolat@nagra.com
To: sssd-users@lists.fedorahosted.org
Sent: Thursday, February 26, 2015 5:51:36 PM
Subject: [SSSD-users] FreeIPA/SSSD LDAP cross-forest trust slow queries
Hi,
We have set up FreeIPA (VERSION: 4.1.2, API_VERSION: 2.109) in our realm (IPA.DOMAIN1.COM), with trust to an AD forest (DOMAIN2.NET, which itself has trust to AD.DOMAIN2.NET, where the corporate users are). Everything works fine when using Kerberos: we can obtain tickets from AD.DOMAIN2.NET and authenticate to services in IPA.DOMAIN1.COM. We can also do "getent passwd user@ad.domain2.net" on a host enrolled in FreeIPA and quickly get a result.
But we have some legacy applications that perform authentication with simple LDAP binds, so we have the compat tree enabled, and while authenticating users in the AD.DOMAIN2.NET realm this way eventually succeeds, it takes an awfully long time (30 seconds or so, sometimes more), with a lot going on between the AD and FreeIPA. We've attached the log file of SSSD (version 1.12.4; we've upgraded based on advice from IRC #sssd, but the problem didn't go away) from the FreeIPA server while running "ldapwhoami -D uid=user@ad.domain2.net,cn=users,cn=compat,dc=ipa,dc=domain1,dc=com -W" from a client machine. The debug level was set to 0x07f0.
The slow execution and big traffic between FreeIPA and AD can be caused by downloading a huge count of groups.
Is the user user@ad.domain2.net member of many groups? How many?
The user is a direct member of 26 groups and an indirect member of 110 groups.
I could also see in the log file that the AD infrastructure is quite big: 8 primary and 20 backup servers. Could you confirm that sssd was connected to the nearest and the fastest AD server?
Yes the infrastructure is quite big, and yes we're connected to the nearest and the fastest AD servers.
You can use netstat to detect the connections opened by SSSD:
netstat -tpn | grep sssd_be
Of course, here's the output asked for, taken during a "slow" query:
# netstat -tpn | grep sssd_be
tcp 0 0 10.XXX.XXX.XXX:33364 10.XXX.XXX.10:389 ESTABLISHED 10259/sssd_be
tcp 0 0 10.XXX.XXX.XXX:32883 10.XXX.XXX.11:389 ESTABLISHED 10259/sssd_be
tcp 0 0 10.XXX.XXX.XXX:56351 10.XXX.XXX.12:3268 ESTABLISHED 10259/sssd_be
On (rare) occasions, authentication is very fast while running the exact same command on the client machine. We've also attached the SSSD log file when that happens, for comparison. The log files have been sanitized and the slow log output was a bit simplified: we removed 25 repeated events where sssd was trying to resolve unknown SIDs, as it would have taken too much time to sanitize, so we left 5 caching events only (we made a remark in the log file where we removed those lines).
I can see in sssd_fast_query.log that the request to AD was performed in offline mode:
[be_pam_handler_callback] (0x0100): Backend returned: (1, 9, <NULL>) [Provider is Offline (Authentication service cannot retrieve authentication info)]
[be_pam_handler_callback] (0x0100): Sending result [9][ad.domain2.net]
[be_pam_handler_callback] (0x0100): Sent result [9][ad.domain2.net]
[child_sig_handler] (0x0100): child [10313] finished successfully.
The data has already been cached and therefore authentication did not fail and was very fast. I could not see a reason in sssd log file why ad.domain2.net was offline.
I couldn't see a reason either... I'm 100% sure that the infra (AD servers and network) is always UP. Tell me if I can dig a bit further into some log files.
Thanks again for your help.
Romain
LS
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
On Mon, Mar 02, 2015 at 12:45:19PM +0000, Aviolat Romain wrote:
I couldn't see a reason either... I'm 100% sure that the infra (AD servers and network) is always UP. Tell me if I can dig a bit further into some log files.
Thanks again for your help.
Romain
Can you search the logs for a message saying "Going offline"? IIRC that would show the spot where SSSD switched from online to offline mode; the log messages above that would (hopefully) show the reason.
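A small triage script for the two checks raised above (how long each back-end PAM request takes, and what was logged just before SSSD went offline), added here as an example; it is not from the thread or from the SSSD project. It assumes the SSSD 1.12 debug line layout and the message texts "Got request with the following data", "Sent result [N][domain]", "Storing info for group ..." and "Going offline!"; the sample log is constructed.

```python
"""Triage helper for SSSD back-end debug logs (sssd_<domain>.log).

Measures each PAM request in the back end (Got request -> Sent result), counts
the group objects stored meanwhile (the slow binds in the thread coincide with
AD group downloads), and shows the lines preceding every "Going offline".
Message texts are assumed from SSSD 1.12; check them against your own log.
"""
import re
import sys
from datetime import datetime

# Constructed sample, shaped like sssd_be output with timestamps; not real data.
SAMPLE_LOG = """\
(Thu Feb 26 17:30:01 2015) [sssd[be[ipa.domain1.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Thu Feb 26 17:30:01 2015) [sssd[be[ipa.domain1.com]]] [be_pam_handler] (0x0100): domain: ad.domain2.net
(Thu Feb 26 17:30:02 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_group] (0x0400): Storing info for group grp-a@ad.domain2.net
(Thu Feb 26 17:30:14 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_group] (0x0400): Storing info for group grp-b@ad.domain2.net
(Thu Feb 26 17:30:33 2015) [sssd[be[ipa.domain1.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][ad.domain2.net]
(Thu Feb 26 17:41:10 2015) [sssd[be[ipa.domain1.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'dc1.ad.domain2.net' as 'not working'
(Thu Feb 26 17:41:10 2015) [sssd[be[ipa.domain1.com]]] [be_mark_offline] (0x2000): Going offline!
(Thu Feb 26 17:41:12 2015) [sssd[be[ipa.domain1.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Thu Feb 26 17:41:12 2015) [sssd[be[ipa.domain1.com]]] [be_pam_handler_callback] (0x0100): Sent result [9][ad.domain2.net]
"""

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[[^\]]+\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
SENT_RE = re.compile(r"Sent result \[(?P<code>\d+)\]\[(?P<domain>[^\]]+)\]")
TS_FMT = "%a %b %d %H:%M:%S %Y"  # SSSD default timestamp (debug_microseconds off)


def parse_line(line):
    """Split one sssd_be debug line into its fields; None for other lines."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def pam_requests(lines):
    """Pair each 'Got request' with the next 'Sent result' and time the gap.

    'groups_stored' counts sdap_save_group lines seen in between, which is
    the AD group download the thread identifies as the source of the delay.
    'result' is the PAM status SSSD sent back (0 = success, 9 = provider offline).
    """
    requests, current = [], None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["func"] == "be_pam_handler" and rec["msg"].startswith("Got request"):
            current = {"start": rec["time"], "groups_stored": 0}
        elif current is None:
            continue
        elif rec["func"] == "sdap_save_group":
            current["groups_stored"] += 1
        elif rec["func"] == "be_pam_handler_callback":
            m = SENT_RE.search(rec["msg"])
            if m:
                current.update(
                    end=rec["time"],
                    seconds=(rec["time"] - current["start"]).total_seconds(),
                    result=int(m.group("code")),
                    domain=m.group("domain"),
                )
                requests.append(current)
                current = None
    return requests


def offline_events(lines, context=3):
    """Return each 'Going offline' line with the messages logged just before it."""
    events, recent = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if "Going offline" in rec["msg"]:
            events.append({"time": rec["time"], "context": [r["msg"] for r in recent]})
        recent = (recent + [rec])[-context:]
    return events


if __name__ == "__main__":
    # Usage: python3 sssd_triage.py /var/log/sssd/sssd_ipa.domain1.com.log
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    log_lines = src.splitlines()
    for r in pam_requests(log_lines):
        print(f"{r['start']:%H:%M:%S} {r['domain']}: result={r['result']} "
              f"took={r['seconds']:.0f}s groups_stored={r['groups_stored']}")
    for e in offline_events(log_lines):
        print(f"{e['time']:%H:%M:%S} Going offline; preceding messages:")
        for msg in e["context"]:
            print("   ", msg)
```

On the constructed sample the first bind takes 32 s with two group stores, while the second, served offline from the cache, returns PAM status 9 immediately, which mirrors the slow and fast cases in the attached logs.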
Unfortunately the logs aren't helpful. It seems that sssd went offline once, but it's not at all in the same time-frame as when I ran my tests. I also tried the full debug log (0xFFF0).
The thing is that I don't need to enable all those mapping mechanisms, because I don't rely on the AD groups; I use FreeIPA to set group membership. So I tried to deactivate this using the following options, as suggested by lslebodn:
ldap_group_nesting_level = 0
ignore_group_members = True
ldap_use_tokengroups = False
But the mapping still occurs, as does the timeout. It seems that those options are not working.
Here's my sssd config file.
[domain/mydomain1.com]
debug_level = 0x07f0
#debug_level = 0xFFF0
ldap_group_nesting_level = 0
ignore_group_members = True
ldap_use_tokengroups = False
#ldap_initgroups_use_matching_rule_in_chain = True
ldap_id_mapping = False
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain1.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = kdc.mydomain1.com
chpass_provider = ipa
ipa_server = kdc.mydomain1.com
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = mydomain1.com

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]
Thanks for your help !
Romain
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub Hrozek
Sent: Monday, 2 March 2015 13:50
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] FreeIPA/SSSD LDAP cross-forest trust slow queries
Hi there,
I played again with the sssd.conf config file and I'm not 100% sure that I'm configuring sssd correctly. I'm still trying to tell sssd to ignore the SID mapping.
I'm not sure if I should create multiple domains, one for the FreeIPA domain and one for the AD domain, and put specific options into them, like:
[domain/ad.mydomain2.net]
ldap_group_nesting_level = 0
ignore_group_members = True
ldap_use_tokengroups = False

[domain/domain1.com]
Options specific to the FreeIPA domain.
I have also read that all the domains should be listed in the [sssd] section.
I can't find info about how to configure this file for multiple domains; can someone point me in the right direction?
Thanks for your help
Romain
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Aviolat Romain
Sent: Monday, 2 March 2015 17:19
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] FreeIPA/SSSD LDAP cross-forest trust slow queries
On 03/04/2015 01:35 PM, Aviolat Romain wrote:
Hi there,
I played again with the sssd.conf config file and I'm not 100% sure that I'm configuring sssd correctly. I'm still trying to tell sssd to ignore the SID mapping.
I'm not sure if I should create multiple domains, one for the FreeIPA domain and one for the AD domain, and put specific options into them, like:
[domain/ad.mydomain2.net]
ldap_group_nesting_level = 0
ignore_group_members = True
ldap_use_tokengroups = False

[domain/domain1.com]
Options specific to the FreeIPA domain.
I have also read that all the domains should be listed in the [sssd] section.
I can't find info about how to configure this file for multiple domains; can someone point me in the right direction?
Thanks for your help
Romain
OK, if you use SSSD with IPA and IPA is in trust with AD, then you just join the client to IdM using realmd or ipa-client-install. In this case SSSD, via its configuration, should know only about the domain it is joined to, the IPA one. The AD domains and forests are discovered dynamically and internally and do not require any configuration in sssd.conf.
I suggest you start over with:
1. Install IPA.
2. Join a client to IPA using ipa-client or realmd.
3. Test that authentication and identity lookups work.
4. Establish trust between IPA and AD.
5. Try to log in with an AD user on the client.
In any case you do not need to configure anything manually unless you have some really corner case in your environment.
On (04/03/15 14:29), Dmitri Pal wrote:
OK, if you use SSSD with IPA and IPA is in trust with AD, then you just join the client to IdM using realmd or ipa-client-install. In this case SSSD, via its configuration, should know only about the domain it is joined to, the IPA one. The AD domains and forests are discovered dynamically and internally and do not require any configuration in sssd.conf.
Romain already uses IPA with AD trust.
The main problem is that users in his AD are members of many groups, which causes big delays when users try to authenticate.
If I understand it correctly, he is mainly interested in authentication against AD and does not need all the group memberships.
It would be possible to change it with the options ldap_group_nesting_level, ignore_group_members or ldap_use_tokengroups. But I don't know how to change the configuration of an AD subdomain on sssd in IPA server mode.
LS
Thanks Lukas for the clarifications.
You're right, I'm interested in authenticating against AD, I don't need the group membership attributes. It seems to be the right solution to avoid the caching of lots of groups on the FreeIPA side.
If you have any idea how to solve this, don't hesitate.
Romain
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Lukas Slebodnik
Sent: Wednesday, 4 March 2015 20:58
To: dpal@redhat.com; End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] FreeIPA/SSSD LDAP cross-forest trust slow queries
On Thu, Mar 05, 2015 at 05:58:11AM +0000, Aviolat Romain wrote:
Thanks Lukas for the clarifications.
You're right, I'm interested in authenticating against AD, I don't need the group membership attributes. It seems to be the right solution to avoid the caching of lots of groups on the FreeIPA side.
If you have any idea how to solve this, don't hesitate.
I got a similar report and I'm working on a patch which should reduce the time needed for authentication even with many group-memberships. I will prepare a test package when I'm done.
Currently I'm not aware of a good option to tune this. Switching on enumeration on the IPA servers might help a bit with the usual drawbacks of enumeration.
bye, Sumit
On Thu, Mar 05, 2015 at 09:42:08AM +0100, Sumit Bose wrote:
I got a similar report and I'm working on a patch which should reduce the time needed for authentication even with many group-memberships. I will prepare a test package when I'm done.
I made a package (http://koji.fedoraproject.org/koji/taskinfo?taskID=9143634) with a first small patch which should reduce the number of initgroups requests. Feel free to test it. I would recommend setting 'pam_id_timeout = 60' in the [pam] section of sssd.conf to make full use of the patch.
bye, Sumit
On Thu, Mar 05, 2015 at 07:58:01PM +0100, Sumit Bose wrote:
I made a package (http://koji.fedoraproject.org/koji/taskinfo?taskID=9143634) with a first small patch which should reduce the number of initgroups requests. Feel free to test it. I would recommend to set 'pam_id_timeout = 60' in the [pam] section of sssd.conf to make full use of the patch.
There is a new package at http://koji.fedoraproject.org/koji/taskinfo?taskID=9155406
This adds a fix for an issue I found in my testing which prevented some groups from being saved into the cache, so they had to be downloaded every time. Additionally it adds some debug code to see what causes the sysdb_set_entry_attr() errors. Groups with those errors are not saved to the cache either and must be downloaded again as well. Feel free to forward logs with the results to me directly.
Additionally I found the following log/journal message while testing:
sshd[22668]: pam_systemd(sshd:session): Failed to create session: Connection timed out
which caused a 20s delay for the login. After I commented out pam_systemd in the PAM configuration I got login time down to about 5s for a user which is a member of 500 groups. Can you check if you see similar log messages?
bye, Sumit
bye, Sumit
Currently I'm not aware of a good option to tune this. Switching on enumeration on the IPA servers might help a bit with the usual drawbacks of enumeration.
bye, Sumit
Romain
-----Original Message----- From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Lukas Slebodnik Sent: mercredi 4 mars 2015 20:58 To: dpal@redhat.com; End-user discussions about the System Security Services Daemon Subject: Re: [SSSD-users] FreeIPA/SSSD LDAP cross-forest trust slow queries
On (04/03/15 14:29), Dmitri Pal wrote:
On 03/04/2015 01:35 PM, Aviolat Romain wrote:
Hi there,
I played again with the sssd.conf config file and I'm not 100% sure that I'm configuring sssd correctly. I'm still trying to tell sssd to ignore the SID mapping.
I'm not sure if I should create multiple domains, one for the freeIPA domain and one for the ad domain and put specific options into them. Like
[domain/ad.mydomain2.net]
ldap_group_nesting_level = 0
ignore_group_members = True
ldap_use_tokengroups = False

[domain/domain1.com]
Options specific to the FreeIPA domain.
I have also read that all the domains should be listed into the [sssd] section.
I can't find info about how to configure this file for multiple domains, can someone point me to the right direction ?
Thanks for your help
Romain
OK, if you use SSSD with IPA and IPA is in trust with AD, then you just join the client to IdM using realmd or ipa-client-install. In this case SSSD, via its configuration, should know only about the domain it is joined to - the IPA one. The AD domains and forests are discovered dynamically and internally and do not require any configuration in sssd.conf.
Romain already uses IPA with AD trust.
The main problem is that users in his AD are members of many groups, which causes big delays when users try to authenticate.
If I understand it correctly he is mainly interested in authentication against AD and does not need all group memberships.
It would be possible to change it with the options ldap_group_nesting_level, ignore_group_members or ldap_use_tokengroups. But I don't know how to change the configuration of an AD subdomain on sssd in ipa server mode.
LS

sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
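As an added illustration of the layout Dmitri describes (this is not a configuration posted in the thread, nor SSSD's shipped default), here is a minimal sssd.conf for a host enrolled in the IPA domain: only the IPA domain is listed, trusted AD domains are discovered at runtime rather than getting their own [domain/...] section, and the [pam] section carries the pam_id_timeout value Sumit recommends for his test package. Host names are placeholders; ipa_server_mode is set by ipa-server-install on the IPA servers only; debug_level = 9 is the level Sumit asks for while collecting the attribute dump and should be lowered again afterwards.

```ini
# Added example, not from the thread. Host names are placeholders.
[sssd]
services = nss, pam
# Only the IPA domain is configured. Do NOT add a [domain/ad.domain2.net]
# section: the trusted AD forest is discovered as a subdomain of the IPA domain.
domains = ipa.domain1.com

[domain/ipa.domain1.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = ipa.domain1.com
# placeholder host names
ipa_hostname = client1.ipa.domain1.com
# _srv_ = locate IPA servers through DNS SRV records, then fall back to the listed host
ipa_server = _srv_, ipa1.ipa.domain1.com
cache_credentials = True
# On the IPA servers themselves ipa-server-install additionally sets:
# ipa_server_mode = True
# Temporary, for the attribute dump Sumit asked for; lower again after debugging.
debug_level = 9

[pam]
# Sumit's recommendation so the reduced number of initgroups requests takes effect
pam_id_timeout = 60
debug_level = 9
```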
Hi Sumit,
I tried your patch; it seems that it still always fails to download the same groups as before.
Here's the part where sysdb_set_entry_attr fails:
(Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_group] (0x0400): Processing group my group1@ad.domain2.net
(Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_group] (0x0400): Filtering AD group [my group1@ad.domain2.net].
(Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_process_ghost_members] (0x0400): The group has 1 members
(Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_process_ghost_members] (0x0400): Group has 1 members
(Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_group] (0x0400): Storing info for group my group1@ad.domain2.net
(Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists]
(Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists)
(Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sysdb_store_group] (0x0400): Error: 17 (File exists)
(Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_store_group_with_gid] (0x0040): Could not store group my group1@ad.domain2.net
(Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_group] (0x0080): Could not store group with GID: [File exists]
(Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_group] (0x0080): Failed to save group [my group1@ad.domain2.net]: [File exists]
(Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_groups] (0x0040): Failed to store group 14. Ignoring.
Every time it still tries to download the same groups.
About the pam systemd thing, I don't have such option set in my sssd conf file.
Romain
-----Original Message----- From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Sumit Bose Sent: Friday, 6 March 2015 15:36 To: sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] FreeIPA/SSSD LDAP cross-forest trust slow queries
On Thu, Mar 05, 2015 at 07:58:01PM +0100, Sumit Bose wrote:
On Thu, Mar 05, 2015 at 09:42:08AM +0100, Sumit Bose wrote:
On Thu, Mar 05, 2015 at 05:58:11AM +0000, Aviolat Romain wrote:
Thanks Lukas for the clarifications.
You're right, I'm interested in authenticating against AD, I don't need the group membership attributes. It seems to be the right solution to avoid the caching of lots of groups on the FreeIPA side.
_______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
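The log excerpt Romain posted is the kind of thing one has to triage by hand across many authentication attempts. As an added example (my code, not SSSD's and not anything posted in the thread), here is a small parser for the SSSD backend log format seen above that reports which groups fail to be stored in the cache, which groups are processed more than once (and are therefore being downloaded again on every request), and how long the logged request window spans. It also recognises the pam_systemd "Failed to create session" line Sumit quotes from the journal, since that is the other check he asks for. The sample log is constructed from the posted lines and is not the real log file; group names and timestamps are illustrative.

```python
"""Triage helper for SSSD backend logs (added example; not SSSD code)."""
import re
from collections import Counter
from datetime import datetime

# One SSSD backend log line:
#   "(timestamp) [sssd[be[domain]]] [function] (0xlevel): message"
_LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<comp>.*?)\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
_PROCESSING_RE = re.compile(r"^Processing group (?P<group>.+)$")
_FAILED_RE = re.compile(r"^Failed to save group \[(?P<group>.+?)\]: \[(?P<err>.+)\]$")
# journal / /var/log/secure line from pam_systemd, in the shape Sumit quoted
_PAM_SYSTEMD_RE = re.compile(
    r"pam_systemd\((?P<service>[^:]+):session\): Failed to create session: (?P<reason>.+)$"
)

# Constructed sample modelled on the lines Romain posted (not the real log file).
SAMPLE_LOG = """\
(Fri Mar  6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_group] (0x0400): Processing group my group1@ad.domain2.net
(Fri Mar  6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_group] (0x0400): Storing info for group my group1@ad.domain2.net
(Fri Mar  6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists]
(Fri Mar  6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists)
(Fri Mar  6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_group] (0x0080): Failed to save group [my group1@ad.domain2.net]: [File exists]
(Fri Mar  6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_groups] (0x0040): Failed to store group 14. Ignoring.
(Fri Mar  6 16:02:18 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_group] (0x0400): Processing group my group2@ad.domain2.net
(Fri Mar  6 16:02:18 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_group] (0x0400): Storing info for group my group2@ad.domain2.net
(Fri Mar  6 16:02:45 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_group] (0x0400): Processing group my group1@ad.domain2.net
(Fri Mar  6 16:02:45 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_group] (0x0080): Failed to save group [my group1@ad.domain2.net]: [File exists]
"""


def parse_line(line):
    """Split one SSSD log line into its fields; None for lines in another format."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    # ctime()-style timestamp; collapse the double space before single-digit days
    ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
    return {"ts": ts, "component": m["comp"], "function": m["func"],
            "level": int(m["lvl"], 16), "message": m["msg"]}


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def processed_groups(text):
    """How many times each group was handed to sdap_save_group (re-downloads show as >1)."""
    counts = Counter()
    for e in parse_log(text):
        if e["function"] == "sdap_save_group":
            m = _PROCESSING_RE.match(e["message"])
            if m:
                counts[m["group"]] += 1
    return counts


def unsaved_groups(text):
    """Groups whose cache write failed, keyed by name, with the failure count."""
    counts = Counter()
    for e in parse_log(text):
        m = _FAILED_RE.match(e["message"])
        if m:
            counts[m["group"]] += 1
    return counts


def repeatedly_fetched(text):
    """Sorted names of groups that were processed more than once in this log."""
    return sorted(g for g, n in processed_groups(text).items() if n > 1)


def span_seconds(text):
    """Wall-clock span between the first and last parsed line, in whole seconds."""
    entries = parse_log(text)
    if not entries:
        return 0
    return int((entries[-1]["ts"] - entries[0]["ts"]).total_seconds())


def pam_systemd_timeouts(lines):
    """(service, reason) pairs for pam_systemd session-creation failures in journal/secure lines."""
    return [(m["service"], m["reason"])
            for m in (_PAM_SYSTEMD_RE.search(l) for l in lines) if m]


if __name__ == "__main__":
    print("request window:", span_seconds(SAMPLE_LOG), "s")
    print("groups that failed to store:", dict(unsaved_groups(SAMPLE_LOG)))
    print("groups downloaded more than once:", repeatedly_fetched(SAMPLE_LOG))
```

Run against a real sssd_<domain>.log, groups that show up in both unsaved_groups and repeatedly_fetched are the ones Sumit's second package is meant to fix, and a non-empty pam_systemd_timeouts result over the journal points at the 20-second PAM delay rather than at SSSD.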
On Fri, Mar 06, 2015 at 03:16:52PM +0000, Aviolat Romain wrote:
Hi Sumit,
I tried your patch, it seems that it still fails to download always the same groups as before.
Here's the part where sysdb_set_entry_attr fails:
(Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_group] (0x0400): Processing group my group1@ad.domain2.net
(Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_group] (0x0400): Filtering AD group [my group1@ad.domain2.net].
(Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_process_ghost_members] (0x0400): The group has 1 members
(Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_process_ghost_members] (0x0400): Group has 1 members
(Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_group] (0x0400): Storing info for group my group1@ad.domain2.net
(Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists]
(Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists)
Can you set debug_level to 9? Then there should be a dump of the attributes in the logs.
(Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sysdb_store_group] (0x0400): Error: 17 (File exists)
(Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_store_group_with_gid] (0x0040): Could not store group my group1@ad.domain2.net
(Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_group] (0x0080): Could not store group with GID: [File exists]
(Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_group] (0x0080): Failed to save group [my group1@ad.domain2.net]: [File exists]
(Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_groups] (0x0040): Failed to store group 14. Ignoring.
Every time it still tries to download the same groups.
About the pam systemd thing, I don't have such option set in my sssd conf file.
This is not configured in sssd.conf. In a default Fedora installation you can find it in /etc/pam.d/password-auth. But if you do not see any pam_systemd(sshd:session) timeout messages in the journal or /var/log/secure you do not need to change anything here.
bye, Sumit
Romain
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users