Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
I’ve been continuing to troubleshoot this slowness in freeipa;
specifically, ipa-finduser, which I’m told should take at most 2-3 seconds,
is taking 20+. People suspected “a dns issue”. I don’t really use DNS,
particularly in my test environment. However, to check this issue, I
relented and added my server to dns. The situation has not changed. A
strace of ipa-finduser admin shows the following:

open("/usr/lib64/python2.7/site-packages/ldap/filter.py", O_RDONLY) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=1441, ...}) = 0
open("/usr/lib64/python2.7/site-packages/ldap/filter.pyc", O_RDONLY) = 6
fstat(6, {st_mode=S_IFREG|0644, st_size=1863, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f115dba3000
read(6, "\3\363\r\n/\350\352Jc\0\0\0\0\0\0\0\0\2\0\0\0@\0\0\0s/\0\0\0d\0"..., 4096) = 1863
fstat(6, {st_mode=S_IFREG|0644, st_size=1863, ...}) = 0
read(6, "", 4096) = 0
close(6) = 0
munmap(0x7f115dba3000, 4096) = 0
close(5) = 0
close(4) = 0
close(3) = 0
stat("/usr/share/locale/en_US.UTF8/LC_MESSAGES/messages.mo", 0x7fff13cb0b10) = -1 ENOENT (No such file or directory)
stat("/usr/share/locale/en_US/LC_MESSAGES/messages.mo", 0x7fff13cb0b10) = -1 ENOENT (No such file or directory)
stat("/usr/share/locale/en.UTF8/LC_MESSAGES/messages.mo", 0x7fff13cb0b10) = -1 ENOENT (No such file or directory)
stat("/usr/share/locale/en/LC_MESSAGES/messages.mo", 0x7fff13cb0b10) = -1 ENOENT (No such file or directory)
brk(0) = 0x2755000
brk(0x2776000) = 0x2776000
open("/etc/ipa/ipa.conf", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=78, ...}) = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=78, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f115dba3000
read(3, "[defaults]\nserver=freeipa.arc.na"..., 4096) = 78
read(3, "", 4096) = 0
close(3) = 0
munmap(0x7f115dba3000, 4096) = 0
open("/etc/resolv.conf", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=71, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f115dba3000
read(3, "domain arc.nasa.gov\nnameserver 1"..., 4096) = 71
read(3, "", 4096) = 0
close(3) = 0
munmap(0x7f115dba3000, 4096) = 0

<This is the delay>

socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("143.232.252.34")}, 16) = 0
poll([{fd=3, events=POLLOUT}], 1, 0) = 1 ([{fd=3, revents=POLLOUT}])
sendto(3, "\0\0\1\0\0\1\0\0\0\0\0\0\5_ldap\4_tcp\3arc\4nasa"..., 41, MSG_NOSIGNAL, NULL, 0) = 41
poll([{fd=3, events=POLLIN}], 1, 5000) = 0 (Timeout)
poll([{fd=3, events=POLLOUT}], 1, 0) = 1 ([{fd=3, revents=POLLOUT}])
sendto(3, "\0\0\1\0\0\1\0\0\0\0\0\0\5_ldap\4_tcp\3arc\4nasa"..., 41, MSG_NOSIGNAL, NULL, 0) = 41
poll([{fd=3, events=POLLIN}], 1, 5000) = 0 (Timeout)
poll([{fd=3, events=POLLOUT}], 1, 0) = 1 ([{fd=3, revents=POLLOUT}])
sendto(3, "\0\0\1\0\0\1\0\0\0\0\0\0\5_ldap\4_tcp\3arc\4nasa"..., 41, MSG_NOSIGNAL, NULL, 0) = 41
poll([{fd=3, events=POLLIN}], 1, 5000) = 0 (Timeout)
poll([{fd=3, events=POLLOUT}], 1, 0) = 1 ([{fd=3, revents=POLLOUT}])
sendto(3, "\0\0\1\0\0\1\0\0\0\0\0\0\5_ldap\4_tcp\3arc\4nasa"..., 41, MSG_NOSIGNAL, NULL, 0) = 41
poll([{fd=3, events=POLLIN}], 1, 5000) = 0 (Timeout)
close(3) = 0
open("/etc/ipa/ipa.conf", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=78, ...}) = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=78, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f115dba3000
read(3, "[defaults]\nserver=freeipa.arc.na"..., 4096) = 78
read(3, "", 4096) = 0
close(3) = 0

Doing a tcpdump of the DNS server shows the following:

11:01:18.217811 IP freeipa.arc.nasa.gov.55272 > ns1.arc.nasa.gov.domain: 0+ SRV? _ldap._tcp.arc.nasa.gov. (41)
11:01:18.235829 IP freeipa.arc.nasa.gov.35688 > ns1.arc.nasa.gov.domain: 981+ PTR? 34.252.232.143.in-addr.arpa. (45)
11:01:18.236535 IP ns1.arc.nasa.gov.domain > freeipa.arc.nasa.gov.35688: 981* 1/3/3 PTR ns1.arc.nasa.gov. (173)
11:01:28.228160 IP freeipa.arc.nasa.gov.55272 > ns1.arc.nasa.gov.domain: 0+ SRV? _ldap._tcp.arc.nasa.gov. (41)
11:01:38.237880 IP freeipa.arc.nasa.gov.55272 > ns1.arc.nasa.gov.domain: 0+ SRV? _ldap._tcp.arc.nasa.gov. (41)
11:01:48.248343 IP freeipa.arc.nasa.gov.55272 > ns1.arc.nasa.gov.domain: 0+ SRV? _ldap._tcp.arc.nasa.gov. (41)

This is a pretty serious problem. I don’t own the name servers for this
domain. I don’t manage the entirety of the namespace. I don’t want SRV
entries for my host. Is there a way to disable the _srv lookup? I found
the following thread:

http://osdir.com/ml/freeipa-users/2011-04/msg00020.html

That thread discusses it a little bit. Specifying a static list of IPA servers
is exactly what I want to do. I’m using 1.2, so I’m not using sssd.

-Brian

I believe you need to specify --server on the command-line to avoid the SRV lookup:

$ ipa-finduser --server=ipa.arc.nasa.gov admin

rob
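As an added example (not code from the thread, from FreeIPA, or from either poster), the following Python script shows how to confirm Brian's reading of the two captures mechanically: it sums the resolver's poll timeouts on the UDP socket to port 53 in the strace excerpt, decodes the queried name from the escaped DNS payload that strace prints, and pairs tcpdump queries with responses by (client host, source port, transaction id) to list the attempts that never got an answer. The embedded STRACE and TCPDUMP strings are the thread's own excerpts with the mail wrapping removed; the regular expressions assume strace's and tcpdump's default line formats, and strace's default 32-byte string limit is why the DNS payload (and hence the decoded name) is truncated.

```python
"""Attribute a slow ipa-finduser run to unanswered DNS lookups, from strace and tcpdump text."""
import ast
import re
import struct

# Resolver socket lines from the strace excerpt in the thread (mail wrapping removed).
STRACE = r'''
socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("143.232.252.34")}, 16) = 0
poll([{fd=3, events=POLLOUT}], 1, 0) = 1 ([{fd=3, revents=POLLOUT}])
sendto(3, "\0\0\1\0\0\1\0\0\0\0\0\0\5_ldap\4_tcp\3arc\4nasa"..., 41, MSG_NOSIGNAL, NULL, 0) = 41
poll([{fd=3, events=POLLIN}], 1, 5000) = 0 (Timeout)
poll([{fd=3, events=POLLOUT}], 1, 0) = 1 ([{fd=3, revents=POLLOUT}])
sendto(3, "\0\0\1\0\0\1\0\0\0\0\0\0\5_ldap\4_tcp\3arc\4nasa"..., 41, MSG_NOSIGNAL, NULL, 0) = 41
poll([{fd=3, events=POLLIN}], 1, 5000) = 0 (Timeout)
poll([{fd=3, events=POLLOUT}], 1, 0) = 1 ([{fd=3, revents=POLLOUT}])
sendto(3, "\0\0\1\0\0\1\0\0\0\0\0\0\5_ldap\4_tcp\3arc\4nasa"..., 41, MSG_NOSIGNAL, NULL, 0) = 41
poll([{fd=3, events=POLLIN}], 1, 5000) = 0 (Timeout)
poll([{fd=3, events=POLLOUT}], 1, 0) = 1 ([{fd=3, revents=POLLOUT}])
sendto(3, "\0\0\1\0\0\1\0\0\0\0\0\0\5_ldap\4_tcp\3arc\4nasa"..., 41, MSG_NOSIGNAL, NULL, 0) = 41
poll([{fd=3, events=POLLIN}], 1, 5000) = 0 (Timeout)
close(3) = 0
'''

# The tcpdump excerpt from the thread (mail wrapping removed).
TCPDUMP = '''
11:01:18.217811 IP freeipa.arc.nasa.gov.55272 > ns1.arc.nasa.gov.domain: 0+ SRV? _ldap._tcp.arc.nasa.gov. (41)
11:01:18.235829 IP freeipa.arc.nasa.gov.35688 > ns1.arc.nasa.gov.domain: 981+ PTR? 34.252.232.143.in-addr.arpa. (45)
11:01:18.236535 IP ns1.arc.nasa.gov.domain > freeipa.arc.nasa.gov.35688: 981* 1/3/3 PTR ns1.arc.nasa.gov. (173)
11:01:28.228160 IP freeipa.arc.nasa.gov.55272 > ns1.arc.nasa.gov.domain: 0+ SRV? _ldap._tcp.arc.nasa.gov. (41)
11:01:38.237880 IP freeipa.arc.nasa.gov.55272 > ns1.arc.nasa.gov.domain: 0+ SRV? _ldap._tcp.arc.nasa.gov. (41)
11:01:48.248343 IP freeipa.arc.nasa.gov.55272 > ns1.arc.nasa.gov.domain: 0+ SRV? _ldap._tcp.arc.nasa.gov. (41)
'''

CONNECT_RE = re.compile(r'connect\((\d+), \{sa_family=AF_INET, sin_port=htons\((\d+)\), '
                        r'sin_addr=inet_addr\("([\d.]+)"\)\}')
SENDTO_RE = re.compile(r'sendto\((\d+), "((?:[^"\\]|\\.)*)"(\.\.\.)?, (\d+),')
TIMEOUT_RE = re.compile(r'poll\(\[\{fd=(\d+), events=POLLIN\}\], 1, (\d+)\) = 0 \(Timeout\)')
PKT_RE = re.compile(r'^(\S+) IP (\S+)\.(\w+) > (\S+)\.(\w+): (\d+)[+*|$-]*\s+(.*)$')
QUERY_RE = re.compile(r'^(\w+)\? (\S+)')


def decode_question(escaped, truncated):
    """Decode the DNS header and QNAME from the C-escaped buffer strace printed."""
    payload = ast.literal_eval('b"%s"' % escaped)       # strace uses C escapes, as Python does
    txid, flags, qdcount = struct.unpack("!3H", payload[:6])
    labels, pos = [], 12                                # question section starts after the 12-byte header
    while pos < len(payload) and payload[pos] != 0:     # length-prefixed labels, 0 terminates
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return {"txid": txid, "rd": bool(flags & 0x0100), "qdcount": qdcount,
            "qname": ".".join(labels), "truncated": truncated or pos >= len(payload)}


def analyse_strace(text):
    """Sum the time the process sat in poll() waiting for a DNS answer that never came."""
    servers, wait_ms, questions = {}, 0, []
    for line in text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            servers[m.group(1)] = "%s:%s" % (m.group(3), m.group(2))   # fd -> nameserver
        m = SENDTO_RE.search(line)
        if m and m.group(1) in servers:
            questions.append(decode_question(m.group(2), m.group(3) is not None))
        m = TIMEOUT_RE.search(line)
        if m and m.group(1) in servers:
            wait_ms += int(m.group(2))
    return {"nameserver": sorted(set(servers.values())), "attempts": len(questions),
            "wait_ms": wait_ms, "questions": questions}


def unanswered_queries(text):
    """Pair tcpdump queries with responses by (client, port, id); return the attempts left unanswered."""
    pending = {}
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        ts, src, sport, dst, dport, txid, rest = m.groups()
        q = QUERY_RE.match(rest)
        if q:                                           # client -> server: "SRV? name"
            pending.setdefault((src, sport, txid), []).append(
                {"time": ts, "port": sport, "id": int(txid), "qtype": q.group(1), "qname": q.group(2)})
        else:                                           # server -> client: answer closes the query
            pending.pop((dst, dport, txid), None)
    return sorted((q for tries in pending.values() for q in tries), key=lambda q: q["time"])


def retry_span_seconds(orphans):
    """Wall-clock span from the first to the last unanswered attempt (the stall the user sees)."""
    def secs(ts):
        h, m, s = ts.split(":")
        return int(h) * 3600 + int(m) * 60 + float(s)
    times = [secs(q["time"]) for q in orphans]
    return max(times) - min(times) if times else 0.0


if __name__ == "__main__":
    r = analyse_strace(STRACE)
    print("waited %d ms over %d attempts to %s for %s%s" % (
        r["wait_ms"], r["attempts"], r["nameserver"], r["questions"][0]["qname"],
        "..." if r["questions"][0]["truncated"] else ""))
    orphans = unanswered_queries(TCPDUMP)
    print("%d unanswered queries spanning %.1f s" % (len(orphans), retry_span_seconds(orphans)))
```

Run over the thread's captures, the strace side accounts for 20 000 ms of waiting (four sends, four 5-second poll timeouts) to 143.232.252.34:53 for a name beginning `_ldap._tcp.arc.nasa`, and the tcpdump side lists the four SRV queries from port 55272 with no reply while the PTR query on port 35688 is answered within a millisecond. The same pairing logic works on any tcpdump DNS capture, which makes it a quick way to spot a client whose startup depends on records a nameserver you don't control never returns.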

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
