Hi,

A follow-up from my previous email regarding my patch for ipa-sam to fix
"valid users =" group references in the Samba server that comes with
ipa-server-trust-ad.
(Found here: 
https://www.redhat.com/archives/freeipa-users/2014-March/msg00045.html )

I noticed that ns-slapd CPU was excessive during multi-file copies (like a git
repository with thousands of files). Debug level 10 logs showed ipa-sam was
performing multiple LDAP queries per file: one for the user and others for the
groups, specifically in order to perform gid/uid<->SID lookups.

I've pre-empted this and raised it as a bug with a proposed patch:
https://bugzilla.redhat.com/show_bug.cgi?id=1074314

It does a few things:
1. idmap caching, so the LDAP calls are significantly reduced
2. when a gid lookup is received for the primary user group (so where
gid == uid), properly reflect the behaviour of the initial lookup that happens
during init by returning the Default SMB Group fallback group
3. don't bother with the LDAP call for uidNumber=0 (root), since it will never
exist in FreeIPA according to my research

My ns-slapd CPU is now 0, and file copies are much better and more like
normal.

This seems to fix all issues for me at the moment, and I guess all that
remains to do is extra features to make it more like ldapsam.
It also looks like all that is needed to get ipa-sam.so to work without a
local FreeIPA master is to allow the service principal access to the
ipaNTHash attribute. However, I can't see any current ACI referring to
principals at the moment, or even any grouping of them into types (probably
because I'm taking the wrong thought-path), but if anyone would like to
discuss this that would be great.

Hope the patch helps!

Thanks,

Jason

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users