Yep, that initgroups change had the same effect as shutting down sssd, but without inconveniencing all the IPA-only users.

The problem in this particular case was made worse by a lot of network latency, but even on network segments local to the ipa masters, it's taking seconds to authenticate. This will help out the local accounts, at least. Now to keep working on those that aren't local.


Thanks for that tip, Simo!

On 05/22/2014 01:15 PM, Simo Sorce wrote:
On Thu, 2014-05-22 at 13:12 -0400, Bret Wortman wrote:
Ahhhh. Then it's probably not the source of my performance problem. I
know when I shut down SSSD, that user's ssh times speed up incredibly.
This makes me think it *is* initgroups, as it normally will hit sssd
even for non-sssd owned users.

But the issue here clearly is that sssd is slow for you, bad network?

Simo.

Bret

On 05/22/2014 01:06 PM, Simo Sorce wrote:
On Thu, 2014-05-22 at 12:47 -0400, Bret Wortman wrote:
If this line is in /etc/nsswitch.conf:

passwd: files sss

Why would the user account from IPA get used when an identical one
exists in /etc/passwd? We can tell because of some additional groups
granted when authentication comes from IPA.

If I shut down sssd, then login proceeds through /etc/passwd as
expected, but as soon as I restart sssd, this behavior starts again.
It's almost as if nsswitch.conf is being ignored or read
right-to-left.

Just another oddity I uncovered on one system as I was troubleshooting a
particularly long "ssh localhost" and trying to rule things out.

The initgroups call (done at authentication to find what groups a user
is member of) by default traverses all databases, so if the same
username is found in multiple databases the groups are added as well.

There is actually a way to change this behavior, although it usually
causes more issues than it resolves.

You could try with: initgroups: files sss

Simo.






_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
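The exchange above turns on a detail of glibc's NSS that is easy to miss: a passwd lookup stops at the first service that knows the user, but initgroups() has no `initgroups:` line of its own by default, falls back to `group:`, and merges what every listed service returns, so a user present both in /etc/passwd and in IPA still triggers an sssd round trip and collects IPA groups. Adding an explicit `initgroups:` line makes glibc honour the per-service `[STATUS=action]` for that database, and the default action for success is return, which is why `initgroups: files sss` stops at /etc/group for local users while IPA-only users still fall through to sss. The following is an added example, not code from the thread or from glibc or SSSD: it models that rule in Python over a constructed nsswitch.conf and constructed "files" and "sss" backends (the users, uids and group names are assumptions), so it can be run offline without a libc or an IPA server.

```python
"""Model of glibc NSS: first-match passwd lookup versus merging initgroups().

Added example for this thread; it simulates the lookup order and does not
call libc or sssd. The rule modelled: with the `group:` fallback glibc always
continues after a successful service; with an explicit `initgroups:` line the
per-service [STATUS=action] is honoured, and the default action for success
is return.
"""
import re

STATUSES = ("success", "notfound", "unavail", "tryagain")
# glibc defaults: a successful lookup returns, every other status continues.
DEFAULT_ACTION = {"success": "return", "notfound": "continue",
                  "unavail": "continue", "tryagain": "continue"}
TOKEN_RE = re.compile(r"\[([^\]]*)\]|(\S+)")   # either [actions] or a service name

# Constructed backends (assumption): 'bret' exists in /etc/passwd and in IPA
# with the same uid, 'ipaonly' exists only in IPA.
BACKENDS = {
    "files": {"passwd": {"bret": 1000},
              "initgroups": {"bret": {"bret", "wheel"}}},
    "sss":   {"passwd": {"bret": 1000, "ipaonly": 1001},
              "initgroups": {"bret": {"bret", "ipausers", "admins"},
                             "ipaonly": {"ipausers"}}},
}

DEFAULT_CONF = "passwd: files sss\ngroup:  files sss\n"
TIP_CONF = DEFAULT_CONF + "initgroups: files sss\n"
MERGE_AGAIN_CONF = DEFAULT_CONF + "initgroups: files [SUCCESS=continue] sss\n"


def parse_nsswitch(text):
    """Parse nsswitch.conf text into {database: [(service, {status: action})]}."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        services = []
        for bracket, word in TOKEN_RE.findall(rest):
            if word:
                services.append((word.lower(), {}))
                continue
            if not services:
                raise ValueError("action with no preceding service: %r" % raw)
            for pair in bracket.split():
                m = re.fullmatch(r"(!?)(\w+)=(\w+)", pair)
                if not m:
                    raise ValueError("bad action %r in %r" % (pair, raw))
                negate, status, action = m.group(1), m.group(2).lower(), m.group(3).lower()
                if status not in STATUSES or action not in ("return", "continue", "merge"):
                    raise ValueError("bad action %r in %r" % (pair, raw))
                # "[!NOTFOUND=return]" applies the action to every status but that one
                targets = [s for s in STATUSES if s != status] if negate else [status]
                for s in targets:
                    services[-1][1][s] = action
        conf[name.strip().lower()] = services
    return conf


def _action(actions, status):
    return actions.get(status, DEFAULT_ACTION[status])


def getpwnam(conf, backends, user):
    """First-match lookup: (service, uid) of the first service that knows the user."""
    for service, actions in conf["passwd"]:
        uid = backends[service]["passwd"].get(user)
        if uid is not None:
            return service, uid          # default success action is return
        if _action(actions, "notfound") == "return":
            return None
    return None


def initgroups(conf, backends, user):
    """Return (services consulted, merged groups) following the glibc rule."""
    explicit = "initgroups" in conf
    services = conf["initgroups"] if explicit else conf["group"]
    consulted, groups = [], set()
    for service, actions in services:
        consulted.append(service)
        found = backends[service]["initgroups"].get(user)
        status = "success" if found is not None else "notfound"
        if status == "success":
            groups |= found
        # Fallback to `group:` never stops on success (local users still
        # collect groups from later services); an explicit `initgroups:`
        # line has its success action honoured.
        if (explicit or status != "success") and _action(actions, status) == "return":
            break
    return consulted, groups


if __name__ == "__main__":
    for label, text in (("default", DEFAULT_CONF), ("tip", TIP_CONF),
                        ("tip+continue", MERGE_AGAIN_CONF)):
        conf = parse_nsswitch(text)
        for user in ("bret", "ipaonly"):
            consulted, groups = initgroups(conf, BACKENDS, user)
            print(label, user, getpwnam(conf, BACKENDS, user), consulted, sorted(groups))
```

With the default configuration the model reports that "bret" resolves from files for passwd but still has sss consulted for initgroups and ends up with the IPA groups merged in; with `initgroups: files sss` only files is consulted for him, while "ipaonly" still falls through to sss. The `[SUCCESS=continue]` variant shows how to keep an explicit line and yet restore the merging.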
