Hi there, I'm trying to debug a strange IPA timeout issue.

It's SSSD 1.14, IPA 4.4, RHEL 7.3, 2 IPA servers in AD trust. Besides being a bit slow on group membership lookups for users with a moderate number of groups, there are some users with a HUGE number of nested groups.

A server just installed, thereby having a clean cache:

# time id shja
id: shja: no such user

real 0m12.107s
user 0m0.000s
sys 0m0.007s

Hmm, let's try again:

# sss_cache -E && systemctl restart sssd
# time id shja
id: shja: no such user

real 0m58.016s
user 0m0.001s
sys 0m0.005s

Hmm..

# sss_cache -E && systemctl restart sssd
# time id shja
...about 30% of the user's groups are returned....

real 5m16.840s
user 0m0.010s
sys 0m0.019s

Next lookup is pretty fast and returns all groups (about 730).

# time id shja

real 0m7.670s
user 0m0.028s
sys 0m0.066s

A few questions. The first few times, id seems to bail out and report "no such user" after what seems to be a random amount of time. Then it actually starts fetching groups: it fetches a portion of the groups, and on the last try it fetches all groups. It looks like IPA is starting a thread running in the background, filling the cache, and this continues after the failed lookup?

Shouldn't SSSD be able to use the cache from the SSSD on the IPA server? In this example the IPA server had a full cache of the user and groups, but the time it took to do the lookup indicates it's still traversing the AD?

sssd.conf is pretty default: full_name_format = %1$s is set on the SSSD client. On the IPA server this is added (no full_name_format):

ignore_group_members = True
ldap_purge_cache_timeout = 0
ldap_user_principal = nosuchattr
subdomain_inherit = ldap_user_principal, ignore_group_members, ldap_purge_cache_timeout
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
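One check worth making before chasing timeouts in a trust setup is whether the tuning options in the IPA domain section actually reach the trusted AD subdomain: in SSSD they apply to the subdomain only when they are listed in subdomain_inherit. The following is an added example, not code from the post above or from the SSSD project. It parses an sssd.conf and reports, per domain section, which of the options the post sets are inherited, which are set for the IPA domain only, and which are unset. The sample configuration is constructed for the example (domain name and server name are placeholders), and it deliberately leaves ldap_purge_cache_timeout out of subdomain_inherit so the report has something to flag; the option list itself is an assumption drawn from the post, not an exhaustive SSSD list.

```python
"""Report which SSSD tuning options reach the AD trust subdomain.

Added example, not from the mailing-list post or the SSSD project.
Options set in [domain/<ipa-domain>] apply to the IPA domain; they reach
the trusted AD subdomain only if named in subdomain_inherit.
"""
import configparser

# Options to audit. Assumption: taken from the post's IPA-server config,
# not an exhaustive list of inheritable SSSD options.
TUNING_OPTIONS = (
    "ignore_group_members",
    "ldap_purge_cache_timeout",
    "ldap_user_principal",
)

# Constructed sample config (placeholder names). ldap_purge_cache_timeout
# is intentionally missing from subdomain_inherit.
SAMPLE_CONF = """\
[sssd]
services = nss, pam, ssh, sudo
domains = ipa.example.test

[domain/ipa.example.test]
id_provider = ipa
ipa_server = ipa1.example.test
ignore_group_members = True
ldap_purge_cache_timeout = 0
ldap_user_principal = nosuchattr
subdomain_inherit = ldap_user_principal, ignore_group_members
"""


def parse_sssd_conf(text):
    """Parse sssd.conf text; interpolation is off so values like %1$s parse."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def split_list(value):
    """Split a comma-separated SSSD list value into stripped items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def audit_domain(cp, section):
    """Return {option: 'inherited' | 'ipa-domain-only' | 'unset'} for one section."""
    inherited = set(split_list(cp.get(section, "subdomain_inherit", fallback="")))
    report = {}
    for opt in TUNING_OPTIONS:
        if not cp.has_option(section, opt):
            report[opt] = "unset"
        elif opt in inherited:
            report[opt] = "inherited"
        else:
            report[opt] = "ipa-domain-only"
    return report


def audit(text):
    """Audit every [domain/...] section in the given sssd.conf text."""
    cp = parse_sssd_conf(text)
    return {
        section: audit_domain(cp, section)
        for section in cp.sections()
        if section.startswith("domain/")
    }


def not_inherited(text):
    """List (section, option) pairs that are set but not inherited by subdomains."""
    return [
        (section, opt)
        for section, report in audit(text).items()
        for opt, status in report.items()
        if status == "ipa-domain-only"
    ]


if __name__ == "__main__":
    for section, report in audit(SAMPLE_CONF).items():
        print(section)
        for opt, status in report.items():
            print(f"  {opt}: {status}")
```

Run it against a real file with `audit(open("/etc/sssd/sssd.conf").read())`; any option reported as ipa-domain-only is one the AD subdomain lookups are not using, which is a common reason a setting that looks correct on the IPA server has no visible effect on trust users.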