Hi all....

Just wanted to follow up on this as I created a case with RedHat, and here are 
their findings, for all of you to share:

From RedHat support:

As per the current discussion with our engineering team.

The client requests info about a user. This goes to the IPA DS which calls into 
SSSD on the client which does a sequence of:
1) getgrouplist -> returns a list of GIDs the user is a member of
2) for gid in list_of_gids:

now, the problem is that the getgrgid on the server doesn't go directly to the 
domain the GID comes from -- in the general case this is not possible, because 
at least in the case of POSIX GIDs set by the admin we don't know which domain 
the GID is from. So what happens instead is that we search all the subdomains 
in the order they are discovered. Observe here:
(Mon Feb 27 09:27:29 2017) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [lx.dr.dk][0x2][BE_REQ_GROUP][1][idnumber=235088:-]
 -- this is the NSS responder searching the IPA domain. This is very fast since 
the SSSD and the IPA server are on the same machine
(Mon Feb 27 09:27:29 2017) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [place.dr.dk][0x2][BE_REQ_GROUP][1][idnumber=235088:-]
 -- but here we are searching the place.dr.dk domain
(Mon Feb 27 09:27:29 2017) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [net.dr.dk][0x2][BE_REQ_GROUP][1][idnumber=235088:-]
 -- then the net.dr.dk domain

I'm not sure we can do much in 7.3, unfortunately. But 7.4 will help in the 
sense that when the NSS responder is checking the caches and considering which 
back end server to contact, it would first loop over all the caches and try to 
first see if this ID already belongs to some domain as kind of a hint and first 
try to check this domain. In other words, instead of checking cache-server, 
cache-server it would check cache, cache, then server, server.

The other thing is, the back end could also, if the domain uses algorithmic ID 
mapping, decide sooner if the ID comes from its domain (as I said earlier, it's 
not possible in the general case if the admin assigns the POSIX IDs). There, we 
could reconstruct the SID from the GID and if the SID comes from a different 
domain, just abort the request.

We will be opening a bug based on our observation and update you further.


So, this is an actual bug, or maybe just not optimal design, but it is being made 
into an actual bug at RedHat.
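To make the two lookup orders concrete, here is a small Python model I put together; it is not SSSD's code. The domain names and GID come from the logs above, while the group names, cache contents and ID ranges are made up, and the "reconstruct the SID from the GID" check is simplified to an ID-range membership test.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Domain:
    """One SSSD domain: the IPA domain or a trusted subdomain (constructed model)."""
    name: str
    cache: Dict[int, str] = field(default_factory=dict)   # gid -> group, already cached
    server: Dict[int, str] = field(default_factory=dict)  # gid -> group, needs a back-end request
    id_range: Optional[Tuple[int, int]] = None            # set when the domain uses algorithmic ID mapping

def may_own(d: Domain, gid: int) -> bool:
    """Algorithmic ID mapping lets a domain reject a GID outside its range (simplified SID check)."""
    return d.id_range is None or d.id_range[0] <= gid <= d.id_range[1]

def lookup_cache_server(gid: int, domains: List[Domain]):
    """7.3 order: per domain in discovery order, check cache, then ask the back end."""
    requests: List[str] = []
    for d in domains:
        if gid in d.cache:
            return d.cache[gid], requests
        if not may_own(d, gid):
            continue                      # abort the request sooner, as the back end could
        requests.append(d.name)           # one back-end request to d's server
        if gid in d.server:
            return d.server[gid], requests
    return None, requests

def lookup_caches_first(gid: int, domains: List[Domain]):
    """7.4 order: every cache first (the hint), only then the servers in order."""
    requests: List[str] = []
    for d in domains:
        if gid in d.cache:
            return d.cache[gid], requests
    for d in domains:
        if not may_own(d, gid):
            continue
        requests.append(d.name)
        if gid in d.server:
            return d.server[gid], requests
    return None, requests

def make_domains(cached: bool, ranges: bool) -> List[Domain]:
    """Constructed sample: GID 235088 really lives in net.dr.dk."""
    lx = Domain("lx.dr.dk")
    place = Domain("place.dr.dk", id_range=(400000, 599999) if ranges else None)
    net = Domain("net.dr.dk", server={235088: "ad-group"},
                 id_range=(200000, 399999) if ranges else None)
    if cached:
        net.cache[235088] = "ad-group"
    return [lx, place, net]
```

Counting the entries in `requests` for each strategy shows why the third domain in the list pays for every lookup in the 7.3 order, and how a cache hit or an ID-range mismatch removes those round trips.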
