Hi all....
Just wanted to follow up on this as I created a case with RedHat, and here is
their findings, for all of you to share:
From RedHat support:
----------------------
As per the current discussion with our engineering team.
---
The client requests info about a user. This goes to the IPA DS which calls into
SSSD on the client which does a sequence of:
1) getgrouplist -> returns a list of GIDs the user is a member of
2) for gid in list_of_gids:
       getgrgid(gid)
Now, the problem is that the getgrgid on the server doesn't go directly to the
domain the GID comes from -- in the general case this is not possible, because
at least in the case of POSIX GIDs set by the admin we don't know which domain
the GID is from. So what happens instead is that we search all the subdomains
in the order they are discovered. Observe here:
(Mon Feb 27 09:27:29 2017) [sssd[nss]] [sss_dp_get_account_msg] (0x0400):
Creating request for [lx.dr.dk][0x2][BE_REQ_GROUP][1][idnumber=235088:-]
-- this is the NSS responder searching the IPA domain. This is very fast since
the SSSD and the IPA server are on the same machine
(Mon Feb 27 09:27:29 2017) [sssd[nss]] [sss_dp_get_account_msg] (0x0400):
Creating request for [place.dr.dk][0x2][BE_REQ_GROUP][1][idnumber=235088:-]
-- but here we are searching the place.dr.dk domain
(Mon Feb 27 09:27:29 2017) [sssd[nss]] [sss_dp_get_account_msg] (0x0400):
Creating request for [net.dr.dk][0x2][BE_REQ_GROUP][1][idnumber=235088:-]
-- then the net.dr.dk domain
I'm not sure we can do much in 7.3, unfortunately. But 7.4 will help in the
sense that when the NSS responder is checking the caches and considering which
back end server to contact, it would first loop over all the caches and try to
first see if this ID already belongs to some domain as kind of a hint and first
try to check this domain. In other words, instead of checking cache-server,
cache-server it would check cache, cache, then server, server.
The other thing is, the back end could also, if the domain uses algorithmic ID
mapping, decide sooner if the ID comes from its domain (as I said earlier, it's
not possible in the general case if the admin assigns the POSIX IDs). There, we
could reconstruct the SID from the GID and if the SID comes from a different
domain, just abort the request.
---
We will be opening a bug based on our observation and update you further.
------------
So, this is an actual bug, or maybe just a non-optimal design, but it is being
made into an actual bug at RedHat.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
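The lookup sequence from the support reply (getgrouplist, then getgrgid per GID, with each getgrgid walking the subdomains in discovery order) modelled in Python, as an added example that is not part of the original post and not SSSD's own code. The domain names are the ones in the log; the SIDs, ID ranges, GIDs, group names and cache contents are constructed for illustration. The 7.4 ordering is simplified to "all caches, then all servers" (the cache hint that picks which server to try first is not modelled), and the "abort on foreign SID" check assumes one contiguous algorithmic ID range per trusted domain.

```python
# Toy model of the SSSD group lookup path described in the support reply.
# Constructed example: domain names from the log, everything else made up.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Domain:
    name: str
    sid: Optional[str] = None          # domain SID; None for the IPA domain
    range_base: Optional[int] = None   # algorithmic ID range; None = admin-assigned POSIX IDs
    range_size: int = 0
    cache: Dict[int, str] = field(default_factory=dict)   # gid -> name already in the sss cache
    server: Dict[int, str] = field(default_factory=dict)  # gid -> name the back end would return


def sid_from_gid(domain: Domain, gid: int) -> Optional[str]:
    """Reconstruct the SID a GID maps to under algorithmic ID mapping.

    None means the domain hands out POSIX IDs by hand (no mapping possible)
    or the GID falls outside this domain's range, i.e. the SID is foreign.
    """
    if domain.sid is None or domain.range_base is None:
        return None
    rid = gid - domain.range_base
    if not 0 <= rid < domain.range_size:
        return None
    return f"{domain.sid}-{rid}"


def getgrgid(domains: List[Domain], gid: int, trace: List[str],
             cache_first: bool = False, early_abort: bool = False) -> Optional[str]:
    """Resolve one GID across the subdomains in discovery order.

    cache_first=False : 7.3 order, cache-server, cache-server, ...
    cache_first=True  : 7.4 order, cache, cache, ..., then server, server, ...
    early_abort=True  : an algorithmic-mapping back end refuses GIDs whose
                        reconstructed SID is not its own (no round trip).
    "server:<domain>" trace entries correspond to the sss_dp_get_account_msg
    requests in the log.
    """
    def from_cache(d: Domain) -> Optional[str]:
        trace.append(f"cache:{d.name}")
        return d.cache.get(gid)

    def from_server(d: Domain) -> Optional[str]:
        trace.append(f"server:{d.name}")
        name = d.server.get(gid)
        if name is not None:
            d.cache[gid] = name          # populate the cache like a real hit would
        return name

    if not cache_first:
        for d in domains:
            hit = from_cache(d) or from_server(d)
            if hit:
                return hit
        return None

    for d in domains:
        hit = from_cache(d)
        if hit:
            return hit
    for d in domains:
        if early_abort and d.range_base is not None and sid_from_gid(d, gid) is None:
            trace.append(f"abort:{d.name}")   # SID belongs elsewhere, skip the request
            continue
        hit = from_server(d)
        if hit:
            return hit
    return None


def resolve_user_groups(domains: List[Domain], gids: List[int], **opts):
    """getgrouplist() result in, getgrgid() per GID; returns names, the
    number of back-end requests made, and the full trace."""
    trace: List[str] = []
    names = [getgrgid(domains, g, trace, **opts) for g in gids]
    requests = sum(1 for step in trace if step.startswith("server:"))
    return names, requests, trace


def build_domains() -> List[Domain]:
    """Constructed topology in discovery order: IPA domain first, then two trusts."""
    ipa = Domain("lx.dr.dk", server={1001: "admins"})             # POSIX IDs set by the admin
    place = Domain("place.dr.dk", sid="S-1-5-21-1111-2222-3333",
                   range_base=200000, range_size=200000, server={210005: "place-users"})
    net = Domain("net.dr.dk", sid="S-1-5-21-4444-5555-6666",
                 range_base=400000, range_size=200000, server={410005: "net-users"})
    return [ipa, place, net]


if __name__ == "__main__":
    gids = [1001, 210005, 410005]           # constructed getgrouplist() output
    for label, opts in (("7.3", {}), ("7.4", {"cache_first": True, "early_abort": True})):
        doms = build_domains()
        for run in ("cold", "warm"):
            names, reqs, trace = resolve_user_groups(doms, gids, **opts)
            print(f"{label} {run}: {names} -> {reqs} back-end requests")
```

Running it shows the point of the reply: with a warm cache the 7.3 order still hits the lx.dr.dk and place.dr.dk back ends before finding the net.dr.dk group in its own cache, while the cache-first order makes no request at all; the IPA domain can never be skipped by the SID check because its IDs are admin-assigned.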