Greetings,

My first post to the forum.

We are running centos7 with freeipa. Syncing from AD, with one linux replica.
The ipa clients are getting installed by puppet. All the clients are performing 
fine, except one. I am getting slow ssh logins to one host, as well as slow 
'id' and 'who', etc.

I turned up the sss-debuglevel to 6, and compared the slow client to another, 
and I am seeing a section in the logs that is unique to the slow system, 
basically its doing a SSS_PAM_ACCT_MGMT, and I don't have any clue why. Same 
user logging in to both clients, one client does the SSS_PAM_ACCT_MGMT, 
followed by the SSS_PAM_OPEN_SESSION. While the other client only does 
SSS_PAM_OPEN_SESSION, and is much faster. (1 second vs 2-8 seconds)
It seems the SSS_PAM_ACCT_MGMT is the slow culprit, and I don't know why its 
running.

Any idea what would cause this or where I should look?

Below are the log for a good fast client, followed by the log from the slow 
client.

Thanks!!

Good Client
[dp_get_account_info_handler] (0x0200): Got request for 
[0x3][BE_REQ_INITGROUPS][1][name=nob...@ipa.mydomain.org]
[sysdb_get_real_name] (0x0040): Cannot find user [nob...@ipa.mydomain.org] in 
cache
[ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
[dp_get_account_info_handler] (0x0200): Got request for 
[0x1][BE_REQ_USER][1][name=myusern...@ipa.mydomain.org]
[sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such 
object](32)[ldb_wait: No such object (32)]
[sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for 
name=myusern...@ipa.mydomain.org,cn=users,cn=ipa.mydomain.org,cn=sysdb
[dp_get_account_info_handler] (0x0200): Got request for 
[0x1][BE_REQ_USER][1][name=myusern...@ipa.mydomain.org]
[sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such 
object](32)[ldb_wait: No such object (32)]
[sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for 
name=myusern...@ipa.mydomain.org,cn=users,cn=ipa.mydomain.org,cn=sysdb
[dp_get_account_info_handler] (0x0200): Got request for 
[0x3][BE_REQ_INITGROUPS][1][name=myusern...@ipa.mydomain.org]
[sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such 
object](32)[ldb_wait: No such object (32)]
[sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for 
name=myusern...@ipa.mydomain.org,cn=users,cn=ipa.mydomain.org,cn=sysdb
[sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such 
object](32)[ldb_wait: No such object (32)]
[sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for 
name=myusern...@ipa.mydomain.org,cn=users,cn=ipa.mydomain.org,cn=sysdb
[dp_pam_handler] (0x0100): Got request with the following data
[pam_print_data] (0x0100): command: SSS_PAM_OPEN_SESSION
[pam_print_data] (0x0100): domain: ipa.mydomain.org
[pam_print_data] (0x0100): user: myusern...@ipa.mydomain.org
[pam_print_data] (0x0100): service: sshd
[pam_print_data] (0x0100): tty: ssh
[pam_print_data] (0x0100): ruser:
[pam_print_data] (0x0100): rhost: myhost.mydomain.org
[pam_print_data] (0x0100): authtok type: 0
[pam_print_data] (0x0100): newauthtok type: 0
[pam_print_data] (0x0100): priv: 1
[pam_print_data] (0x0100): cli_pid: 26697
[pam_print_data] (0x0100): logon name: not set


Bad Client
[dp_get_account_info_handler] (0x0200): Got request for 
[0x3][BE_REQ_INITGROUPS][1][name=nob...@ipa.mydomain.org]
[sysdb_get_real_name] (0x0040): Cannot find user [nob...@ipa.mydomain.org] in 
cache
[ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
[dp_get_account_info_handler] (0x0200): Got request for 
[0x1][BE_REQ_USER][1][name=myusern...@ipa.mydomain.org]
[sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such 
object](32)[ldb_wait: No such object (32)]
[sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for 
name=myusern...@ipa.mydomain.org,cn=users,cn=ipa.mydomain.org,cn=sysdb
[dp_get_account_info_handler] (0x0200): Got request for 
[0x1][BE_REQ_USER][1][name=myusern...@ipa.mydomain.org]
[sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such 
object](32)[ldb_wait: No such object (32)]
[sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for 
name=myusern...@ipa.mydomain.org,cn=users,cn=ipa.mydomain.org,cn=sysdb
[dp_get_account_info_handler] (0x0200): Got request for 
[0x3][BE_REQ_INITGROUPS][1][name=myusern...@ipa.mydomain.org]
[sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such 
object](32)[ldb_wait: No such object (32)]
[sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for 
name=myusern...@ipa.mydomain.org,cn=users,cn=ipa.mydomain.org,cn=sysdb
[sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such 
object](32)[ldb_wait: No such object (32)]
[sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for 
name=myusern...@ipa.mydomain.org,cn=users,cn=ipa.mydomain.org,cn=sysdb
[dp_pam_handler] (0x0100): Got request with the following data
[pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
[pam_print_data] (0x0100): domain: ipa.mydomain.org
[pam_print_data] (0x0100): user: myusern...@ipa.mydomain.org
[pam_print_data] (0x0100): service: sshd
[pam_print_data] (0x0100): tty: ssh
[pam_print_data] (0x0100): ruser:
[pam_print_data] (0x0100): rhost: myh...@mydomain.org
[pam_print_data] (0x0100): authtok type: 0
[pam_print_data] (0x0100): newauthtok type: 0
[pam_print_data] (0x0100): priv: 1
[pam_print_data] (0x0100): cli_pid: 183633
[pam_print_data] (0x0100): logon name: not set
[ipa_hostgroup_info_done] (0x0200): Dereferenced host group: darkjedi
[sysdb_delete_entry] (0x0080): sysdb_delete_ts_entry failed: 0
[sysdb_delete_entry] (0x0080): sysdb_delete_ts_entry failed: 0
[sysdb_delete_entry] (0x0080): sysdb_delete_ts_entry failed: 0
[sysdb_delete_entry] (0x0080): sysdb_delete_ts_entry failed: 0
[sysdb_delete_entry] (0x0080): sysdb_delete_ts_entry failed: 0
[sysdb_delete_entry] (0x0080): sysdb_delete_ts_entry failed: 0
[sysdb_delete_entry] (0x0080): sysdb_delete_ts_entry failed: 0
[sysdb_delete_entry] (0x0080): sysdb_delete_ts_entry failed: 0
[sysdb_delete_entry] (0x0080): sysdb_delete_ts_entry failed: 0
[sysdb_delete_entry] (0x0080): sysdb_delete_ts_entry failed: 0
[sysdb_delete_entry] (0x0080): sysdb_delete_ts_entry failed: 0
[sysdb_delete_entry] (0x0080): sysdb_delete_ts_entry failed: 0
[sysdb_delete_entry] (0x0080): sysdb_delete_ts_entry failed: 0
[sysdb_delete_entry] (0x0080): sysdb_delete_ts_entry failed: 0
[sysdb_delete_entry] (0x0080): sysdb_delete_ts_entry failed: 0
[sysdb_delete_entry] (0x0080): sysdb_delete_ts_entry failed: 0
[sysdb_delete_entry] (0x0080): sysdb_delete_ts_entry failed: 0
[sysdb_delete_entry] (0x0080): sysdb_delete_ts_entry failed: 0
[sysdb_delete_entry] (0x0080): sysdb_delete_ts_entry failed: 0
[sysdb_delete_entry] (0x0080): sysdb_delete_ts_entry failed: 0
[sysdb_delete_entry] (0x0080): sysdb_delete_ts_entry failed: 0
[hbac_get_category] (0x0200): Category is set to 'all'.
[get_ipa_groupname] (0x0020): Expected cn in RDN, got uid
[hbac_user_attrs_to_rule] (0x0020): 
[uid=slurm,cn=users,cn=accounts,dc=ipa,dc=mydomain,dc=org] does not map to 
either a user or group. Skipping
[hbac_get_category] (0x0200): Category is set to 'all'.
[hbac_get_category] (0x0200): Category is set to 'all'.
[get_ipa_groupname] (0x0020): Expected groups second component, got privileges
[get_ipa_groupname] (0x0020): Expected groups second component, got permissions
[get_ipa_groupname] (0x0020): Expected groups second component, got permissions
[get_ipa_groupname] (0x0020): Expected groups second component, got permissions
[get_ipa_groupname] (0x0020): Expected groups second component, got permissions
[get_ipa_groupname] (0x0020): Expected groups second component, got permissions
[get_ipa_groupname] (0x0020): Expected groups second component, got permissions
[get_ipa_groupname] (0x0020): Expected groups second component, got permissions
[get_ipa_groupname] (0x0020): Expected groups second component, got permissions
[get_ipa_groupname] (0x0020): Expected groups second component, got permissions
[get_ipa_groupname] (0x0020): Expected groups second component, got permissions
[get_ipa_groupname] (0x0020): Expected groups second component, got permissions
[get_ipa_groupname] (0x0020): Expected groups second component, got privileges
[get_ipa_groupname] (0x0020): Expected groups second component, got permissions
[get_ipa_groupname] (0x0020): Expected groups second component, got permissions
[get_ipa_groupname] (0x0020): Expected groups second component, got permissions
[get_ipa_groupname] (0x0020): Expected groups second component, got permissions
[get_ipa_groupname] (0x0020): Expected groups second component, got permissions
[get_ipa_groupname] (0x0020): Expected groups second component, got permissions
[get_ipa_groupname] (0x0020): Expected cn in RDN, got ipaUniqueID
[get_ipa_groupname] (0x0020): Expected cn in RDN, got ipaUniqueID
[hbac_evaluate] (0x0100): [< hbac_evaluate()
[hbac_evaluate] (0x0100): The rule [darkjedi-access] did not match.
[hbac_evaluate] (0x0100): ALLOWED by rule [Infrastructure].
[hbac_evaluate] (0x0100): hbac_evaluate() >]
[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Infrastructure]
[dp_get_account_info_handler] (0x0200): Got request for 
[0x3][BE_REQ_INITGROUPS][1][name=myusern...@ipa.mydomain.org]
[sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such 
object](32)[ldb_wait: No such object (32)]
[sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for 
name=myusern...@ipa.mydomain.org,cn=users,cn=ipa.mydomain.org,cn=sysdb
[sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such 
object](32)[ldb_wait: No such object (32)]
[sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for 
name=myusern...@ipa.mydomain.org,cn=users,cn=ipa.mydomain.org,cn=sysdb
[dp_pam_handler] (0x0100): Got request with the following data
[pam_print_data] (0x0100): command: SSS_PAM_OPEN_SESSION
[pam_print_data] (0x0100): domain: ipa.mydomain.org
[pam_print_data] (0x0100): user: myusern...@ipa.mydomain.org
[pam_print_data] (0x0100): service: sshd
[pam_print_data] (0x0100): tty: ssh
[pam_print_data] (0x0100): ruser:
[pam_print_data] (0x0100): rhost: myh...@mydomain.org
[pam_print_data] (0x0100): authtok type: 0
[pam_print_data] (0x0100): newauthtok type: 0
[pam_print_data] (0x0100): priv: 1
[pam_print_data] (0x0100): cli_pid: 183633
[pam_print_data] (0x0100): logon name: not set
[dp_get_account_info_handler] (0x0200): Got request for 
[0x3][BE_REQ_INITGROUPS][1][name=myusern...@ipa.mydomain.org]
[sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such 
object](32)[ldb_wait: No such object (32)]
[sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for 
name=myusern...@ipa.mydomain.org,cn=users,cn=ipa.mydomain.org,cn=sysdb
[sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such 
object](32)[ldb_wait: No such object (32)]
[sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for 
name=myusern...@ipa.mydomain.org,cn=users,cn=ipa.mydomain.org,cn=sysdb
[dp_get_account_info_handler] (0x0200): Got request for 
[0x2][BE_REQ_GROUP][1][idnumber=1051800710]
[sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such 
object](32)[ldb_wait: No such object (32)]
[sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for 
name=myusern...@ipa.mydomain.org,cn=groups,cn=ipa.mydomain.org,cn=sysdb
[sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such 
object](32)[ldb_wait: No such object (32)]
[sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for 
name=myusern...@ipa.mydomain.org,cn=groups,cn=ipa.mydomain.org,cn=sysdb




[cid:image002.png@01D29E69.6E7C99E0]<http://www.swri.org/>

Jim Kilborn,  Principal Technical Specialist
Information Technology, Division 18
Southwest Research Institute
Office (210) 522-2739     jim.kilb...@swri.org


[cid:image004.png@01D29D66.A9B19BE0]<https://www.linkedin.com/company/southwest-research-institute>
 [cid:image005.png@01D29D66.A9B19BE0] 
<https://www.facebook.com/southwestresearch>  
[cid:image006.png@01D29D66.A9B19BE0] <https://www.youtube.com/user/SwRItv>  
[cid:image007.png@01D29D66.A9B19BE0] <https://twitter.com/swri>

Advanced science. Applied technology.




-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to