Re: [Freeipa-users] sssd doesn't cache, as it seems
Hi Jakub,

On 01/21/17 13:49, Jakub Hrozek wrote:
> Can you check what kind of query you see in the LDAP server log?

The git server does just a few queries per hour:

[21/Jan/2017:16:27:53.098932003 +0100] conn=8 op=39431 SRCH base="dc=example,dc=de" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/tisde8i005.ac.example...@example.de)(krbPrincipalName:caseIgnoreIA5Match:=host/tisde8i005.ac.example...@example.de)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Jan/2017:16:27:53.100196009 +0100] conn=8 op=39435 SRCH base="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
[21/Jan/2017:16:27:53.100426687 +0100] conn=8 op=39436 SRCH base="cn=tisde8i005.ac.example.de,cn=masters,cn=ipa,cn=etc,dc=example,dc=de" scope=0 filter="(objectClass=*)" attrs=ALL
[21/Jan/2017:16:27:53.100658375 +0100] conn=8 op=39437 MOD dn="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de"
[21/Jan/2017:16:27:53.125278099 +0100] conn=9119 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de"
[21/Jan/2017:16:28:37.001050661 +0100] conn=9119 op=891 SRCH base="cn=accounts,dc=example,dc=de" scope=2 filter="(&(objectClass=ipaHost)(fqdn=tisde8i005.ac.example.de))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[21/Jan/2017:16:28:37.003968246 +0100] conn=9119 op=892 SRCH base="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[21/Jan/2017:16:28:37.006876504 +0100] conn=9119 op=894 SRCH base="cn=sudo,dc=example,dc=de" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(!(memberHost=*))(hostCategory=ALL)(memberHost=fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de))(entryusn>=1))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
[21/Jan/2017:16:42:47.447444525 +0100] conn=7 op=22424 SRCH base="dc=example,dc=de" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=host/tisde8i005.ac.example...@example.de))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Jan/2017:16:42:47.459190497 +0100] conn=9208 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de"
[21/Jan/2017:16:43:37.000841869 +0100] conn=9208 op=961 SRCH base="cn=accounts,dc=example,dc=de" scope=2 filter="(&(objectClass=ipaHost)(fqdn=tisde8i005.ac.example.de))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[21/Jan/2017:16:43:37.002362473 +0100] conn=9208 op=962 SRCH base="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[21/Jan/2017:16:43:37.005732600 +0100] conn=9208 op=964 SRCH base="cn=sudo,dc=example,dc=de" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(!(memberHost=*))(hostCategory=ALL)(memberHost=fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de))(entryusn>=1))" attrs="objectClass cn
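Added example, not part of any message in this thread: a small Python script that does the check Jakub asked for from the server side. It parses 389-ds access-log SRCH lines of the shape quoted above, groups them by (base, scope, filter), and reports any triple that recurs within a one-second window, which is what a client that is not hitting its SSSD cache looks like in the directory server's log. The log lines embedded below are constructed to match that format; the posixAccount lookup for "someuser" is made up and does not appear in the thread.

```python
"""Flag identical LDAP searches repeated within a short window in a 389-ds access log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shape of a 389-ds access-log SRCH line, e.g.
# [21/Jan/2017:16:28:37.001050661 +0100] conn=9119 op=891 SRCH base="..." scope=2 filter="..." attrs="..."
SRCH_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH '
    r'base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"'
)

# Constructed sample: two host lookups, one RESULT line (ignored), and one user
# lookup repeated five times, four of them inside a single second.
SAMPLE_LOG = """\
[21/Jan/2017:16:28:37.001050661 +0100] conn=9119 op=891 SRCH base="cn=accounts,dc=example,dc=de" scope=2 filter="(&(objectClass=ipaHost)(fqdn=tisde8i005.ac.example.de))" attrs="objectClass cn fqdn"
[21/Jan/2017:16:28:37.003968246 +0100] conn=9119 op=892 SRCH base="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[21/Jan/2017:16:28:37.004000000 +0100] conn=9119 op=893 RESULT err=0 tag=101 nentries=1 etime=0
[21/Jan/2017:16:28:38.100000000 +0100] conn=9120 op=5 SRCH base="cn=accounts,dc=example,dc=de" scope=2 filter="(&(objectClass=posixAccount)(uid=someuser))" attrs="uid cn gidNumber"
[21/Jan/2017:16:28:38.150000000 +0100] conn=9120 op=7 SRCH base="cn=accounts,dc=example,dc=de" scope=2 filter="(&(objectClass=posixAccount)(uid=someuser))" attrs="uid cn gidNumber"
[21/Jan/2017:16:28:38.200000000 +0100] conn=9120 op=9 SRCH base="cn=accounts,dc=example,dc=de" scope=2 filter="(&(objectClass=posixAccount)(uid=someuser))" attrs="uid cn gidNumber"
[21/Jan/2017:16:28:38.250000000 +0100] conn=9120 op=11 SRCH base="cn=accounts,dc=example,dc=de" scope=2 filter="(&(objectClass=posixAccount)(uid=someuser))" attrs="uid cn gidNumber"
[21/Jan/2017:16:28:39.300000000 +0100] conn=9120 op=13 SRCH base="cn=accounts,dc=example,dc=de" scope=2 filter="(&(objectClass=posixAccount)(uid=someuser))" attrs="uid cn gidNumber"
"""


def parse_ts(raw):
    """389-ds prints nanoseconds; strptime's %f takes at most six digits, so truncate."""
    main, rest = raw.split(".", 1)
    frac, tz = rest.split(" ", 1)
    return datetime.strptime(f"{main}.{frac[:6]} {tz}", "%d/%b/%Y:%H:%M:%S.%f %z")


def parse_searches(lines):
    """Return one dict per SRCH line; RESULT, MOD and other operations are skipped."""
    found = []
    for line in lines:
        m = SRCH_RE.match(line)
        if m:
            found.append({
                "ts": parse_ts(m["ts"]),
                "conn": int(m["conn"]),
                "op": int(m["op"]),
                "base": m["base"],
                "scope": int(m["scope"]),
                "filter": m["filter"],
            })
    return found


def repeated_queries(searches, window=timedelta(seconds=1), threshold=3):
    """Map (base, scope, filter) -> largest number of identical searches seen
    inside any `window`, keeping only keys that reach `threshold`."""
    stamps_by_key = defaultdict(list)
    for s in searches:
        stamps_by_key[(s["base"], s["scope"], s["filter"])].append(s["ts"])
    flagged = {}
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        best, lo = 0, 0
        for hi, t in enumerate(stamps):          # sliding window over sorted timestamps
            while t - stamps[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged


def analyze(log_text, window=timedelta(seconds=1), threshold=3):
    return repeated_queries(parse_searches(log_text.splitlines()), window, threshold)


if __name__ == "__main__":
    for (base, scope, flt), burst in analyze(SAMPLE_LOG).items():
        print(f"{burst} identical searches within 1s: base={base} scope={scope} filter={flt}")
```

Point it at a real access log with `analyze(open(path).read())`; a healthy SSSD client should produce no flagged keys for user or group lookups, since identical lookups inside the cache lifetime never reach the server. Host and sudo-rule refreshes like the ones in the log above are expected to recur, but minutes apart, not within a second.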
Re: [Freeipa-users] sssd doesn't cache, as it seems
> On 21 Jan 2017, at 06:46, Harald Dunkel wrote:
>
> On 01/20/17 18:42, Simo Sorce wrote:
>> Is your server being used for authentication ?
>> SSSD, by default, always refreshes user credentials on authentication,
>> but you can use the cached_auth_timeout setting to relax this
>> requirement in SSSD, and reduce the roundtrips for auth attempts.
>
> I have set both pam_id_timeout and cached_auth_timeout to 30.
> No change, still several requests per second for each user.
>
> ???
> Harri

Can you check what kind of query you see in the LDAP server log?

Do the server logs correlate with debug logs from the nss and domain sections of sssd?

Are you sure there is no other NSS module in nsswitch.conf other than files and sss?

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
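Added example, not part of Jakub's message or of the SSSD project: a Python helper for the two client-side checks he raises, namely which NSS modules nsswitch.conf consults besides files and sss, and what the cache-related settings in sssd.conf actually are. Both input files below are constructed; the `ldap` and `nis` modules in the nsswitch sample are there to show what a positive finding looks like. entry_cache_timeout is a real sssd.conf domain option that is not mentioned in the thread.

```python
"""Report extra NSS modules and SSSD cache settings from nsswitch.conf / sssd.conf text."""
import configparser

# Constructed /etc/nsswitch.conf: passwd and netgroup consult modules beyond files/sss.
NSSWITCH_SAMPLE = """\
# constructed sample
passwd:         files sss ldap
group:          files sss
shadow:         files sss
hosts:          files dns
netgroup:       nis sss
sudoers:        files sss [NOTFOUND=return]
"""

# Constructed sssd.conf modelled on the one posted in the thread.
SSSD_CONF_SAMPLE = """\
[sssd]
services = nss, sudo, pam, ssh
domains = example.de

[domain/example.de]
id_provider = ipa
cache_credentials = True
cached_auth_timeout = 30

[pam]
pam_id_timeout = 30
"""

# Databases where a second lookup backend would bypass SSSD's cache entirely.
NAME_DATABASES = {"passwd", "group", "shadow", "netgroup", "sudoers", "services"}
EXPECTED_MODULES = {"files", "sss"}


def extra_nss_modules(text):
    """Return {database: [modules other than files/sss]} for the databases above."""
    extras = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, _, mods = line.partition(":")
        db = db.strip()
        if db not in NAME_DATABASES:
            continue
        # Drop action tokens such as [NOTFOUND=return]; they are not modules.
        modules = [m for m in mods.split() if not m.startswith("[")]
        unexpected = [m for m in modules if m not in EXPECTED_MODULES]
        if unexpected:
            extras[db] = unexpected
    return extras


# Which keys to report per section kind; a missing key reports as None.
CACHE_KEYS = {
    "domain": ["cache_credentials", "cached_auth_timeout", "entry_cache_timeout"],
    "pam": ["pam_id_timeout"],
}


def cache_settings(text):
    """Return {"<section>/<key>": value-or-None} for the cache-related keys."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    report = {}
    for section in cp.sections():
        kind = "domain" if section.startswith("domain/") else section
        for key in CACHE_KEYS.get(kind, []):
            report[f"{section}/{key}"] = cp.get(section, key, fallback=None)
    return report


if __name__ == "__main__":
    print("extra NSS modules:", extra_nss_modules(NSSWITCH_SAMPLE))
    for k, v in cache_settings(SSSD_CONF_SAMPLE).items():
        print(f"{k} = {v if v is not None else '(unset, default applies)'}")
```

On a real host, feed it `open("/etc/nsswitch.conf").read()` and `open("/etc/sssd/sssd.conf").read()` (the latter is root-readable only). Any module listed for passwd or group other than files and sss means some lookups never go through SSSD and so never benefit from its cache, which is exactly the situation Jakub's last question is meant to rule out.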
Re: [Freeipa-users] sssd doesn't cache, as it seems
On 01/20/17 18:42, Simo Sorce wrote:
> Is your server being used for authentication ?
> SSSD, by default, always refreshes user credentials on authentication,
> but you can use the cached_auth_timeout setting to relax this
> requirement in SSSD, and reduce the roundtrips for auth attempts.

I have set both pam_id_timeout and cached_auth_timeout to 30.
No change, still several requests per second for each user.

???
Harri

[domain/example.de]
debug_level = 0x0370
cache_credentials = True
cached_auth_timeout = 30
krb5_store_password_if_offline = True
ipa_domain = example.de
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = tisde8i005.ac.example.de
chpass_provider = ipa
ipa_server = _srv_, ipa1.example.de
dns_discovery_domain = example.de
selinux_provider = none

[sssd]
debug_level = 0x0370
services = nss, sudo, pam, ssh
config_file_version = 2
domains = example.de

[nss]
debug_level = 0x0370
homedir_substring = /home

[pam]
pam_id_timeout = 30
debug_level = 0x0370

[sudo]

[autofs]

[ssh]
debug_level = 0x0370

[pac]

[ifp]
Re: [Freeipa-users] sssd doesn't cache, as it seems
On Fri, 2017-01-20 at 18:14 +0100, Harald Dunkel wrote:
> Hi folks,
>
> I see a pretty large number of ldap requests sent by our git
> server, asking for the same account info again and again.
> Sometimes it asks 20 times per second for the same user info,
> for example.
>
> Obviously caching doesn't work.

Is your server being used for authentication ?
SSSD, by default, always refreshes user credentials on authentication,
but you can use the cached_auth_timeout setting to relax this
requirement in SSSD, and reduce the roundtrips for auth attempts.

HTH,
Simo.

> I remember some note in the
> installation guide suggesting to turn off nscd and that sssd
> takes over this job, so I wonder wth? A recent email in this
> forum suggested to set selinux_provider = none, but this
> didn't help.
>
> Ipa server is Centos 7.3, client is on Jessie with sssd 1.13.4.
>
> sssd.conf is attached, of course. Every helpful comment is highly
> appreciated.
>
> Harri

--
Simo Sorce * Red Hat, Inc * New York
[Freeipa-users] sssd doesn't cache, as it seems
Hi folks,

I see a pretty large number of ldap requests sent by our git server, asking for the same account info again and again. Sometimes it asks 20 times per second for the same user info, for example.

Obviously caching doesn't work. I remember some note in the installation guide suggesting to turn off nscd and that sssd takes over this job, so I wonder wth? A recent email in this forum suggested to set selinux_provider = none, but this didn't help.

Ipa server is Centos 7.3, client is on Jessie with sssd 1.13.4.

sssd.conf is attached, of course. Every helpful comment is highly appreciated.

Harri

[domain/example.de]
debug_level = 0x0370
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.de
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = tisde8i005.ac.example.de
chpass_provider = ipa
ipa_server = _srv_, ipa1.example.de
dns_discovery_domain = example.de
selinux_provider = none

[sssd]
debug_level = 0x0370
services = nss, sudo, pam, ssh
config_file_version = 2
domains = example.de

[nss]
debug_level = 0x0370
homedir_substring = /home

[pam]
debug_level = 0x0370

[sudo]

[autofs]

[ssh]
debug_level = 0x0370

[pac]

[ifp]