Re: [Freeipa-users] sssd doesn't cache, as it seems

2017-01-21 Thread Harald Dunkel

Hi Jakub,

On 01/21/17 13:49, Jakub Hrozek wrote:
> 
> Can you check what kind of query do you see in the LDAP server log?
> 

The git server does just a few queries per hour:

[21/Jan/2017:16:27:53.098932003 +0100] conn=8 op=39431 SRCH base="dc=example,dc=de" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/tisde8i005.ac.example...@example.de)(krbPrincipalName:caseIgnoreIA5Match:=host/tisde8i005.ac.example...@example.de)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Jan/2017:16:27:53.100196009 +0100] conn=8 op=39435 SRCH base="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
[21/Jan/2017:16:27:53.100426687 +0100] conn=8 op=39436 SRCH base="cn=tisde8i005.ac.example.de,cn=masters,cn=ipa,cn=etc,dc=example,dc=de" scope=0 filter="(objectClass=*)" attrs=ALL
[21/Jan/2017:16:27:53.100658375 +0100] conn=8 op=39437 MOD dn="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de"
[21/Jan/2017:16:27:53.125278099 +0100] conn=9119 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de"
[21/Jan/2017:16:28:37.001050661 +0100] conn=9119 op=891 SRCH base="cn=accounts,dc=example,dc=de" scope=2 filter="(&(objectClass=ipaHost)(fqdn=tisde8i005.ac.example.de))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[21/Jan/2017:16:28:37.003968246 +0100] conn=9119 op=892 SRCH base="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[21/Jan/2017:16:28:37.006876504 +0100] conn=9119 op=894 SRCH base="cn=sudo,dc=example,dc=de" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(!(memberHost=*))(hostCategory=ALL)(memberHost=fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de))(entryusn>=1))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
[21/Jan/2017:16:42:47.447444525 +0100] conn=7 op=22424 SRCH base="dc=example,dc=de" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=host/tisde8i005.ac.example...@example.de))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Jan/2017:16:42:47.459190497 +0100] conn=9208 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de"
[21/Jan/2017:16:43:37.000841869 +0100] conn=9208 op=961 SRCH base="cn=accounts,dc=example,dc=de" scope=2 filter="(&(objectClass=ipaHost)(fqdn=tisde8i005.ac.example.de))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[21/Jan/2017:16:43:37.002362473 +0100] conn=9208 op=962 SRCH base="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[21/Jan/2017:16:43:37.005732600 +0100] conn=9208 op=964 SRCH base="cn=sudo,dc=example,dc=de" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(!(memberHost=*))(hostCategory=ALL)(memberHost=fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de))(entryusn>=1))" attrs="objectClass cn
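An access-log excerpt like the one above is easier to reason about once it is parsed rather than eyeballed. What follows is an added example, not code from this thread or from the FreeIPA/SSSD projects: it parses 389-ds access-log records of the shape shown and flags any (connection, base, filter) triple that is searched many times inside a one-second window, which is what a client that is not answering lookups from its own cache looks like from the server side. The embedded sample log is constructed; its 20-per-second burst for one user models the symptom Harald reports, and the `uid=harri` filter in it is a simplified stand-in, not sssd's exact user-lookup filter.

```python
"""Flag LDAP searches that a caching sssd client should not be repeating.

Added example for the thread above: parses 389-ds access-log records and
reports (conn, base, filter) triples searched many times inside a short
window.  SAMPLE_LOG below is constructed; the uid=harri filter is a
simplified stand-in for sssd's real user lookup, not the exact filter it sends.
"""
import re
from collections import defaultdict
from datetime import datetime

# One access-log record per line: "[ts] conn=N op=N KIND key=value ...".
RECORD_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) '
    r'(?P<kind>[A-Z]+)(?P<rest>.*)$')
# key="quoted value" or key=bare; 389-ds always quotes filters, bases and DNs.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_timestamp(ts):
    """389-ds prints nanoseconds; strptime's %f takes at most six digits."""
    head, _, tail = ts.partition('.')
    frac, _, tz = tail.partition(' ')
    return datetime.strptime(f'{head}.{frac[:6]} {tz}', '%d/%b/%Y:%H:%M:%S.%f %z')


def parse_line(line):
    """Return a dict for one record, or None for continuation/garbage lines."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {'ts': parse_timestamp(m['ts']), 'conn': int(m['conn']),
           'op': int(m['op']), 'kind': m['kind']}
    for key, quoted, bare in FIELD_RE.findall(m['rest']):
        rec[key] = quoted if quoted else bare
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def burst_searches(records, window=1.0, threshold=5):
    """Map (conn, base, filter) -> peak number of identical SRCH ops seen in
    any `window`-second span, keeping only keys at or above `threshold`.
    A warm sssd cache answers repeated lookups locally, so a high peak here
    means the client is asking the server on every call."""
    times = defaultdict(list)
    for r in records:
        if r['kind'] == 'SRCH':
            times[(r['conn'], r.get('base'), r.get('filter'))].append(r['ts'])
    hot = {}
    for key, stamps in times.items():
        stamps.sort()
        peak, start = 0, 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hot[key] = peak
    return hot


def _rec(ts, conn, op, kind, rest):
    return f'[{ts} +0100] conn={conn} op={op} {kind} {rest}'


USER_SRCH = ('base="cn=accounts,dc=example,dc=de" scope=2 '
             'filter="(&(objectClass=posixAccount)(uid=harri))" '
             'attrs="uid uidNumber gidNumber"')
HOST_SRCH = ('base="cn=accounts,dc=example,dc=de" scope=2 '
             'filter="(&(objectClass=ipaHost)(fqdn=tisde8i005.ac.example.de))" '
             'attrs="objectClass cn fqdn"')

# Constructed sample: one host lookup, then the same user lookup 20 times in
# under a second on the client's connection (conn=9119), then one more later.
SAMPLE_LOG = '\n'.join(
    [_rec('21/Jan/2017:16:28:37.001050661', 9119, 891, 'SRCH', HOST_SRCH)]
    + [_rec(f'21/Jan/2017:16:30:00.{i * 40000:06d}000', 9119, 1000 + i, 'SRCH', USER_SRCH)
       for i in range(20)]
    + [_rec('21/Jan/2017:16:30:30.000000000', 9119, 1100, 'SRCH', USER_SRCH),
       _rec('21/Jan/2017:16:30:30.002000000', 9119, 1100, 'RESULT',
            'err=0 tag=101 nentries=1 etime=0')])


def report(text=SAMPLE_LOG, **kw):
    """Print and return the hot (conn, base, filter) triples, busiest first."""
    hot = burst_searches(parse_log(text), **kw)
    for (conn, base, flt), peak in sorted(hot.items(), key=lambda kv: -kv[1]):
        print(f'conn={conn} peak={peak}/window base={base} filter={flt}')
    return hot


if __name__ == '__main__':
    report()
```

When running this over a real access log, keep in mind that the long-lived, low-numbered connections in the excerpt (conn=7 and conn=8) ask for krbPrincipalKey, which is what the IPA KDC's own lookups look like, not an sssd client's; the script treats every connection alike and leaves that separation to the reader.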

Re: [Freeipa-users] sssd doesn't cache, as it seems

2017-01-21 Thread Jakub Hrozek

> On 21 Jan 2017, at 06:46, Harald Dunkel  wrote:
> 
> On 01/20/17 18:42, Simo Sorce wrote:
>> 
>> Is your server being used for authentication ?
>> SSSD, by default, always refreshes user credentials on authentication,
>> but you can use the cached_auth_timeout setting to relax this
>> requirement in SSSD, and reduce the roundtrips for auth attempts.
>> 
> 
> I have set both pam_id_timeout and cached_auth_timeout to 30.
> No change, still several requests per second for each user.
> 
> ???
> Harri
> 

Can you check what kind of query do you see in the LDAP server log?

Do the server logs correlate with debug logs from the nss and domain sections 
of sssd?

Are you sure there is no other NSS module in nsswitch.conf other than files and 
sss?

> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project


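Jakub's third question, and Simo's point about cached_auth_timeout earlier in the thread, are things one can check mechanically. The script below is an added example, not part of this thread or of the SSSD project: it reports NSS sources in nsswitch.conf other than files/compat/sss for the identity databases, and audits an sssd.conf for the settings that defeat caching (cache_credentials, cached_auth_timeout, entry_cache_timeout), using the defaults documented in sssd.conf(5). Both input files are constructed; the sssd.conf is modelled on the one Harald posted, and the "fixed" variant adds the options the thread discusses. One caveat worth adding: cached_auth_timeout is, as far as I recall, newer than the 1.13 series that Harald's Jessie client runs, and sssd of that vintage does not reject an option it does not know, so the audit reports what the file says, not what the running daemon honours; check the release's own sssd.conf(5) before relying on it.

```python
"""Audit the client-side settings that decide whether lookups go to LDAP.

Added example: checks nsswitch.conf for NSS sources other than files/sss
(Jakub's question) and sssd.conf for options that force every lookup or
authentication to the server.  Both files are embedded as constructed
samples; the sssd.conf is modelled on the one posted in the thread.
"""
import configparser
import re

# 'compat' is glibc's files-plus-NIS-entries source; without '+' lines in
# /etc/passwd it behaves like 'files', so it is treated as local here.
LOCAL_SOURCES = {'files', 'compat', 'sss'}
IDENTITY_DBS = ('passwd', 'group', 'shadow', 'netgroup', 'sudoers')


def foreign_nss_sources(text):
    """Map each identity database to the NSS sources that are not local or sss.
    Anything listed here (ldap, nis, winbind, ...) is a second path to the
    directory that bypasses sssd's cache entirely."""
    found = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if ':' not in line:
            continue
        db, _, sources = line.partition(':')
        # drop [NOTFOUND=return]-style action specs before splitting sources
        srcs = re.sub(r'\[[^\]]*\]', ' ', sources).split()
        foreign = [s for s in srcs if s not in LOCAL_SOURCES]
        if db.strip() in IDENTITY_DBS and foreign:
            found[db.strip()] = foreign
    return found


def audit_sssd(text):
    """Return (section, problem) tuples for settings that defeat caching.
    Defaults assumed from sssd.conf(5): cache_credentials=false,
    cached_auth_timeout=0, entry_cache_timeout=5400."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=('=',))
    cp.read_string(text)
    problems = []
    domains = [d.strip() for d in cp.get('sssd', 'domains', fallback='').split(',')
               if d.strip()]
    for dom in domains:
        sec = f'domain/{dom}'
        if not cp.has_section(sec):
            problems.append((sec, 'listed in [sssd] domains but has no section'))
            continue
        if not cp.getboolean(sec, 'cache_credentials', fallback=False):
            problems.append((sec, 'cache_credentials is off: nothing cached '
                                  'for cached_auth_timeout to use'))
        if cp.getint(sec, 'cached_auth_timeout', fallback=0) <= 0:
            problems.append((sec, 'cached_auth_timeout is 0: every PAM '
                                  'authentication round-trips to the server'))
        if cp.getint(sec, 'entry_cache_timeout', fallback=5400) < 60:
            problems.append((sec, 'entry_cache_timeout under a minute: '
                                  'identity lookups refetch almost every time'))
    return problems


# Constructed sssd.conf modelled on the thread's first post (no auth caching).
WEAK_SSSD_CONF = """\
[domain/example.de]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.de
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_server = _srv_, ipa1.example.de

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = example.de

[nss]
homedir_substring = /home

[pam]
"""

# The same file with the settings the thread goes on to discuss.
FIXED_SSSD_CONF = WEAK_SSSD_CONF.replace(
    'cache_credentials = True\n',
    'cache_credentials = True\ncached_auth_timeout = 30\n').replace(
    '[pam]\n', '[pam]\npam_id_timeout = 30\n')

# Constructed nsswitch.conf: Debian-style defaults plus a leftover 'ldap' source.
NSSWITCH_CONF = """\
passwd:         compat sss ldap
group:          compat sss
shadow:         compat sss
hosts:          files dns
netgroup:       nis
sudoers:        files sss
"""

if __name__ == '__main__':
    print('foreign NSS sources:', foreign_nss_sources(NSSWITCH_CONF))
    for name, conf in (('weak', WEAK_SSSD_CONF), ('fixed', FIXED_SSSD_CONF)):
        print(name, audit_sssd(conf))
```

To run it against a real host, read the two files from /etc instead of the embedded samples; the checks themselves do not change.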


Re: [Freeipa-users] sssd doesn't cache, as it seems

2017-01-20 Thread Harald Dunkel
On 01/20/17 18:42, Simo Sorce wrote:
> 
> Is your server being used for authentication ?
> SSSD, by default, always refreshes user credentials on authentication,
> but you can use the cached_auth_timeout setting to relax this
> requirement in SSSD, and reduce the roundtrips for auth attempts.
> 

I have set both pam_id_timeout and cached_auth_timeout to 30.
No change, still several requests per second for each user.

???
Harri

[domain/example.de]
debug_level = 0x0370
cache_credentials = True
cached_auth_timeout = 30
krb5_store_password_if_offline = True
ipa_domain = example.de
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = tisde8i005.ac.example.de
chpass_provider = ipa
ipa_server = _srv_, ipa1.example.de
dns_discovery_domain = example.de
selinux_provider = none

[sssd]
debug_level = 0x0370
services = nss, sudo, pam, ssh
config_file_version = 2
domains = example.de

[nss]
debug_level = 0x0370
homedir_substring = /home

[pam]
pam_id_timeout = 30
debug_level = 0x0370

[sudo]

[autofs]

[ssh]
debug_level = 0x0370

[pac]

[ifp]


Re: [Freeipa-users] sssd doesn't cache, as it seems

2017-01-20 Thread Simo Sorce
On Fri, 2017-01-20 at 18:14 +0100, Harald Dunkel wrote:
> Hi folks,
> 
> I see a pretty large number of ldap requests sent by our git
> server, asking for the same account info again and again.
> Sometimes it asks 20 times per second for the same user info,
> for example.
> 
> Obviously caching doesn't work.

Is your server being used for authentication ?
SSSD, by default, always refreshes user credentials on authentication,
but you can use the cached_auth_timeout setting to relax this
requirement in SSSD, and reduce the roundtrips for auth attempts.

HTH,
Simo.

> I remember some note in the
> installation guide suggesting to turn off nscd and that sssd
> takes over this job, so I wonder wth? A recent e-mail in this
> forum suggested to set selinux_provider = none, but this
> didn't help.
> 
> Ipa server is Centos 7.3, client is on Jessie with sssd 1.13.4.
> 
> 
> sssd.conf is attached, of course. Every helpful comment is highly
> appreciated.
> 
> Harri


-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-users] sssd doesn't cache, as it seems

2017-01-20 Thread Harald Dunkel
Hi folks,

I see a pretty large number of ldap requests sent by our git
server, asking for the same account info again and again.
Sometimes it asks 20 times per second for the same user info,
for example.

Obviously caching doesn't work. I remember some note in the
installation guide suggesting to turn off nscd and that sssd
takes over this job, so I wonder wth? A recent e-mail in this
forum suggested to set selinux_provider = none, but this
didn't help.

Ipa server is Centos 7.3, client is on Jessie with sssd 1.13.4.


sssd.conf is attached, of course. Every helpful comment is highly
appreciated.

Harri
[domain/example.de]
debug_level = 0x0370
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.de
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = tisde8i005.ac.example.de
chpass_provider = ipa
ipa_server = _srv_, ipa1.example.de
dns_discovery_domain = example.de
selinux_provider = none

[sssd]
debug_level = 0x0370
services = nss, sudo, pam, ssh
config_file_version = 2
domains = example.de

[nss]
debug_level = 0x0370
homedir_substring = /home

[pam]
debug_level = 0x0370

[sudo]

[autofs]

[ssh]
debug_level = 0x0370

[pac]

[ifp]


