Re: [Freeipa-users] Another patch for ipa-sam: Excessive LDAP calls by ipa-sam during file operations

2014-03-09 Thread Jason Woods
Hi,

On 9 Mar 2014, at 19.22, Alexander Bokovoy  wrote:

> Good. I'll take that bug and will review your patch in my queue. It
> will, perhaps, take some time as I have some load with stabilization
> work for 3.3.x.
Thanks.

> Anyway, you are correct that we need a service principal to be allowed
> to access it. In FreeIPA 4.0 (former 3.4) we'll have new permission
> management system that should make these things easier and also SSSD
> 1.12 is going to give us a bit more help with Samba -- there will be
> talk by Sumit Bose at SambaXP in May.

> I also plan to make packaging easier by creating a sub-package for
> ipasam.so so that it could be installed on an IPA client, not only on a 
> server. Ideally, with a tool that sets up Samba like
> ipa-adtrust-server does, complete with creating all principals and
> permissions.

Sounds excellent, thanks. I'll look out for the talk, for sure.
If I see any other little issues I'll drop a line but all looks to be covered 
and in good hands. Keep up the good work!

Jason.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Another patch for ipa-sam: Excessive LDAP calls by ipa-sam during file operations

2014-03-09 Thread Alexander Bokovoy

On Sun, 09 Mar 2014, Jason Woods wrote:

> Hi,
> 
> A follow up from previous email regarding my patch for ipa-sam to fix
> "valid users = " group references in the samba server that comes with
> ipa-server-trust-ad.  (Found here:
> https://www.redhat.com/archives/freeipa-users/2014-March/msg00045.html
> )
> 
> I noticed that ns-slapd CPU was excessive during multi-file copies
> (like a git repository with thousands of files.) Debug level 10 logs
> showed ipa-sam was performing multiple LDAP queries per file. One for
> the user and others for the groups. Specifically in order to perform
> gid/uid<->sid lookups.
> 
> I've pre-empted and raised as a bug with a proposed patch:
> https://bugzilla.redhat.com/show_bug.cgi?id=1074314
> 
> It does a few things:
> 1. idmap caching so the ldap calls are significantly reduced
> 2. when gid lookup received for the primary user group (so where
> gid==uid), properly reflect behaviour of the initial lookup that
> happens during init by returning the Default SMB Group fallback group
> 3. don't bother ldap call for uidNumber=0 (root) - since it never will
> exist in FreeIPA according to my research
> My CPU for ns-slapd is now 0. And file copies are much better and more
> like normal.
> 
> This seems to fix all issues for me at the moment - and I guess all
> that remains to do is extra features to make it more like the ldapsam.
> It also looks like all that is needed to get the ipa-sam.so to work
> without FreeIPA master local - is to allow the service principal access
> to the ipaNTHash attribute. However, I can't see any current aci
> referring to principals at the moment or even grouping of them into
> types - probably because I'm taking the wrong thought-path - but if
> anyone would like to discuss this that would be great.

Good. I'll take that bug and will review your patch in my queue. It
will, perhaps, take some time as I have some load with stabilization
work for 3.3.x.

Anyway, you are correct that we need a service principal to be allowed
to access it. In FreeIPA 4.0 (former 3.4) we'll have new permission
management system that should make these things easier and also SSSD
1.12 is going to give us a bit more help with Samba -- there will be
talk by Sumit Bose at SambaXP in May.

I also plan to make packaging easier by creating a sub-package for
ipasam.so so that it could be installed on an IPA client, not only on
a server. Ideally, with a tool that sets up Samba like
ipa-adtrust-server does, complete with creating all principals and
permissions.

--
/ Alexander Bokovoy



[Freeipa-users] Another patch for ipa-sam: Excessive LDAP calls by ipa-sam during file operations

2014-03-09 Thread Jason Woods
Hi,

A follow up from previous email regarding my patch for ipa-sam to fix "valid 
users = " group references in the samba server that comes with 
ipa-server-trust-ad.
(Found here: 
https://www.redhat.com/archives/freeipa-users/2014-March/msg00045.html )

I noticed that ns-slapd CPU was excessive during multi-file copies (like a git 
repository with thousands of files.)
Debug level 10 logs showed ipa-sam was performing multiple LDAP queries per 
file. One for the user and others for the groups. Specifically in order to 
perform gid/uid<->sid lookups.

I've pre-empted and raised as a bug with a proposed patch:
https://bugzilla.redhat.com/show_bug.cgi?id=1074314

It does a few things:
1. idmap caching so the ldap calls are significantly reduced
2. when gid lookup received for the primary user group (so where gid==uid), 
properly reflect behaviour of the initial lookup that happens during init by 
returning the Default SMB Group fallback group
3. don't bother ldap call for uidNumber=0 (root) - since it never will exist in 
FreeIPA according to my research
My CPU for ns-slapd is now 0. And file copies are much better and more like 
normal.

This seems to fix all issues for me at the moment - and I guess all that 
remains to do is extra features to make it more like the ldapsam.
It also looks like all that is needed to get the ipa-sam.so to work without 
FreeIPA master local - is to allow the service principal access to the 
ipaNTHash attribute. However, I can't see any current aci referring to 
principals at the moment or even grouping of them into types - probably because 
I'm taking the wrong thought-path - but if anyone would like to discuss this 
that would be great.

Hope the patch helps!

Thanks,

Jason

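The three rules Jason lists (an idmap cache in front of the directory, the primary-group fallback when gid==uid, and no lookup at all for uidNumber=0), shown as an added stand-alone C example. This is not ipa-sam's or Samba's code and uses none of their APIs: the "directory" is a constructed in-memory table standing in for LDAP, every SID string and the FALLBACK_GROUP_SID value are constructed sample values, and the backend-call counter exists only so the saving in round trips can be checked. The point it illustrates is that with a cache, N files owned by the same user cost one set of lookups rather than N.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SID_LEN 64
#define CACHE_SLOTS 64

/* Constructed stand-in for the SID of the "Default SMB Group" fallback group. */
#define FALLBACK_GROUP_SID "S-1-5-21-1000-2000-3000-9999"

typedef struct { unsigned id; const char *sid; } id_entry;

/* Constructed sample directory. Each user also owns a private group with
 * gid == uid; that group has no SID of its own in this table. */
static const id_entry sample_users[] = {
    { 1001, "S-1-5-21-1000-2000-3000-1001" },
    { 1002, "S-1-5-21-1000-2000-3000-1002" },
};
static const id_entry sample_groups[] = {
    { 2000, "S-1-5-21-1000-2000-3000-2000" },
    { 2001, "S-1-5-21-1000-2000-3000-2001" },
};

static int backend_calls;   /* number of simulated LDAP round trips */

/* Simulated LDAP search, one round trip per call. type is 'U' (uid) or 'G' (gid). */
static const char *backend_find(char type, unsigned id)
{
    const id_entry *tab = (type == 'U') ? sample_users : sample_groups;
    size_t n = (type == 'U') ? sizeof sample_users / sizeof *sample_users
                             : sizeof sample_groups / sizeof *sample_groups;
    backend_calls++;
    for (size_t i = 0; i < n; i++)
        if (tab[i].id == id)
            return tab[i].sid;
    return NULL;
}

/* Fixed-size idmap cache with round-robin replacement; positive results only. */
typedef struct { bool used; char type; unsigned id; char sid[SID_LEN]; } cache_slot;
static cache_slot cache[CACHE_SLOTS];
static size_t cache_next;

static const char *cache_get(char type, unsigned id)
{
    for (size_t i = 0; i < CACHE_SLOTS; i++)
        if (cache[i].used && cache[i].type == type && cache[i].id == id)
            return cache[i].sid;
    return NULL;
}

static void cache_put(char type, unsigned id, const char *sid)
{
    cache_slot *s = &cache[cache_next];
    cache_next = (cache_next + 1) % CACHE_SLOTS;
    s->used = true;
    s->type = type;
    s->id = id;
    snprintf(s->sid, sizeof s->sid, "%s", sid);
}

void idmap_reset(void)
{
    memset(cache, 0, sizeof cache);
    cache_next = 0;
    backend_calls = 0;
}

int idmap_backend_calls(void) { return backend_calls; }

/* Resolve a uid ('U') or gid ('G') to a SID. Returns false when it is unknown. */
bool idmap_id_to_sid(char type, unsigned id, char *out, size_t outlen)
{
    const char *sid;

    /* Rule 3: uidNumber 0 never exists in the directory, so never ask for it. */
    if (type == 'U' && id == 0)
        return false;

    /* Rule 1: repeats are answered from the cache instead of LDAP. */
    sid = cache_get(type, id);
    if (sid == NULL) {
        sid = backend_find(type, id);
        /* Rule 2: a gid that is not a group but matches a user's uid is that
         * user's private group; answer with the fallback group SID, as the
         * init-time lookup does. */
        if (sid == NULL && type == 'G' && backend_find('U', id) != NULL)
            sid = FALLBACK_GROUP_SID;
        if (sid != NULL)
            cache_put(type, id, sid);
    }
    if (sid == NULL)
        return false;
    snprintf(out, outlen, "%s", sid);
    return true;
}

int main(void)
{
    char sid[SID_LEN];
    idmap_reset();
    /* Three "files" owned by the same user: only the first pass reaches the backend. */
    for (int pass = 0; pass < 3; pass++) {
        idmap_id_to_sid('U', 1001, sid, sizeof sid);
        idmap_id_to_sid('G', 1001, sid, sizeof sid);   /* private group */
        idmap_id_to_sid('G', 2000, sid, sizeof sid);
    }
    printf("backend calls for 9 lookups: %d\n", idmap_backend_calls());
    return 0;
}
```

Negative results are deliberately not cached here, so an unknown gid still costs two round trips every time; a production cache would also want a time-to-live so that a user whose SID changes is not served a stale answer indefinitely.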