Re: [Freeipa-users] SSSD Cache and Service Tickets

2017-05-16 Thread Ronald Wimmer

On 2017-05-15 21:27, Jakub Hrozek wrote:
> [...]
> On Mon, May 15, 2017 at 03:54:22PM +0200, Ronald Wimmer wrote:
>> Hi,
>>
>> I am confronted with a behaviour for which I do not have an explanation.
>>
>> I am using NFS4 Kerberos automounted homeshares and recently I got a
>> permission denied (reproducible when I restart autofs on the server I want
>> to connect to) from the Windows Domain. So here's what I tried:
>>
>> 1) Connected via PuTTY from a Windows Machine in the windows domain
>> Kerberos-based login works but I get a "Permission Denied" on my home
>> directory; klist shows no tickets
>
> No tickets at all? Not even an expired ticket?

Unfortunately no tickets.

> Does running klist in cmd.exe show anything?

Yes, it does:
-bash-4.2$ klist
klist: Credentials cache keyring 'persistent:1073895519:1073895519' not found

And again... If I connect from my linux machine (within the ipa domain), 
tickets are there:


-bash-4.2$ klist
Ticket cache: KEYRING:persistent:1073895519:1073895519
Default principal: myu...@mywindowdomain.at

Valid starting   Expires  Service principal
2017-05-16 11:29:04  2017-05-16 15:43:45  nfs/ipanfs.myipadomain...@myipadomain.at
2017-05-16 11:25:09  2017-05-16 15:43:45  krbtgt/mywindowdomain...@mywindowdomain.at

renew until 2017-05-16 15:43:45

From this point on login from windows (AD domain) does - of course - work.

Any ideas how to bring some light into this?

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] SSSD Cache and Service Tickets

2017-05-15 Thread Jakub Hrozek
First, I'm sorry if this mail is not helpful enough, I'm really just replying
to the part I'm familiar with

On Mon, May 15, 2017 at 03:54:22PM +0200, Ronald Wimmer wrote:
> Hi,
> 
> I am confronted with a behaviour for which I do not have an explanation.
> 
> I am using NFS4 Kerberos automounted homeshares and recently I got a
> permission denied (reproducible when I restart autofs on the server I want
> to connect to) from the Windows Domain. So here's what I tried:
> 
> 1) Connected via PuTTY from a Windows Machine in the windows domain
> Kerberos-based login works but I get a "Permission Denied" on my home
> directory; klist shows no tickets

No tickets at all? Not even an expired ticket?

Does running klist in cmd.exe show anything?

> 
> 2) I try to connect from a Linux machine belonging to the IPA domain
> Kerberos-based login works, I can also access my home directory;
> klist shows nfs/ipanfs.ipadomain...@ipadomain.at and the krbtgt for the
> windows domain
> 
> 3) Now - of course - using the homeshares works from both domains windows
> and ipa
> 
> 4) When I do a kdestroy on the machine, using the homeshare when logged in
> from windows still works -
> My question is WHY? Does SSSD cache the NFS ticket?

It does not. The only code in SSSD that caches anything Kerberos related
is the KRB5CCNAME variable value.

> (and why don't I get an nfs ticket when coming from the windows domain?)



[Freeipa-users] SSSD Cache and Service Tickets

2017-05-15 Thread Ronald Wimmer

Hi,

I am confronted with a behaviour for which I do not have an explanation.

I am using NFS4 Kerberos automounted homeshares and recently I got a 
permission denied (reproducible when I restart autofs on the server I 
want to connect to) from the Windows Domain. So here's what I tried:


1) Connected via PuTTY from a Windows Machine in the windows domain
Kerberos-based login works but I get a "Permission Denied" on my 
home directory; klist shows no tickets


2) I try to connect from a Linux machine belonging to the IPA domain
Kerberos-based login works, I can also access my home directory;
klist shows nfs/ipanfs.ipadomain...@ipadomain.at and the krbtgt for 
the windows domain


3) Now - of course - using the homeshares works from both domains 
windows and ipa


4) When I do a kdestroy on the machine, using the homeshare when logged 
in from windows still works -

My question is WHY? Does SSSD cache the NFS ticket?
(and why don't I get an nfs ticket when coming from the windows 
domain?)


Regards

Ronald




Re: [Freeipa-users] sssd cache

2012-12-07 Thread Natxo Asenjo
On Wed, Dec 5, 2012 at 3:29 PM, Simo Sorce  wrote:

> As a test to show why the cache is important do this:
>
> 1. Create a directory
> 2. create 100 files in this directory
> 3. chown each file to a different user and a different group each
> 4. stop sssd, wipe cache file and restart
> 5. do a ls -al of the directory
> 6. wait 10 seconds
> 7. do a second ls -al of the directory
>
> You should notice a difference in the time needed to run ls.

I am convinced ;-)

After deleting the cache it takes 43 secs to ls -la a dir. With cached
info ls -la only takes a fraction of a second.

-- 
groet,
natxo

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] sssd cache

2012-12-05 Thread Simo Sorce
On Wed, 2012-12-05 at 14:20 +0100, Natxo Asenjo wrote:
> hi,
> 
> why would I want sssd to cache group/hostgroup/netgroup membership?
> 
> Is the performance hit so huge on the ldap servers?

Yes, and not only on servers, on the client too.

> I ask this because Windows admins are used to apply membership of
> groups to objects and the changes in a single site domain (or even in
> a multisite domain with fast wan links) are replicated very fast, it
> is nearly instantaneous. So for those admins, having to wait x minutes
> for the sssd cache to expire is, to put it mildly, strange.

You can shorten the cache expiration time if you really need to, but
going on the wire for each request is what we built SSSD to actually
avoid. It is in fact not possible for SSSD to go straight to the wire.

> What are the consequences of disabling the cache with an entry like this:
> 
> entry_cache_timeout = 0

I think this would make the cache never expire actually, the opposite of
what you want to do. However you can set it to a very low value I guess,
the consequence will be that your traffic and the time needed to resolve
each entry will be higher, sometimes much higher.

> in sssd.conf?
> 
> Thanks in advance for your input.

As a test to show why the cache is important do this:

1. Create a directory
2. create 100 files in this directory
3. chown each file to a different user and a different group each
4. stop sssd, wipe cache file and restart
5. do a ls -al of the directory
6. wait 10 seconds
7. do a second ls -al of the directory

You should notice a difference in the time needed to run ls.

Now bring the cache time down to 5 seconds and repeat the above
procedure.

Feel free to report your numbers.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
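
The seven steps above as a script, added here as an example and not code from the thread. It assumes systemctl manages sssd, that the domain's cache file is /var/lib/sss/db/cache_<domain>.ldb, and that the owners file (a hypothetical input) lists one user:group pair per line, all served by SSSD.

```sh
#!/bin/sh
# Added example: cold-cache vs. warm-cache `ls -al`, following steps 1-7 above.
# Assumptions (not from the thread): systemctl manages sssd, the per-domain
# cache file is $DB_DIR/cache_<domain>.ldb, and OWNERS is a hypothetical file
# with one "user:group" pair per line, all of them resolved through SSSD.

DB_DIR=${DB_DIR:-/var/lib/sss/db}

# Milliseconds since the epoch; falls back to whole seconds where date(1)
# has no %N (the result is then a multiple of 1000).
now_ms() {
    t=$(date +%s%N 2>/dev/null)
    case $t in
        ''|*[!0-9]*) echo $(( $(date +%s) * 1000 )) ;;
        *)           echo $(( t / 1000000 )) ;;
    esac
}

# Steps 1-3: create one file per line of OWNERS and chown it to that pair.
# Prints the number of files created.
make_files() {  # make_files DIR OWNERS
    mf_dir=$1; mf_n=0
    mkdir -p "$mf_dir" || return 1
    while IFS= read -r mf_owner; do
        [ -n "$mf_owner" ] || continue
        mf_n=$((mf_n + 1))
        : > "$mf_dir/f$mf_n" || return 1
        chown "$mf_owner" "$mf_dir/f$mf_n" || return 1
    done < "$2"
    echo "$mf_n"
}

# Step 4: stop sssd, delete the cache file of one domain, start sssd again.
wipe_cache() {  # wipe_cache DOMAIN
    systemctl stop sssd || return 1
    rm -f "$DB_DIR/cache_$1.ldb"
    systemctl start sssd
}

# Steps 5 and 7: elapsed milliseconds for one `ls -al`, which has to map
# every uid and gid in the directory back to a name.
time_ls() {  # time_ls DIR
    tl_start=$(now_ms)
    ls -al "$1" > /dev/null || return 1
    tl_end=$(now_ms)
    echo $((tl_end - tl_start))
}

benchmark() {  # benchmark DIR OWNERS DOMAIN   (needs root)
    count=$(make_files "$1" "$2") || return 1
    wipe_cache "$3" || return 1
    cold=$(time_ls "$1") || return 1
    sleep 10                                  # step 6
    warm=$(time_ls "$1") || return 1
    echo "files=$count cold=${cold}ms warm=${warm}ms"
}

# Usage: sh bench.sh run /srv/bench owners.txt example.com
if [ "${1:-}" = run ]; then
    shift
    benchmark "$@"
fi
```

For the second half of the test, lower the cache time for the domain in sssd.conf to 5 seconds and run the script again.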



Re: [Freeipa-users] sssd cache

2012-12-05 Thread Jakub Hrozek
On Wed, Dec 05, 2012 at 03:19:51PM +0100, Natxo Asenjo wrote:
> On Wed, Dec 5, 2012 at 3:11 PM, Jakub Hrozek  wrote:
> > On Wed, Dec 05, 2012 at 02:20:40PM +0100, Natxo Asenjo wrote:
> >> hi,
> >>
> >> why would I want sssd to cache group/hostgroup/netgroup membership?
> >>
> >> Is the performance hit so huge on the ldap servers?
> >>
> >> I ask this because Windows admins are used to apply membership of
> >> groups to objects and the changes in a single site domain (or even in
> >> a multisite domain with fast wan links) are replicated very fast, it
> >> is nearly instantaneous. So for those admins, having to wait x minutes
> >> for the sssd cache to expire is, to put it mildly, strange.
> >>
> >> What are the consequences of disabling the cache with an entry like this:
> >>
> >> entry_cache_timeout = 0
> >>
> >> in sssd.conf?
> >>
> >> Thanks in advance for your input.
> >
> > Feel free to tune down the cache timeout, it should just work. Speed
> > benefits depend on your configuration, I guess. With large group
> > memberships, the speed benefit of caching is quite visible.
> >
> > However, is it really that necessary to see the group memberships
> > updated with "id" for instance? One reason is that during login, the SSS
> > never just consults the cache, but always e.g. fetches the
> > group list for the initgroups operation for the server to make sure that
> > access control mechanisms have the latest group memberships available.
> 
> is this the case too for hostgroups? I am bootstrapping an
> infrastructure with ipa and cfengine and I am seeing that it caches
> the hostgroups/netgroups information, so when I join a host to the ipa
> realm, I need to empty the netgroup cache or it will take 90 minutes
> to apply configs from cfengine based on netgroup info.
> 

No, I'm afraid you'd hit the cache here. But in this case, as hostgroups
are translated to netgroups and looked up as netgroups, you can use a
separate timeout for netgroups only. See the parameter
entry_cache_netgroup_timeout in man sssd.conf.

> > So while lookups that only go through the Name Service Switch, such as
> > getent or id might display outdated information for some limited period
> > of time, authentication should never allow or deny access based on
> > obsolete cached data.
> 
> well, this is apparently the case for me. I use the netgroup database
> from nss, so it is caching.

Right..



Re: [Freeipa-users] sssd cache

2012-12-05 Thread Natxo Asenjo
On Wed, Dec 5, 2012 at 3:11 PM, Jakub Hrozek  wrote:
> On Wed, Dec 05, 2012 at 02:20:40PM +0100, Natxo Asenjo wrote:
>> hi,
>>
>> why would I want sssd to cache group/hostgroup/netgroup membership?
>>
>> Is the performance hit so huge on the ldap servers?
>>
>> I ask this because Windows admins are used to apply membership of
>> groups to objects and the changes in a single site domain (or even in
>> a multisite domain with fast wan links) are replicated very fast, it
>> is nearly instantaneous. So for those admins, having to wait x minutes
>> for the sssd cache to expire is, to put it mildly, strange.
>>
>> What are the consequences of disabling the cache with an entry like this:
>>
>> entry_cache_timeout = 0
>>
>> in sssd.conf?
>>
>> Thanks in advance for your input.
>
> Feel free to tune down the cache timeout, it should just work. Speed
> benefits depend on your configuration, I guess. With large group
> memberships, the speed benefit of caching is quite visible.
>
> However, is it really that necessary to see the group memberships
> updated with "id" for instance? One reason is that during login, the SSS
> never just consults the cache, but always e.g. fetches the
> group list for the initgroups operation for the server to make sure that
> access control mechanisms have the latest group memberships available.

is this the case too for hostgroups? I am bootstrapping an
infrastructure with ipa and cfengine and I am seeing that it caches
the hostgroups/netgroups information, so when I join a host to the ipa
realm, I need to empty the netgroup cache or it will take 90 minutes
to apply configs from cfengine based on netgroup info.

> So while lookups that only go through the Name Service Switch, such as
> getent or id might display outdated information for some limited period
> of time, authentication should never allow or deny access based on
> obsolete cached data.

well, this is apparently the case for me. I use the netgroup database
from nss, so it is caching.

Thanks,

natxo



Re: [Freeipa-users] sssd cache

2012-12-05 Thread Jakub Hrozek
On Wed, Dec 05, 2012 at 02:20:40PM +0100, Natxo Asenjo wrote:
> hi,
> 
> why would I want sssd to cache group/hostgroup/netgroup membership?
> 
> Is the performance hit so huge on the ldap servers?
> 
> I ask this because Windows admins are used to apply membership of
> groups to objects and the changes in a single site domain (or even in
> a multisite domain with fast wan links) are replicated very fast, it
> is nearly instantaneous. So for those admins, having to wait x minutes
> for the sssd cache to expire is, to put it mildly, strange.
> 
> What are the consequences of disabling the cache with an entry like this:
> 
> entry_cache_timeout = 0
> 
> in sssd.conf?
> 
> Thanks in advance for your input.

Feel free to tune down the cache timeout, it should just work. Speed
benefits depend on your configuration, I guess. With large group
memberships, the speed benefit of caching is quite visible.

However, is it really that necessary to see the group memberships
updated with "id" for instance? One reason is that during login, the SSS
never just consults the cache, but always e.g. fetches the
group list for the initgroups operation for the server to make sure that
access control mechanisms have the latest group memberships available.

So while lookups that only go through the Name Service Switch, such as
getent or id might display outdated information for some limited period
of time, authentication should never allow or deny access based on
obsolete cached data.



Re: [Freeipa-users] sssd cache

2012-12-05 Thread Dmitri Pal
On 12/05/2012 08:20 AM, Natxo Asenjo wrote:
> hi,
>
> why would I want sssd to cache group/hostgroup/netgroup membership?

Going to the server for every identity lookup is very expensive and
creates a lot of traffic.
Some level of caching is needed to avoid unnecessary lookups. NSCD has
been filling these shoes but SSSD does not work with NSCD. In 1.9 we
added a similar fast cache on top of the SSSD caching. It is useful for
the cases when OS level applications (and many of them do) do identity
related lookups multiple times per second.
It is up to your environment to decide for how long it makes sense to cache.
Several seconds is probably a reasonable balance.

>
> Is the performance hit so huge on the ldap servers?
>
> I ask this because Windows admins are used to apply membership of
> groups to objects and the changes in a single site domain (or even in
> a multisite domain with fast wan links) are replicated very fast, it
> is nearly instantaneous. So for those admins, having to wait x minutes
> for the sssd cache to expire is, to put it mildly, strange.
>
> What are the consequences of disabling the cache with an entry like this:
>
> entry_cache_timeout = 0

I think you would significantly increase the response time and network
traffic but I would leave to experts to confirm.

>
> in sssd.conf?
>
> Thanks in advance for your input.
>
> --
> Groeten,
> natxo
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] sssd cache

2012-11-16 Thread Natxo Asenjo
On Fri, Nov 16, 2012 at 3:00 PM, Stephen Gallagher  wrote:

> Two points here. 1) sss_cache is moving to the main package in RHEL 6.4, so
> you won't have to install the separate sssd-tools package for it. 2) You
> might also look at the manpage for entry_cache_netgroup_timeout. If you want
> to have a shorter timeout period for netgroups, you can set it individually
> (starting with SSSD 1.8.0, IIRC). I'd suggest not setting it shorter than
> 10s for performance reasons though.

Thanks for the info. So the default entry_cache_timeout for all
operations is 5400 seconds (90 minutes) and after that it queries
again. Good to know.

-- 
groet,
natxo
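
A check for the timeouts discussed in this message, added as an example (not from the thread or from SSSD): it reports, per domain section of an sssd.conf, how long netgroup data may be served from cache. The 5400 second default and the 10 second floor come from the messages above; the fallback of entry_cache_netgroup_timeout to entry_cache_timeout is from sssd.conf(5); the sample file and its domain names are constructed.

```sh
#!/bin/sh
# Added example: effective SSSD cache timeouts per [domain/...] section.
# A value of 0 is flagged for review because the replies in this thread are
# not sure what it does.

# Prints "<domain> entry=<s> netgroup=<s> <note>" for each domain section.
audit_sssd_timeouts() {  # audit_sssd_timeouts FILE   ("-" reads stdin)
    awk '
    function report(   note) {
        if (dom == "") return
        if (ng == "") ng = entry          # unset: inherits entry_cache_timeout
        note = "ok"
        if (entry + 0 == 0 || ng + 0 == 0) note = "zero-review"
        else if (ng + 0 < 10) note = "netgroup-below-10s"
        printf "%s entry=%s netgroup=%s %s\n", dom, entry, ng, note
    }
    /^[ \t]*[#;]/ { next }                # comment lines
    /^[ \t]*\[/ {                         # any section header ends the last one
        report()
        dom = ""; entry = 5400; ng = ""   # 5400 s is the default entry timeout
        line = $0; gsub(/[ \t]/, "", line)
        if (line ~ /^\[domain\/.+\]$/) dom = substr(line, 9, length(line) - 9)
        next
    }
    dom != "" {                           # key = value inside a domain section
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "entry_cache_timeout") entry = val
        else if (key == "entry_cache_netgroup_timeout") ng = val
    }
    END { report() }
    ' "$1"
}

# Constructed sample configuration (domain names are placeholders).
sample_conf() {
    cat <<'EOF'
[sssd]
services = nss, pam
domains = example.com, lab.example.com, stage.example.com, test.example.com

[domain/example.com]
id_provider = ipa
# no cache settings: defaults apply

[domain/lab.example.com]
id_provider = ipa
entry_cache_timeout = 600
entry_cache_netgroup_timeout = 5

[domain/stage.example.com]
id_provider = ipa
entry_cache_netgroup_timeout = 60

[domain/test.example.com]
entry_cache_timeout = 0
EOF
}

# With a path argument, audit that file; otherwise audit the sample.
if [ $# -gt 0 ]; then
    audit_sssd_timeouts "$1"
else
    sample_conf | audit_sssd_timeouts -
fi
```

The netgroup figure is the window during which an NSS consumer such as the cfengine setup described in this thread can still see old hostgroup membership.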



Re: [Freeipa-users] sssd cache

2012-11-16 Thread Arpit Tolani
Hello

On Fri, Nov 16, 2012 at 7:22 PM, Natxo Asenjo  wrote:
> hi,
>
> when running getent netgroup  I get old entries.
> Apparently sssd is being helpful :-) and caching info, but it should
> not do it when I am connected to the domain (IMHO).
>
> According to 
> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-cache.html
> I can clean records with sss_cache, but this command is not available.
>
> Running yum whatprovides "*/sss_cache" finds nothing either.
>
sss_cache is shipped with the sssd-tools package, which can be found in the
Red Hat Enterprise Linux Server optional or EPEL optional repository.
I guess we have a bugzilla opened to move the sssd-tools package into the
base channel; as of now you can download it from the optional channel.

> I ended up wiping the cache and restarting the sssd daemon to have it
> working, but there should be another way I have missed. Do you have
> any ideas?
>
> TIA.
> --
> Groeten,
> natxo
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Regards
Arpit Tolani



Re: [Freeipa-users] sssd cache

2012-11-16 Thread Stephen Gallagher

On Fri 16 Nov 2012 08:56:59 AM EST, Natxo Asenjo wrote:
> On Fri, Nov 16, 2012 at 2:52 PM, Natxo Asenjo  wrote:
>> hi,
>>
>> when running getent netgroup  I get old entries.
>> Apparently sssd is being helpful :-) and caching info, but it should
>> not do it when I am connected to the domain (IMHO).
>>
>> According to
>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-cache.html
>> I can clean records with sss_cache, but this command is not available.
>
> ahem ...
>
> this is in sssd-tools, which is in the 2nd dvd iso which is not in my
> local mirror (just the first one). Sorry for the noise.



Two points here. 1) sss_cache is moving to the main package in RHEL 
6.4, so you won't have to install the separate sssd-tools package for 
it. 2) You might also look at the manpage for 
entry_cache_netgroup_timeout. If you want to have a shorter timeout 
period for netgroups, you can set it individually (starting with SSSD 
1.8.0, IIRC). I'd suggest not setting it shorter than 10s for 
performance reasons though.




Re: [Freeipa-users] sssd cache

2012-11-16 Thread Natxo Asenjo
On Fri, Nov 16, 2012 at 2:52 PM, Natxo Asenjo  wrote:
> hi,
>
> when running getent netgroup  I get old entries.
> Apparently sssd is being helpful :-) and caching info, but it should
> not do it when I am connected to the domain (IMHO).
>
> According to 
> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-cache.html
> I can clean records with sss_cache, but this command is not available.

ahem ...

this is in sssd-tools, which is in the 2nd dvd iso which is not in my
local mirror (just the first one). Sorry for the noise.

-- 
groet,
natxo



[Freeipa-users] sssd cache

2012-11-16 Thread Natxo Asenjo
hi,

when running getent netgroup  I get old entries.
Apparently sssd is being helpful :-) and caching info, but it should
not do it when I am connected to the domain (IMHO).

According to 
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-cache.html
I can clean records with sss_cache, but this command is not available.

Running yum whatprovides "*/sss_cache" finds nothing either.

I ended up wiping the cache and restarting the sssd daemon to have it
working, but there should be another way I have missed. Do you have
any ideas?

TIA.
--
Groeten,
natxo



Re: [Freeipa-users] SSSD Cache

2010-06-30 Thread Dan Scott
Thanks for the response.

On Tue, Jun 29, 2010 at 18:57, Simo Sorce  wrote:
> SSSD will update the cache on any login that goes through PAM.
>
> Do you need a way to refresh specific user information it logs in ?

Well I was looking to specifically refresh the groups that a user
belonged to - I kept trying and even after 24hrs, the old information
was still being returned.

> If so, at the moment you can reset the cache by stopping SSSD and
> deleting the appropriate file in /var/lib/sss/db and restarting SSSD.
> The db file to be deleted has the domain name (as used in the sssd.conf
> section tag) in the file name.

This has worked, now the client reports that user belongs to the
correct groups. It also appears to correctly refresh the cache when I
login. I have added and removed my user from a few groups and this is
correctly reflected by the results of the 'id' command.

Maybe the cache was corrupted?

Thanks,

Dan



Re: [Freeipa-users] SSSD Cache

2010-06-30 Thread Simo Sorce
On Wed, 30 Jun 2010 15:39:48 -0400
Dan Scott  wrote:

> This has worked, now the client reports that user belongs to the
> correct groups. It also appears to correctly refresh the cache when I
> login. I have added and removed my user from a few groups and this is
> correctly reflected by the results of the 'id' command.

Ok this is the expected behavior.

> Maybe the cache was corrupted?

Unlikely, maybe your SSSD went offline and wasn't able to get back
online for some reason until you restarted it ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] SSSD Cache

2010-06-29 Thread Dmitri Pal
Simo Sorce wrote:
> On Tue, 29 Jun 2010 16:51:39 -0400
> Dan Scott  wrote:
>
>   
>> Hi,
>>
>> I'm using Fedora 13 with the new SSSD daemon (Which conflicts with the
>> old nscd daemon). Does anyone know how to clear the cache of this
>> service?
>>
>> I've added a user to a few groups and "id username" shows the correct
>> groups on the FreeIPA server, but not on my client machine. I used to
>> run "/etc/init.d/nscd reload" for nscd, but this does not appear to
>> work for sssd.
>>
>> I've read through the SSSD howto:
>>
>> https://fedorahosted.org/sssd/wiki/HOWTO_Configure_1_0_2
>>
>> but this does not mention clearing the cache - only how to set the
>> cache timeouts.
>> 
>
> Dan,
> SSSD will update the cache on any login that goes through PAM.
>
> Do you need a way to refresh specific user information it logs in ?
>
> If so, at the moment you can reset the cache by stopping SSSD and
> deleting the appropriate file in /var/lib/sss/db and restarting SSSD.
> The db file to be deleted has the domain name (as used in the sssd.conf
> section tag) in the file name.
>
> Simo.
>
>   
... and we already have a ticket to add this procedure to the documentation.

-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.





Re: [Freeipa-users] SSSD Cache

2010-06-29 Thread Simo Sorce
On Tue, 29 Jun 2010 16:51:39 -0400
Dan Scott  wrote:

> Hi,
> 
> I'm using Fedora 13 with the new SSSD daemon (Which conflicts with the
> old nscd daemon). Does anyone know how to clear the cache of this
> service?
> 
> I've added a user to a few groups and "id username" shows the correct
> groups on the FreeIPA server, but not on my client machine. I used to
> run "/etc/init.d/nscd reload" for nscd, but this does not appear to
> work for sssd.
> 
> I've read through the SSSD howto:
> 
> https://fedorahosted.org/sssd/wiki/HOWTO_Configure_1_0_2
> 
> but this does not mention clearing the cache - only how to set the
> cache timeouts.

Dan,
SSSD will update the cache on any login that goes through PAM.

Do you need a way to refresh specific user information it logs in ?

If so, at the moment you can reset the cache by stopping SSSD and
deleting the appropriate file in /var/lib/sss/db and restarting SSSD.
The db file to be deleted has the domain name (as used in the sssd.conf
section tag) in the file name.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-users] SSSD Cache

2010-06-29 Thread Dan Scott
Hi,

I'm using Fedora 13 with the new SSSD daemon (Which conflicts with the
old nscd daemon). Does anyone know how to clear the cache of this
service?

I've added a user to a few groups and "id username" shows the correct
groups on the FreeIPA server, but not on my client machine. I used to
run "/etc/init.d/nscd reload" for nscd, but this does not appear to
work for sssd.

I've read through the SSSD howto:

https://fedorahosted.org/sssd/wiki/HOWTO_Configure_1_0_2

but this does not mention clearing the cache - only how to set the
cache timeouts.

Thanks,

Dan
