Re: [Freeipa-users] Why would /etc/passwd get skipped?

2014-05-22 Thread Simo Sorce
On Thu, 2014-05-22 at 12:47 -0400, Bret Wortman wrote:
> If this line is in /etc/nsswitch.conf:
> 
> passwd: files sss
> 
> Why would the user account from IPA get used when an identical one
> exists in /etc/passwd? We can tell because of some additional groups
> granted when authentication comes from IPA.
> 
> If I shut down sssd, then login proceeds through /etc/passwd as
> expected, but as soon as I restart sssd, this behavior starts again.
> It's almost as if nsswitch.conf is being ignored or read
> right-to-left.
> 
> Just another oddity I uncovered on one system as I was troubleshooting
> a particularly long ssh localhost and trying to rule things out.
 

The initgroups call (done at authentication to find what groups a user
is member of) by default traverses all databases, so if the same
username is found in multiple databases the groups are added as well.

There is actually a way to change this behavior, although it usually
causes more issues than it resolves.

You could try with: initgroups: files sss

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Why would /etc/passwd get skipped?

2014-05-22 Thread Bret Wortman
A. Then it's probably not the source of my performance problem. I
know when I shut down SSSD, that user's ssh times speed up incredibly.

Bret

On 05/22/2014 01:06 PM, Simo Sorce wrote:
> On Thu, 2014-05-22 at 12:47 -0400, Bret Wortman wrote:
> > If this line is in /etc/nsswitch.conf:
> > 
> > passwd: files sss
> > 
> > Why would the user account from IPA get used when an identical one
> > exists in /etc/passwd? We can tell because of some additional groups
> > granted when authentication comes from IPA.
> > 
> > If I shut down sssd, then login proceeds through /etc/passwd as
> > expected, but as soon as I restart sssd, this behavior starts again.
> > It's almost as if nsswitch.conf is being ignored or read
> > right-to-left.
> > 
> > Just another oddity I uncovered on one system as I was troubleshooting
> > a particularly long ssh localhost and trying to rule things out.
> 
> The initgroups call (done at authentication to find what groups a user
> is member of) by default traverses all databases, so if the same
> username is found in multiple databases the groups are added as well.
> 
> There is actually a way to change this behavior, although it usually
> causes more issues than it resolves.
> 
> You could try with: initgroups: files sss
> 
> Simo.


Re: [Freeipa-users] Why would /etc/passwd get skipped?

2014-05-22 Thread Simo Sorce
On Thu, 2014-05-22 at 13:12 -0400, Bret Wortman wrote:
> A. Then it's probably not the source of my performance problem. I
> know when I shut down SSSD, that user's ssh times speed up incredibly.

This makes me think it *is* initgroups, as it normally will hit sssd
even for non-sssd owned users.

But the issue here clearly is that sssd is slow for you, bad network?

Simo.

> Bret
> 
> On 05/22/2014 01:06 PM, Simo Sorce wrote:
> > On Thu, 2014-05-22 at 12:47 -0400, Bret Wortman wrote:
> > > If this line is in /etc/nsswitch.conf:
> > > 
> > > passwd: files sss
> > > 
> > > Why would the user account from IPA get used when an identical one
> > > exists in /etc/passwd? We can tell because of some additional groups
> > > granted when authentication comes from IPA.
> > > 
> > > If I shut down sssd, then login proceeds through /etc/passwd as
> > > expected, but as soon as I restart sssd, this behavior starts again.
> > > It's almost as if nsswitch.conf is being ignored or read
> > > right-to-left.
> > > 
> > > Just another oddity I uncovered on one system as I was troubleshooting
> > > a particularly long ssh localhost and trying to rule things out.
> > 
> > The initgroups call (done at authentication to find what groups a user
> > is member of) by default traverses all databases, so if the same
> > username is found in multiple databases the groups are added as well.
> > 
> > There is actually a way to change this behavior, although it usually
> > causes more issues than it resolves.
> > 
> > You could try with: initgroups: files sss
> > 
> > Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Why would /etc/passwd get skipped?

2014-05-22 Thread Bret Wortman
Yep, that initgroups change had the same effect as shutting down sssd,
but without inconveniencing all the IPA-only users.

The problem in this particular case was made worse by a lot of network
latency, but even on network segments local to the ipa masters, it's
taking seconds to authenticate. This will help out the local accounts,
at least. Now to keep working on those that aren't local.

Thanks for that tip, Simo!

On 05/22/2014 01:15 PM, Simo Sorce wrote:
> On Thu, 2014-05-22 at 13:12 -0400, Bret Wortman wrote:
> > A. Then it's probably not the source of my performance problem. I
> > know when I shut down SSSD, that user's ssh times speed up incredibly.
> 
> This makes me think it *is* initgroups, as it normally will hit sssd
> even for non-sssd owned users.
> 
> But the issue here clearly is that sssd is slow for you, bad network?
> 
> Simo.
> 
> > Bret
> > 
> > On 05/22/2014 01:06 PM, Simo Sorce wrote:
> > > On Thu, 2014-05-22 at 12:47 -0400, Bret Wortman wrote:
> > > > If this line is in /etc/nsswitch.conf:
> > > > 
> > > > passwd: files sss
> > > > 
> > > > Why would the user account from IPA get used when an identical one
> > > > exists in /etc/passwd? We can tell because of some additional groups
> > > > granted when authentication comes from IPA.
> > > > 
> > > > If I shut down sssd, then login proceeds through /etc/passwd as
> > > > expected, but as soon as I restart sssd, this behavior starts again.
> > > > It's almost as if nsswitch.conf is being ignored or read
> > > > right-to-left.
> > > > 
> > > > Just another oddity I uncovered on one system as I was troubleshooting
> > > > a particularly long ssh localhost and trying to rule things out.
> > > 
> > > The initgroups call (done at authentication to find what groups a user
> > > is member of) by default traverses all databases, so if the same
> > > username is found in multiple databases the groups are added as well.
> > > 
> > > There is actually a way to change this behavior, although it usually
> > > causes more issues than it resolves.
> > > 
> > > You could try with: initgroups: files sss
> > > 
> > > Simo.


Re: [Freeipa-users] Why would /etc/passwd get skipped?

2014-05-22 Thread Jakub Hrozek
On Thu, May 22, 2014 at 01:22:28PM -0400, Bret Wortman wrote:
> Yep, that initgroups change had the same effect as shutting down
> sssd, but without inconveniencing all the IPA-only users.
> 
> The problem in this particular case was made worse by a lot of
> network latency, but even on network segments local to the ipa
> masters, it's taking seconds to authenticate. This will help out the
> local accounts, at least. Now to keep working on those that aren't
> local.
> 
> Thanks for that tip, Simo!

Just as an additional tip for anyone else following this thread -- if
you want to ignore certain local users from being queried in the SSSD
backends, you can use the filter_users/filter_groups options. Their
value defaults to 'root' so that we never fetch the root account from
LDAP, but for example on my system I also include the 'pulse-rt' user.

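An added illustration, not code from this thread, glibc or SSSD: a small Python model of the two lookups Simo contrasts (the passwd lookup that stops at the first source, versus the initgroups pass that merges groups from every source unless an explicit `initgroups:` line is present) together with the sssd `filter_users` behaviour Jakub describes. The login `bret`, the account data and the group names are constructed, and bracketed nsswitch action modifiers are not modelled.

```python
# Added example, not code from the thread: a toy model of two NSS lookups.
# "passwd" stops at the first source that knows the user, while the
# supplementary-group pass (initgroups) merges every source listed for
# "group" unless an explicit "initgroups:" line is present, in which case
# the first source that answers wins. Accounts and groups are constructed.
FILES = {"passwd": {"bret"}, "groups": {"bret": {"wheel"}}}
SSS = {"passwd": {"bret", "ipauser"},
       "groups": {"bret": {"ipausers", "admins"}, "ipauser": {"ipausers"}}}
SOURCES = {"files": FILES, "sss": SSS}


def parse_nsswitch(text):
    """Return {database: [source, ...]}; bracketed action tokens are
    not modelled, so keep them out of the input."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, srcs = line.split(":", 1)
            conf[db.strip()] = srcs.split()
    return conf


def getpwnam(conf, user, filter_users=frozenset({"root"})):
    """passwd lookup: the first source that knows the user wins."""
    for src in conf.get("passwd", ["files"]):
        if src == "sss" and user in filter_users:
            continue  # sssd filter_users: the backend is never asked
        if user in SOURCES[src]["passwd"]:
            return src
    return None


def initgroups(conf, user, filter_users=frozenset({"root"})):
    """Return (sources queried, merged supplementary groups)."""
    explicit = "initgroups" in conf
    srcs = conf["initgroups"] if explicit else conf.get("group", ["files"])
    queried, groups = [], set()
    for src in srcs:
        if src == "sss" and user in filter_users:
            continue
        queried.append(src)
        found = SOURCES[src]["groups"].get(user)
        if found is None:
            continue  # NOTFOUND: try the next source either way
        groups |= found
        if explicit:
            break  # SUCCESS on an explicit initgroups: line stops here
    return queried, groups
```

With only `passwd: files sss` and `group: files sss`, `initgroups(conf, "bret")` queries both sources and returns wheel plus the IPA groups; adding `initgroups: files sss` stops at files for the local account, while an IPA-only login still resolves through sss.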