> Hi Jean-Baptiste, Hi Jakub,
> From the snippets you sent it indeed seems the UID is searched for. But
> after one such search, the entry should be cached in the negative cache
> and no requests towards the backend should be issued. Is it not the
> case?

From my point of view it is not. Here is a simple version of what I'm observing (I can reproduce it):

From the client:

client $ getent passwd 1047

From the client, in another terminal:

client $ tail -f /var/log/sssd/sssd_nss.log
(Wed Sep 18 13:20:35 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Sep 18 13:20:35 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Sep 18 13:20:35 2013) [sssd[nss]] [nss_cmd_getpwuid_search] (0x0040): No matching domain found for [1047], fail!
(Wed Sep 18 13:20:35 2013) [sssd[nss]] [client_recv] (0x0200): Client disconnected!

On the ldap server (one line per sssd domain):

ldapserver $ tail -f /var/log/openldap/slapd.log|grep "uidNumber=1047"|grep 1047
Sep 18 13:22:00 pantero slapd[31421]: conn=387670 op=5 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(uidNumber=1047)(objectClass=posixAccount))"
Sep 18 13:22:00 pantero slapd[31421]: conn=387671 op=5 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(uidNumber=1047)(objectClass=posixAccount))"

Each time I issue a "getent passwd 1047" I've got those entries in the log.

> btw for your case you might want to either increase the negative timeout
> a bit or,

Indeed. I just wanted to be explicit in the configuration to be sure of what I was testing.

> if the list of unresolvable UIDs is not long, filter them out
> directly:
> filter_users = root, 1047

Unfortunately, I don't know them in advance.

Some precision: CentOS 6.4 with sssd 1.9.2.
Here is my sssd.conf:

[sssd]
config_file_version = 2
services = nss, pam
domains = home, ldap_home

[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
override_shell = /bin/bash
entry_negative_timeout = 15
debug_level = 0x02F0

[pam]

[domain/home]
override_homedir = /home/%u
# comma separated list of users you want to honor their ldap homeDirectory (fallback to ldap_home)
# filter_users = test
ldap_tls_reqcert = demand
auth_provider = ldap
ldap_schema = rfc2307
ldap_search_base = ou=users,dc=example,dc=com
ldap_group_search_base = ou=groups,dc=example,dc=com
id_provider = ldap
ldap_id_use_start_tls = True
# We do not authorize password change
chpass_provider = none
ldap_uri = ldap://ldap.example.com/
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/certs
ldap_network_timeout = 3
# getent passwd will only list /etc/passwd, but id or getent passwd login will query ldap
#enumerate = True
ldap_page_size = 500
debug_level = 0x02F0

# exactly the same as domain/home, without the override_homedir
# and the filter_users directive
[domain/ldap_home]
ldap_tls_reqcert = demand
auth_provider = ldap
ldap_schema = rfc2307
ldap_search_base = ou=users,dc=example,dc=com
ldap_group_search_base = ou=groups,dc=example,dc=com
id_provider = ldap
ldap_id_use_start_tls = True
# We do not authorize password change
chpass_provider = none
ldap_uri = ldap://ldap.example.com/
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/certs
ldap_network_timeout = 3
# getent passwd will only list /etc/passwd, but id or getent passwd login will query ldap
#enumerate = True
ldap_page_size = 500
debug_level = 0x02F0

_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
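Added example, not code from the thread or from the sssd project: a small Python script that applies the check discussed in the mail to slapd log lines, counting how many by-uidNumber searches reach the backend per "getent" run and flagging repeat batches that arrive inside entry_negative_timeout (lookups the negative cache should have answered). The log lines and their timestamps are constructed after the ones quoted above; the timeout of 15 seconds and the two-domain fan-out are taken from the sssd.conf in the mail.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# From the sssd.conf in the mail: [nss] entry_negative_timeout, and "domains = home, ldap_home"
NEGATIVE_TIMEOUT = 15
DOMAINS = 2

# slapd SRCH line for a lookup by uidNumber, in the format quoted in the mail
SRCH_RE = re.compile(r'^(?P<ts>\w{3} +\d+ [\d:]{8}) .* SRCH .*filter="\(&\(uidNumber=(?P<uid>\d+)\)')

# Constructed slapd lines: three "getent passwd 1047" runs (13:22:00, 13:22:05, 13:22:40),
# each fanned out to both domains, plus one result line that must be ignored.
SEARCH = ('SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 '
          'filter="(&(uidNumber=1047)(objectClass=posixAccount))"')
SAMPLE_LOG = [
    f"Sep 18 13:22:00 pantero slapd[31421]: conn=387670 op=5 {SEARCH}",
    f"Sep 18 13:22:00 pantero slapd[31421]: conn=387671 op=5 {SEARCH}",
    "Sep 18 13:22:00 pantero slapd[31421]: conn=387670 op=5 SEARCH RESULT tag=101 err=0 nentries=0 text=",
    f"Sep 18 13:22:05 pantero slapd[31421]: conn=387670 op=6 {SEARCH}",
    f"Sep 18 13:22:05 pantero slapd[31421]: conn=387671 op=6 {SEARCH}",
    f"Sep 18 13:22:40 pantero slapd[31421]: conn=387670 op=7 {SEARCH}",
    f"Sep 18 13:22:40 pantero slapd[31421]: conn=387671 op=7 {SEARCH}",
]

def parse_searches(lines, year=2013):
    """Yield (uid, timestamp) per uidNumber search; syslog lines carry no year, so one is supplied."""
    for line in lines:
        m = SRCH_RE.match(line)
        if m:
            yield int(m["uid"]), datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")

def negative_cache_report(lines, timeout=NEGATIVE_TIMEOUT, domains=DOMAINS):
    """Per UID: lookup batches seen, how many reached LDAP inside the negative timeout
    (the cache should have answered those), and whether fan-out stayed at one search per domain."""
    per_uid = defaultdict(list)
    for uid, ts in parse_searches(lines):
        per_uid[uid].append(ts)
    report = {}
    for uid, stamps in per_uid.items():
        batches = []  # searches within one second of each other are one getent fanned out
        for ts in sorted(stamps):
            if batches and ts - batches[-1][0] < timedelta(seconds=1):
                batches[-1].append(ts)
            else:
                batches.append([ts])
        early = sum(b[0] - a[0] < timedelta(seconds=timeout) for a, b in zip(batches, batches[1:]))
        report[uid] = {"batches": len(batches), "too_early": early,
                       "fanout_ok": all(len(b) <= domains for b in batches)}
    return report
```

A non-zero too_early count for a UID that the nss log reports as "No matching domain found" is the symptom described in the mail; a batch larger than the number of configured domains would instead point at duplicate requests from the client side.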
