On Thu, Jan 22, 2015 at 09:05:40PM +0100, Lukas Slebodnik wrote:
> On (22/01/15 12:11), Orion Poplawski wrote:
> >On 01/22/2015 09:00 AM, Lukas Slebodnik wrote:
> >> On (21/01/15 11:22), Orion Poplawski wrote:
> >>> On 01/06/2015 05:06 PM, Orion Poplawski wrote:
> >>>> We're having some trouble with sssd on centos 7 under load on a VPS.
> >>>> 389ds ldap server for id/auth. Part may be an issue with the VPS,
> >>>> but I'm trying to track down all possible issues.
> >>>>
> >>>> Also, we realized that we were running in a bit of a bad state - the
> >>>> primary ldap server was not available, but the backup was.
> >>>
> >>>> Trouble:
> >>>> (Tue Jan 6 22:30:31 2015) [sssd[be[default]]] [sss_ldap_init_sys_connect_done] (0x0020): sdap_async_sys_connect request failed.
> >>>> (Tue Jan 6 22:30:31 2015) [sssd[be[default]]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed.
> >>>
> >>> I ended up filing https://fedorahosted.org/sssd/ticket/2562 as it seems
> >>> like sssd's handling of the ldap connection is not ideal.
> >>>
> >> I checked the strace log file and I can confirm you are right.
> >> But I have no idea how to reproduce or fix it.
> >> Output from strace is not sufficient.
> >>
> >> We would need to see sssd log files with a high debug_level.
> >> You mentioned the most problematic part of the VPS is I/O.
> >> So increasing debug_level can just complicate the situation.
> >
> >I'll see what I can do.
> >
> >> I can just give you some advice about the *sync calls you mentioned in
> >> the ticket.
> >>
> >> It is not visible in the strace log, but fdatasync() and msync() are used
> >> on the file descriptor of the sssd cache (/var/lib/sss/db/cache_*.ldb).
> >> They are used in ldb/tdb for transactions.
> >>
> >> If you do not need offline authentication you can mount tmpfs to
> >> directory /var/lib/sss/db/.
> >>
> >> tmpfs /var/lib/sss/db/ tmpfs size=300M,mode=0700,noauto,rootcontext=system_u:object_r:sssd_var_lib_t:s0 0 0
> >
> >That is a good idea, thanks. Offline auth should work though unless the
> >machine got rebooted, correct?
> Yes,
> I have a correlation in my mind between offline authentication and the use
> case on a laptop, and it is usual to reboot a laptop.
>
> To be precise, offline authentication (pam) is not enabled by default
> @see man sssd.conf -> cache_credentials

Please note the cache must be primed with the password hash while online before you can authenticate offline :-)
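
An added example, not part of the original thread: a small Python check for the trade-off discussed above. It flags domains where cache_credentials is enabled in sssd.conf while /var/lib/sss/db is mounted on tmpfs, which means cached password hashes are lost at every reboot. The sample sssd.conf and mount table are constructed, and the function names are hypothetical.

```python
import configparser

DB_DIR = "/var/lib/sss/db"  # SSSD cache directory named in the thread

# Constructed sample inputs (not taken from a real host).
SAMPLE_SSSD_CONF = """\
[sssd]
domains = default
services = nss, pam

[domain/default]
id_provider = ldap
auth_provider = ldap
cache_credentials = True
"""
SAMPLE_MOUNTS = """\
/dev/vda1 / xfs rw,relatime 0 0
tmpfs /var/lib/sss/db tmpfs rw,size=307200k,mode=700 0 0
"""

def fs_type_for(path, mounts_text):
    """Return the filesystem type of the longest mount point containing path."""
    best, fstype = "", None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        mnt = fields[1].rstrip("/") or "/"
        inside = mnt == "/" or path == mnt or path.startswith(mnt + "/")
        # ">=" lets a later mount stacked on the same directory win.
        if inside and len(mnt) >= len(best):
            best, fstype = mnt, fields[2]
    return fstype

def volatile_credential_domains(conf_text, mounts_text):
    """List domains whose cached credentials would be lost at reboot."""
    if fs_type_for(DB_DIR, mounts_text) != "tmpfs":
        return []
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    # cache_credentials is off unless set, as noted in the thread.
    return [s.split("/", 1)[1] for s in cp.sections()
            if s.startswith("domain/")
            and cp.getboolean(s, "cache_credentials", fallback=False)]

if __name__ == "__main__":
    for dom in volatile_credential_domains(SAMPLE_SSSD_CONF, SAMPLE_MOUNTS):
        print(f"{dom}: cache_credentials is on but {DB_DIR} is tmpfs; "
              "offline logins need re-priming after every reboot")
```

On a real host the two inputs would be the contents of /etc/sssd/sssd.conf and /proc/mounts.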
