[Freeipa-users] Slow ipa performance -- why so many ldap lookups ?
Jan-Frode Myklebust
janfrode at tanso.net
Thu Mar 21 20:57:50 UTC 2013
On Thu, Mar 21, 2013 at 03:29:38PM +0100, Jakub Hrozek wrote:
>
> I see several failures related to the SELinux processing:
> -----------
> (Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!
> (Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
> (Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][example.net]
> (Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sent result [4][example.net]
> -----------
>
> "4" is an internal error code, it would manifest in your /var/log/secure
> as "System Error".
No system errors are logged to /var/log/secure:
Mar 21 11:30:01 ipa1 CROND[1161]: pam_unix(crond:session): session closed for user root
Mar 21 11:33:27 ipa1 sshd[1204]: pam_access(sshd:account): access denied for user `janfrode' from `login2.example.net'
Mar 21 11:33:33 ipa1 sshd[1216]: pam_unix(sshd:session): session opened for user janfrode by (uid=0)
Mar 21 11:33:39 ipa1 su: pam_unix(su-l:session): session opened for user root by janfrode(uid=15019)
> What state is SELinux on the client machine? Are there any AVC denials?
SELinux is in enforcing mode. No denials logged.
When upgrading to v2.2, and also when initializing a v2.2 replica we got
the following error:
Applying LDAP updates
ipa : ERROR Update failed: Object class violation: attribute "ipaSELinuxUserMapOrder" not allowed
so I suspect there is some problem with our LDAP schema. That might be
related to the "No SELinux user maps found" message. I have a support
ticket open on this ipaSELinuxUserMapOrder-schema problem (00800931),
but not much progress there yet.
-jf
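
An added triage example, not part of the original message and not SSSD or FreeIPA code: it scans sssd backend debug lines in the format quoted above, reports every non-zero PAM result, and attaches the last message the same backend logged before the PAM callback. It assumes that log format and the Linux-PAM numeric return codes; the function and variable names are hypothetical.

```python
import re

# Subset of Linux-PAM return codes (security/_pam_types.h).
PAM_CODES = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED",
             7: "PAM_AUTH_ERR", 9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN"}

# Assumed line layout: (timestamp) [sssd[be[domain]]] [function] (level): message
LINE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<dom>[^\]]+)\]\]\] "
                  r"\[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
RESULT = re.compile(r"^Sending result \[(\d+)\]\[[^\]]+\]$")


def failed_pam_results(lines):
    """Return one record per non-zero PAM result, with the last message the
    same backend logged before its PAM callback as likely context."""
    last_context = {}  # domain -> (function, message)
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an sssd backend debug line
        dom, func, msg = m["dom"], m["func"], m["msg"]
        if func != "be_pam_handler_callback":
            last_context[dom] = (func, msg)
            continue
        r = RESULT.match(msg)
        if r and int(r.group(1)) != 0:
            code = int(r.group(1))
            findings.append({"time": m["ts"], "domain": dom, "code": code,
                             "name": PAM_CODES.get(code, "UNKNOWN"),
                             "context": last_context.get(dom)})
    return findings


# The first four lines are the ones quoted in the message; the last is constructed.
SAMPLE = """\
(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!
(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][example.net]
(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sent result [4][example.net]
(Thu Mar 21 08:25:10 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sending result [0][example.net]
"""

if __name__ == "__main__":
    for finding in failed_pam_results(SAMPLE.splitlines()):
        print(finding)
```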