[Freeipa-users] Slow ipa performance -- why so many ldap lookups ?

Jakub Hrozek jhrozek at redhat.com
Fri Mar 22 15:19:39 UTC 2013


On Thu, Mar 21, 2013 at 09:57:50PM +0100, Jan-Frode Myklebust wrote:
> On Thu, Mar 21, 2013 at 03:29:38PM +0100, Jakub Hrozek wrote:
> > 
> > I see several failures related to the SELinux processing:
> > -----------
> > (Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!
> > (Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
> > (Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][example.net]
> > (Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sent result [4][example.net]
> > -----------
> > 
> > "4" is an internal error code, it would manifest in your /var/log/secure
> > as "System Error".
> 
> No system errors are logged to /var/log/secure:
> 
> 	Mar 21 11:30:01 ipa1 CROND[1161]: pam_unix(crond:session): session closed for user root
> 	Mar 21 11:33:27 ipa1 sshd[1204]: pam_access(sshd:account): access denied for user `janfrode' from `login2.example.net'
> 	Mar 21 11:33:33 ipa1 sshd[1216]: pam_unix(sshd:session): session opened for user janfrode by (uid=0)
> 	Mar 21 11:33:39 ipa1 su: pam_unix(su-l:session): session opened for user root by janfrode(uid=15019)
> 
> > What state is SELinux on the client machine? Are there any AVC denials?
> 
> Selinux is in enforcing mode. No denials logged.
> 
> When upgrading to v2.2, and also when initializing a v2.2 replica we got
> the following error:
> 
> 	Applying LDAP updates
> 	ipa         : ERROR    Update failed: Object class violation: attribute "ipaSELinuxUserMapOrder" not allowed

Then maybe SSSD is tripping over the absence of the SELinux map order.
At least that's the way I read the SSSD code, it relies on the presence
of the ipaSELinuxUserMapOrder attribute.

What does:
$ ipa config-show --all --raw | grep -i selinux
say?

Does the problem go away if you set:
selinux_provider = none

in the config file in the domain section?
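As an added example (not code from this thread, from SSSD or from FreeIPA), a small Python check that parses SSSD backend debug lines of the form quoted above, flags every PAM result sent with the internal error code 4, counts the "No SELinux user maps found!" messages, and reads selinux_provider from the [domain/NAME] section of an sssd.conf fragment. The log lines and the config fragment are constructed from the messages in this thread; the sssd.conf section name format is the standard one.

```python
import configparser
import re

# SSSD debug line: (timestamp) [sssd[be[domain]]] [function] (0xlevel): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
RESULT_RE = re.compile(r"^Sending result \[(?P<code>\d+)\]\[[^\]]+\]$")
PAM_INTERNAL_ERROR = 4  # per the thread: shows up as "System Error" in /var/log/secure

# Constructed sample: the four lines quoted in the thread plus one successful result
SAMPLE_LOG = """\
(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!
(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][example.net]
(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sent result [4][example.net]
(Thu Mar 21 08:25:10 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sending result [0][example.net]
"""

def parse_line(line):
    """Split one SSSD debug line into its fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_internal_errors(log_text):
    """Return ([(timestamp, domain), ...] for each PAM result sent with code 4,
    number of 'No SELinux user maps found!' messages seen)."""
    hits, no_maps = [], 0
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["msg"].startswith("No SELinux user maps found"):
            no_maps += 1
        r = RESULT_RE.match(rec["msg"])
        if r and int(r.group("code")) == PAM_INTERNAL_ERROR:
            hits.append((rec["ts"], rec["domain"]))
    return hits, no_maps

# Constructed sssd.conf fragment with the workaround suggested in the thread
SAMPLE_CONF = """\
[domain/example.net]
id_provider = ipa
ipa_domain = example.net
selinux_provider = none
"""

def selinux_provider(conf_text, domain):
    """Value of selinux_provider in [domain/<domain>], or None when unset."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.get(f"domain/{domain}", "selinux_provider", fallback=None)
```

Point find_internal_errors at the contents of the domain's sssd_DOMAIN.log to see whether code-4 results line up with the missing SELinux maps, and selinux_provider at /etc/sssd/sssd.conf to confirm the workaround is actually in the right section.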
