[Freeipa-users] Why would /etc/passwd get skipped?

Bret Wortman bret.wortman at damascusgrp.com
Thu May 22 17:22:28 UTC 2014


Yep, that initgroups change had the same effect as shutting down sssd, 
but without inconveniencing all the IPA-only users.

The problem in this particular case was made worse by a lot of network 
latency, but even on network segments local to the ipa masters, it's 
taking seconds to authenticate. This will help out the local accounts, 
at least. Now to keep working on those that aren't local.

Thanks for that tip, Simo!

On 05/22/2014 01:15 PM, Simo Sorce wrote:
> On Thu, 2014-05-22 at 13:12 -0400, Bret Wortman wrote:
>> Ahhhh. Then it's probably not the source of my performance problem. I
>> know when I shut down SSSD, that user's ssh times speed up incredibly.
> This makes me think it *is* initgroups, as it normally will hit sssd
> even for non-sssd owned users.
>
> But the issue here clearly is that sssd is slow for you, bad network?
>
> Simo.
>
>> Bret
>>
>> On 05/22/2014 01:06 PM, Simo Sorce wrote:
>>> On Thu, 2014-05-22 at 12:47 -0400, Bret Wortman wrote:
>>>> If this line is in /etc/nsswitch.conf:
>>>>
>>>> passwd: files sss
>>>>
>>>> Why would the user account from IPA get used when an identical one
>>>> exists in /etc/passwd? We can tell because of some additional groups
>>>> granted when authentication comes from IPA.
>>>>
>>>> If I shut down sssd, then login proceeds through /etc/passwd as
>>>> expected, but as soon as I restart sssd, this behavior starts again.
>>>> It's almost as if nsswitch.conf is being ignored or read
>>>> right-to-left.
>>>>
>>>> Just another oddity I uncovered on one system as I was troubleshooting
>>>> a particularly long "ssh localhost" and trying to rule things out.
>>>>
>>> The initgroups call (done at authentication to find what groups a user
>>> is member of) by default traverses all databases, so if the same
>>> username is found in multiple databases the groups are added as well.
>>>
>>> There is actually a way to change this behavior, although it usually
>>> causes more issues than it resolves.
>>>
>>> You could try with: initgroups: files sss
>>>
>>> Simo.
>>>
>>
>
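An added example, not part of the original thread: a Python audit for the behaviour discussed above, reporting local accounts whose resolved group list contains GIDs that /etc/passwd and /etc/group do not grant, and whether nsswitch.conf has an initgroups line. The function names and the sample account and GIDs are constructed for illustration.

```python
import os
import re

# Constructed sample data: a local account that also exists in the directory.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nbret:x:1000:1000::/home/bret:/bin/bash\n"
SAMPLE_GROUP = "root:x:0:\nwheel:x:10:bret\nbret:x:1000:\n"

def nss_sources(nsswitch_text, database):
    """Service list for one nsswitch.conf database, or None if it has no line."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            # Drop action specs such as [NOTFOUND=return]; keep service names.
            return re.sub(r"\[[^\]]*\]", " ", line.split(":", 1)[1]).split()
    return None

def merges_all_sources(nsswitch_text):
    """True when there is no initgroups line (the default described in the thread)."""
    return nss_sources(nsswitch_text, "initgroups") is None

def files_groups(user, passwd_text, group_text):
    """GIDs the 'files' source alone grants: primary GID plus /etc/group members."""
    gids = set()
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[0] == user:
            gids.add(int(f[3]))
    for line in group_text.splitlines():
        f = line.strip().split(":")
        if len(f) >= 4 and user in f[3].split(","):
            gids.add(int(f[2]))
    return gids

def extra_groups(user, passwd_text, group_text, effective_gids):
    """Resolved GIDs that the local files do not account for."""
    return sorted(set(effective_gids) - files_groups(user, passwd_text, group_text))

if __name__ == "__main__":
    passwd_text = open("/etc/passwd").read()
    group_text = open("/etc/group").read()
    nsswitch_text = open("/etc/nsswitch.conf").read()
    print("no initgroups line, all group sources merged:", merges_all_sources(nsswitch_text))
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[3].isdigit():
            # os.getgrouplist resolves through NSS, so sssd is consulted if configured.
            extra = extra_groups(f[0], passwd_text, group_text, os.getgrouplist(f[0], int(f[3])))
            if extra:
                print(f[0], "receives GIDs not present in local files:", extra)
```

Run it before and after adding the initgroups line to confirm that local accounts stop picking up directory-granted groups.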

