[Freeipa-users] IPA - AD performance issue

Jakub Hrozek jhrozek at redhat.com
Mon Aug 31 11:36:36 UTC 2015


On Mon, Aug 24, 2015 at 11:57:52AM +0000, Alexander Frolushkin wrote:
> Hello!
> We have a very large AD and an IPA trust with it.
> Every time a user tries to log in to a client server, on the corresponding IPA server we have tons of messages like this:
> [ipa_add_ad_memberships_get_next] (0x0020): There are unresolved external group memberships even after all groups have been looked up on the LDAP server.
> (Mon Aug 24 14:25:42 2015) [sssd[be[unix.ad.ru]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-21-1454471165-861567501-725345543-35701
> (Mon Aug 24 14:25:42 2015) [sssd[be[unix.ad.ru]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-21-1454471165-861567501-725345543-16206
> (Mon Aug 24 14:25:42 2015) [sssd[be[unix.ad.ru]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-21-1454471165-861567501-725345543-16153
> (Mon Aug 24 14:25:42 2015) [sssd[be[unix.ad.ru]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-21-1454471165-861567501-725345543-16152
> (Mon Aug 24 14:25:42 2015) [sssd[be[unix.ad.ru]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-21-2201690096-3428534249-2815795581-23784
> (Mon Aug 24 14:25:42 2015) [sssd[be[unix.ad.ru]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-21-2201690096-3428534249-2815795581-23767
> (Mon Aug 24 14:25:42 2015) [sssd[be[unix.ad.ru]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-21-2201690096-3428534249-2815795581-23735
> (Mon Aug 24 14:25:42 2015) [sssd[be[unix.ad.ru]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-21-2201690096-3428534249-2815795581-23451
> (Mon Aug 24 14:25:42 2015) [sssd[be[unix.ad.ru]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-21-2201690096-3428534249-2815795581-23443
> (Mon Aug 24 14:25:42 2015) [sssd[be[unix.ad.ru]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-21-2201690096-3428534249-2815795581-29286
> (Mon Aug 24 14:25:42 2015) [sssd[be[unix.ad.ru]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-21-2201690096-3428534249-2815795581-15406
> (Mon Aug 24 14:25:42 2015) [sssd[be[unix.ad.ru]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-21-2201690096-3428534249-2815795581-23771
> (Mon Aug 24 14:25:42 2015) [sssd[be[unix.ad.ru]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-21-2201690096-3428534249-2815795581-37278
> (Mon Aug 24 14:25:42 2015) [sssd[be[unix.ad.ru]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-21-2201690096-3428534249-2815795581-16991
> (Mon Aug 24 14:25:42 2015) [sssd[be[unix.ad.ru]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-21-2201690096-3428534249-2815795581-43843
> (Mon Aug 24 14:25:42 2015) [sssd[be[unix.ad.ru]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-21-2201690096-3428534249-2815795581-9271
> (Mon Aug 24 14:25:42 2015) [sssd[be[unix.ad.ru]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-21-2201690096-3428534249-2815795581-35619
> (Mon Aug 24 14:25:42 2015) [sssd[be[unix.ad.ru]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-21-2201690096-3428534249-2815795581-38682
> (Mon Aug 24 14:25:42 2015) [sssd[be[unix.ad.ru]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-545
> (Mon Aug 24 14:25:42 2015) [sssd[be[unix.ad.ru]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-574
> (Mon Aug 24 14:26:03 2015) [sssd[be[unix.ad.ru]]] [ipa_add_ad_memberships_get_next] (0x0020): There are unresolved external group memberships even after all groups have been looked up on the LDAP server.
> (Mon Aug 24 14:26:03 2015) [sssd[be[unix.ad.ru]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
> 
> This process seems to take significant time, and sometimes the ssh client even breaks the connection with a timeout.
> 
> Not sure if this is some kind of architecture problem, or whether we have wrong settings somewhere.
> Just to mention: usually these SIDs are indirect membership groups, local ones, and do not affect any access rules for this user.

Hi,

what exact version are you running? There was a fix in RHEL-7.1.z that
increased performance with AD domains with POSIX attributes.

Here is also a post that talks about some workarounds wrt IPA-AD trust
performance setups:
    https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/
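
As an added example (not from the post, and not SSSD's or FreeIPA's own code), here is a small Python triage script for the "Domain not found for SID" records quoted above. It groups the unresolved SIDs by the domain part of the SID and dedupes them across repeated logins, so you can see at a glance how many distinct domains SSSD failed to map rather than reading one line per login. S-1-5-32 is the BUILTIN authority, which is local to a machine rather than a trusted domain, so entries under it are expected noise; the S-1-5-21-... prefixes are real domain SIDs and are the ones worth comparing against the domains the IPA server knows about from `ipa trustdomain-find`. The sample log embedded in the script is constructed from the records in the post (with one record repeated, as a second login would produce), the regex is written against the message format shown above, and the well-known BUILTIN RID names are hard-coded assumptions, not looked up anywhere.

```python
import re
from collections import defaultdict

# Matches the sssd debug records quoted in the post. Scanning the whole text
# with finditer (rather than line by line) also catches records that were run
# together on one line, as the first record in the post is.
SID_RE = re.compile(r"Domain not found for SID (S-1-5-[0-9-]+)")

# Well-known RIDs under the BUILTIN authority (S-1-5-32). Hard-coded here as an
# assumption for the example; nothing is resolved against a DC.
BUILTIN_RIDS = {
    544: "Administrators",
    545: "Users",
    546: "Guests",
    574: "Certificate Service DCOM Access",
}

# Constructed sample: a handful of the records from the post, including the
# run-together first line and one record repeated as a second login would do.
SAMPLE_LOG = """(Mon Aug 24 14:25:42 2015) [sssd[be[unix.ad.ru]]] [ipa_add_ad_memberships_get_next] (0x0020): There are unresolved external group memberships even after all groups have been looked up on the LDAP server.(Mon Aug 24 14:25:42 2015) [sssd[be[unix.ad.ru]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-21-1454471165-861567501-725345543-35701
(Mon Aug 24 14:25:42 2015) [sssd[be[unix.ad.ru]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-21-1454471165-861567501-725345543-16206
(Mon Aug 24 14:25:42 2015) [sssd[be[unix.ad.ru]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-21-2201690096-3428534249-2815795581-23784
(Mon Aug 24 14:25:42 2015) [sssd[be[unix.ad.ru]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-545
(Mon Aug 24 14:25:42 2015) [sssd[be[unix.ad.ru]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-574
(Mon Aug 24 14:26:03 2015) [sssd[be[unix.ad.ru]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-21-1454471165-861567501-725345543-35701
"""


def split_sid(sid):
    """Split 'S-1-5-21-A-B-C-RID' into ('S-1-5-21-A-B-C', RID)."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def triage(log_text):
    """Group the unresolved SIDs by their domain part.

    Returns {domain_sid: {"kind": ..., "rids": [...], "names": [...]}} where
    kind is 'builtin' for S-1-5-32, 'domain' for S-1-5-21-... and 'other'
    for anything else. RIDs are deduplicated and sorted.
    """
    rids_by_domain = defaultdict(set)
    for m in SID_RE.finditer(log_text):
        domain_sid, rid = split_sid(m.group(1))
        rids_by_domain[domain_sid].add(rid)

    report = {}
    for domain_sid, rids in rids_by_domain.items():
        rids = sorted(rids)
        if domain_sid == "S-1-5-32":
            kind = "builtin"
            names = [BUILTIN_RIDS.get(r, "unknown") for r in rids]
        elif domain_sid.startswith("S-1-5-21-"):
            kind = "domain"
            names = ["unknown"] * len(rids)
        else:
            kind = "other"
            names = ["unknown"] * len(rids)
        report[domain_sid] = {"kind": kind, "rids": rids, "names": names}
    return report


def domain_sids_to_check(report):
    """The S-1-5-21-... domain SIDs to compare against `ipa trustdomain-find`."""
    return sorted(d for d, v in report.items() if v["kind"] == "domain")


def format_report(report):
    """Render the triage result as plain text, one domain per block."""
    lines = []
    for domain_sid in sorted(report):
        v = report[domain_sid]
        lines.append(f"{domain_sid} [{v['kind']}] {len(v['rids'])} unresolved SID(s)")
        for rid, name in zip(v["rids"], v["names"]):
            lines.append(f"    RID {rid}: {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    print(format_report(rep))
    print("domain SIDs to compare against `ipa trustdomain-find`:",
          domain_sids_to_check(rep))
```

Run it against a real /var/log/sssd/sssd_<domain>.log from the IPA server instead of SAMPLE_LOG; any S-1-5-21 prefix it reports that does not appear as a "Domain Security Identifier" in `ipa trustdomain-find <trust>` is a domain the IPA side does not know about and is worth raising before tuning timeouts.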
