[Freeipa-users] Really slow logins with AD SID Mapping vs. POSIX
Jakub Hrozek
jhrozek at redhat.com
Fri Mar 20 14:34:08 UTC 2015
On Fri, Mar 20, 2015 at 09:41:08AM -0400, Gould, Joshua wrote:
> Updated:
> libipa_hbac.x86_64 0:1.12.2-58.el7_1.6.1
> libipa_hbac-python.x86_64 0:1.12.2-58.el7_1.6.1
> libsss_idmap.x86_64 0:1.12.2-58.el7_1.6.1
> libsss_nss_idmap.x86_64 0:1.12.2-58.el7_1.6.1
> libsss_nss_idmap-python.x86_64 0:1.12.2-58.el7_1.6.1
> python-sssdconfig.noarch 0:1.12.2-58.el7_1.6.1
> sssd.x86_64 0:1.12.2-58.el7_1.6.1
> sssd-ad.x86_64 0:1.12.2-58.el7_1.6.1
> sssd-client.x86_64 0:1.12.2-58.el7_1.6.1
> sssd-common.x86_64 0:1.12.2-58.el7_1.6.1
> sssd-common-pac.x86_64 0:1.12.2-58.el7_1.6.1
> sssd-ipa.x86_64 0:1.12.2-58.el7_1.6.1
> sssd-krb5.x86_64 0:1.12.2-58.el7_1.6.1
> sssd-krb5-common.x86_64 0:1.12.2-58.el7_1.6.1
> sssd-ldap.x86_64 0:1.12.2-58.el7_1.6.1
> sssd-proxy.x86_64 0:1.12.2-58.el7_1.6.1
> sssd-tools.x86_64 0:1.12.2-58.el7_1.6.1
>
>
> It's dramatically faster. Thank you!

Thank Sumit who identified the issue and wrote the patch :-)

btw if you have a RHEL subscription, it would be nice to open a customer
case so that it's easier for us to include the patch in RHEL given
customer testing experience. You can send the RHEL customer case number
to me.

>
> Mar 20 09:38:46 mid-ipa-vp01 sshd[3081]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=10.234.49.39 user=gould
> Mar 20 09:38:46 mid-ipa-vp01 sshd[3081]: pam_sss(sshd:auth):
> authentication success; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=10.234.49.39 user=gould
> Mar 20 09:38:48 mid-ipa-vp01 sshd[3081]: Accepted password for gould from
> 10.134.249.39 port 60170 ssh2
> Mar 20 09:38:48 mid-ipa-vp01 sshd[3081]: pam_unix(sshd:session): session
> opened for user gould by (uid=0)
>
>
>
> On 3/20/15, 4:18 AM, "Jakub Hrozek" <jhrozek at redhat.com> wrote:
>
> >On Thu, Mar 19, 2015 at 05:29:39PM -0400, Gould, Joshua wrote:
> >> Thank you!
> >
> >You're welcome, please try these builds:
> >https://urldefense.proofpoint.com/v2/url?u=https-3A__jhrozek.fedorapeople.
> >org_sssd-2Dtest-2Dbuilds_sssd-2D7.1-2Dgr-2Drequest_&d=AwIBAg&c=k9MF1d71ITt
> >kuJx-PdWme51dKbmfPEvxwt8SFEkBfs4&r=C8H0y1Bn8C6Mf5i9qrqkUDy3xSk8zPbIs_SvJwo
> >jC24&m=Q_JEJ-95yaJpaXtkuLwVxfpPN9Dm_PXXZhd4bG1d0ZY&s=6dKxT6QZrN5FoquwdwM62
> >Y4GJFQ6QqWn6Y6aGj4CXIc&e=
> >
> >But please note that when POSIX attributes are requested, the lookups
> >will /always/ be slower. With ID mapping, we can do just a single
> >base-scoped lookup to retrieve the multi-valued tokenGroups attribute
> >and map the SIDs to IDs. With POSIX attributes, we must simply go to the
> >server for each group and look up the GID.
>
>
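
The ID-mapping path described in the quoted message, as an added example that is not part of the original thread and is not SSSD code: the binary SIDs from a single tokenGroups read are decoded and turned into GIDs locally, with no per-group lookup. The domain SID, the RIDs, the ID range and the simple `range_min + RID` rule are constructed assumptions; SSSD's own range selection is not reproduced here.

```python
import struct

def sid_to_str(raw: bytes) -> str:
    """Decode one binary SID (the form tokenGroups values take) to S-1-... text."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision")
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")         # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])       # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def map_sid(sid: str, domain_sid: str, range_min: int, range_size: int) -> int:
    """Assumed mapping rule: ID = range_min + RID, for SIDs of one known domain."""
    prefix, _, rid_text = sid.rpartition("-")
    if prefix != domain_sid:
        raise ValueError("SID is outside the mapped domain: " + sid)
    rid = int(rid_text)
    if rid >= range_size:
        raise ValueError("RID does not fit the ID range: " + sid)
    return range_min + rid

def gids_from_token_groups(values, domain_sid, range_min, range_size):
    """Every GID is computed from the one attribute; no further server requests."""
    return [map_sid(sid_to_str(v), domain_sid, range_min, range_size)
            for v in values]

# Constructed sample data (hypothetical domain SID and RIDs).
DOMAIN_SID = "S-1-5-21-1000-2000-3000"

def _pack(rid: int) -> bytes:
    head = bytes([1, 5]) + (5).to_bytes(6, "big")
    return head + struct.pack("<5I", 21, 1000, 2000, 3000, rid)

TOKEN_GROUPS = [_pack(513), _pack(1104), _pack(1157)]

if __name__ == "__main__":
    for gid in gids_from_token_groups(TOKEN_GROUPS, DOMAIN_SID, 200000, 200000):
        print(gid)
```

With POSIX attributes the same three groups would each need their own request to the server to read the stored GID, which is the cost the message refers to.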