[Freeipa-users] Really slow logins with AD SID Mapping vs. POSIX

Jakub Hrozek jhrozek at redhat.com
Fri Mar 20 14:34:08 UTC 2015


On Fri, Mar 20, 2015 at 09:41:08AM -0400, Gould, Joshua wrote:
> Updated:
>   libipa_hbac.x86_64 0:1.12.2-58.el7_1.6.1
>   libipa_hbac-python.x86_64 0:1.12.2-58.el7_1.6.1
>   libsss_idmap.x86_64 0:1.12.2-58.el7_1.6.1
>   libsss_nss_idmap.x86_64 0:1.12.2-58.el7_1.6.1
>   libsss_nss_idmap-python.x86_64 0:1.12.2-58.el7_1.6.1
>   python-sssdconfig.noarch 0:1.12.2-58.el7_1.6.1
>   sssd.x86_64 0:1.12.2-58.el7_1.6.1
>   sssd-ad.x86_64 0:1.12.2-58.el7_1.6.1
>   sssd-client.x86_64 0:1.12.2-58.el7_1.6.1
>   sssd-common.x86_64 0:1.12.2-58.el7_1.6.1
>   sssd-common-pac.x86_64 0:1.12.2-58.el7_1.6.1
>   sssd-ipa.x86_64 0:1.12.2-58.el7_1.6.1
>   sssd-krb5.x86_64 0:1.12.2-58.el7_1.6.1
>   sssd-krb5-common.x86_64 0:1.12.2-58.el7_1.6.1
>   sssd-ldap.x86_64 0:1.12.2-58.el7_1.6.1
>   sssd-proxy.x86_64 0:1.12.2-58.el7_1.6.1
>   sssd-tools.x86_64 0:1.12.2-58.el7_1.6.1
> 
> 
> It's dramatically faster. Thank you!

Thank Sumit who identified the issue and wrote the patch :-)

btw if you have a RHEL subscription, it would be nice to open a customer
case so that it's easier for us to include the patch in RHEL given
customer testing experience. You can send the RHEL customer case number
to me.

> 
> Mar 20 09:38:46 mid-ipa-vp01 sshd[3081]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=10.234.49.39  user=gould
> Mar 20 09:38:46 mid-ipa-vp01 sshd[3081]: pam_sss(sshd:auth):
> authentication success; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=10.234.49.39 user=gould
> Mar 20 09:38:48 mid-ipa-vp01 sshd[3081]: Accepted password for gould from
> 10.134.249.39 port 60170 ssh2
> Mar 20 09:38:48 mid-ipa-vp01 sshd[3081]: pam_unix(sshd:session): session
> opened for user gould by (uid=0)
> 
> 
> 
> On 3/20/15, 4:18 AM, "Jakub Hrozek" <jhrozek at redhat.com> wrote:
> 
> >On Thu, Mar 19, 2015 at 05:29:39PM -0400, Gould, Joshua wrote:
> >> Thank you!
> >
> >You're welcome, please try these builds:
> >https://urldefense.proofpoint.com/v2/url?u=https-3A__jhrozek.fedorapeople.
> >org_sssd-2Dtest-2Dbuilds_sssd-2D7.1-2Dgr-2Drequest_&d=AwIBAg&c=k9MF1d71ITt
> >kuJx-PdWme51dKbmfPEvxwt8SFEkBfs4&r=C8H0y1Bn8C6Mf5i9qrqkUDy3xSk8zPbIs_SvJwo
> >jC24&m=Q_JEJ-95yaJpaXtkuLwVxfpPN9Dm_PXXZhd4bG1d0ZY&s=6dKxT6QZrN5FoquwdwM62
> >Y4GJFQ6QqWn6Y6aGj4CXIc&e=
> >
> >But please note that when POSIX attributes are requested, the lookups
> >will /always/ be slower. With ID mapping, we can do just a single
> >base-scoped lookup to retrieve the multi-valued tokenGroups attribute
> >and map the SIDs to IDs. With POSIX attributes, we must simply go to the
> >server for each group and look up the GID.
> 
> 
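
The ID-mapping path described in the quoted reply, as an added example that is not part of the original thread and is not SSSD's code: once the tokenGroups values are fetched, every GID is computed locally with no further server round trips. The range arithmetic (base ID plus RID offset), the function names and all sample values are assumptions constructed for illustration.

```python
import struct

def parse_sid(blob):
    """Decode one binary SID, the form in which tokenGroups values arrive."""
    if len(blob) < 8 or len(blob) != 8 + 4 * blob[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % blob[1], blob[8:])   # 32-bit, little-endian
    return "-".join(["S", str(blob[0]), str(authority)] + [str(s) for s in subs])

def sid_to_id(sid, domain_sid, base_id, base_rid, range_size):
    """Map a SID to a POSIX ID by arithmetic alone (assumed range scheme)."""
    prefix, _, rid = sid.rpartition("-")
    if prefix != domain_sid:
        return None                # other domain or well-known SID: not mapped
    offset = int(rid) - base_rid
    return base_id + offset if 0 <= offset < range_size else None

def map_token_groups(blobs, **id_range):
    """Resolve every group SID from a single tokenGroups result."""
    return {sid: sid_to_id(sid, **id_range) for sid in map(parse_sid, blobs)}

# Constructed sample: three tokenGroups values for a made-up domain SID.
TOKEN_GROUPS = [bytes.fromhex(h) for h in (
    "01050000000000051500000001000000020000000300000001020000",  # RID 513
    "01050000000000051500000001000000020000000300000051040000",  # RID 1105
    "01020000000000052000000021020000",                          # S-1-5-32-545
)]
# Constructed ID range; real values come from the deployment's configuration.
ID_RANGE = dict(domain_sid="S-1-5-21-1-2-3", base_id=200000,
                base_rid=0, range_size=200000)

if __name__ == "__main__":
    for sid, gid in map_token_groups(TOKEN_GROUPS, **ID_RANGE).items():
        print(sid, "->", gid)
```

With POSIX attributes the GID is stored on each group object instead, so there is nothing to compute and each group costs its own lookup.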



