[Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

Sullivan, Daniel [AAA] dsullivan2 at bsd.uchicago.edu
Mon Jul 18 11:56:24 UTC 2016


Hi, Jakub,

In line with your performance tuning document referenced prior in this thread, I’ve actually already implemented the three configuration changes you specified (prior to identifying this issue). Right now I am focusing on the use case documented below, because as of right now I am unable to get that user populated into a client cache with sssd 1.14, at all. In other cases for individual users (prior to implementing tmpfs for example), it seemed like an initial lookup on a client failed, then subsequent lookups would succeed, presumably as a result of the DC eventually looking up and caching the user. This user (the one I can’t seem to look up on a client) is a member of a large number of groups, and also some of these groups have longer names with spaces and special characters in them (i.e. $ and . @). I haven’t gone through and checked if one of these groups has a large number of users, primarily because I am able to look up users that are members of groups with a large number of members (over 1000) already. This is an actual group that this user is a member of, for example:

788658174(members of this group will have full mailbox access and send as rights to urbjobs@health.bsd.uchicago.edu mailbox)

Right now my theory is that the @ in this group name is causing the lookup to fail, as it is used as a character to specify the actual domain of a trusted group, although that has yet to be verified.

NSS - https://gist.github.com/dsulli99/01715234efab09772e8236a13e4f4ef5
IPA - https://gist.github.com/dsulli99/f3cc92d7c32061fd4676a83a039c31b1

Here is the full list of groups the user is a member of, from the output of the id command on a DC:

uid=339741696(hahsan@bsdad.uchicago.edu) gid=339741696(hahsan@bsdad.uchicago.edu) groups=339741696(hahsan@bsdad.uchicago.edu),788655857(hsd$ kcbd 6260 conference room freebusy read@bsdad.uchicago.edu),788668882(phs phsapps remoteapp default apps@bsdad.uchicago.edu),788670425(phs phsapps notepad2 users@bsdad.uchicago.edu),788670429(phs phsapps cmd users@bsdad.uchicago.edu),339797692(cri-hpc_allusers@bsdad.uchicago.edu),788670440(phs phsapps r v3.2.0 32-bit users@bsdad.uchicago.edu),788672389(phs phsapps remote desktop users@bsdad.uchicago.edu),788655856(hsd$ w230 conference room freebusy read@bsdad.uchicago.edu),788670441(phs phsapps r v3.2.0 64-bit users@bsdad.uchicago.edu),788672413(phs phsapps r v3.2.3 64-bit users@bsdad.uchicago.edu),788670431(phs phsapps file explorer users@bsdad.uchicago.edu),788670428(phs phsapps adobe reader xi users@bsdad.uchicago.edu),788609545(adm-trackitusers@bsdad.uchicago.edu),788615356(hsd$ workstation local login@bsdad.uchicago.edu),339794097(cri-lmem_cri_users@bsdad.uchicago.edu),788670445(phs phsapps taskmgr users@bsdad.uchicago.edu),788624309(hsd$ print@bsdad.uchicago.edu),788670436(phs phsapps notepadplusplus users@bsdad.uchicago.edu),788654299(cri-all_groups@bsdad.uchicago.edu),788670434(phs phsapps notepad users@bsdad.uchicago.edu),788670438(phs phsapps plink 1.90 users@bsdad.uchicago.edu),788670427(phs phsapps office access 2013 users@bsdad.uchicago.edu),788655855(hsd$ w229 conference room freebusy read@bsdad.uchicago.edu),788635799(adm-sde-clients@bsdad.uchicago.edu),788670439(phs phsapps office powerpoint 2013 user@bsdad.uchicago.edu),788610792(hsd$ all health studies@bsdad.uchicago.edu),788655854(hsd$ n102 conference room freebusy read@bsdad.uchicago.edu),339793627(cri-galaxy_web_users@bsdad.uchicago.edu),788670444(phs phsapps statamp 14 users@bsdad.uchicago.edu),339792922(cri-all_users@bsdad.uchicago.edu),788670442(phs phsapps rstudio users@bsdad.uchicago.edu),788655852(hsd$ freebusy read for all conference rooms@bsdad.uchicago.edu),788600513(domain users@bsdad.uchicago.edu),788670430(phs phsapps office excel 2013 users@bsdad.uchicago.edu),788672414(phs phsapps r v3.2.3 32-bit users@bsdad.uchicago.edu),339800245(cri-ahsan_lab@bsdad.uchicago.edu),788655034(fml$ n108 conference room freebusy read@bsdad.uchicago.edu),788670446(phs phsapps office word 2013 users@bsdad.uchicago.edu),788670437(phs phsapps plink 1.07 users@bsdad.uchicago.edu),788670443(phs phsapps sas 9.4 users@bsdad.uchicago.edu),788610930(hsd$ proof point@bsdad.uchicago.edu),788670432(phs phsapps mmc users@bsdad.uchicago.edu),788670433(phs phsapps mobaxterm users@bsdad.uchicago.edu),788658174(members of this group will have full mailbox access and send as rights to urbjobs@health.bsd.uchicago.edu mailbox)

I am not particularly well versed in deciphering IPA/NSS logs for SSSD, but at first review nothing is blaring, aside from these lines in the NSS log, which don’t provide much good information:

Error: 3, 0, Account info lookup failed
Will try to return what we have in cache

My goal is to spend at least some time focusing on this today to try and further identify the root cause of being unable to look up this user. I will report back if I find anything meaningful. In the meantime I would appreciate any advisement that could be provided.

Thank you for replying to me.

Best,

Dan Sullivan

On Jul 18, 2016, at 3:19 AM, Jakub Hrozek <jhrozek at redhat.com> wrote:

On Fri, Jul 15, 2016 at 04:35:54PM +0000, Sullivan, Daniel [AAA] wrote:

Jakub,

Thank you for replying to me.  Before I forget I will say that I am still on sssd 1.13 on the domain controller; I didn’t upgrade it because I haven’t had any problems logging into that system yet.  That being said:

Thank you, but did this command return "No such user"?

Yes.  Whenever this occurs "No such user" is the result from the id command executed on the client.

If it did, was the user cached previously (iow, was there a successful
lookup before) ?

No, this is the first time the user has ever been looked up.  As far as I know the user has never been successfully entered into the cache.  Similarly, the user has never logged in to the IPA server via an SSSD client.

Ah, thank you, if the user has not been cached before, then it's
expected that the lookup has nothing to fall back to if the client fails
to look up information from the server.


Here is an example of a failed lookup from a client:

[root at cri-kcriwebgdp1 problem]# id hahsan
id: hahsan: No such user

The DC logs for this operation are
NSS - https://gist.github.com/dsulli99/01715234efab09772e8236a13e4f4ef5
IPA - https://gist.github.com/dsulli99/f3cc92d7c32061fd4676a83a039c31b1

Thank you, I see that there are quite a lot of groups and the lookup
takes a bit of time. I wonder if any of the groups the user is a member
of are large?

If yes (and since moving the cache to tmpfs had helped), I wonder if
also using ignore_group_members would mitigate the issue further, like
this:

subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = True
ldap_purge_cache_timeout = 0

These would go into the domain section on the server itself.
