[Freeipa-users] Needs help understand this timeout issue

Troels Hansen th at casalogic.dk
Tue Feb 28 08:39:19 UTC 2017


Hi all....


Just wanted to follow up on this as I created a case with RedHat, and here is their findings, for all of you to share:

From RedHat support:

----------------------

As per the current discussion with our engineering team.

---
The client requests info about a user. This goes to the IPA DS which calls into SSSD on the client which does a sequence of:
1) getgrouplist -> returns a list of GIDs the user is a member of
2) for gid in list_of_gids:
        getgrgid(gid)

now, the problem is that the getgrgid on the server doesn't go directly to the domain the GID comes from -- in the general case this is not possible, because at least in the case of POSIX GIDs set by the admin we don't know which domain the GID is from. So what happens instead is that we search all the subdomains in the order they are discovered. Observe here:
(Mon Feb 27 09:27:29 2017) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [lx.dr.dk][0x2][BE_REQ_GROUP][1][idnumber=235088:-]
 -- this is the NSS responder searching the IPA domain. This is very fast since the SSSD and the IPA server are on the same machine
(Mon Feb 27 09:27:29 2017) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [place.dr.dk][0x2][BE_REQ_GROUP][1][idnumber=235088:-]
 -- but here we are searching the place.dr.dk domain
(Mon Feb 27 09:27:29 2017) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [net.dr.dk][0x2][BE_REQ_GROUP][1][idnumber=235088:-]
 -- then the net.dr.dk domain

I'm not sure we can do much in 7.3, unfortunately. But 7.4 will help in the sense that when the NSS responder is checking the caches and considering which back end server to contact, it would first loop over all the caches and try to first see if this ID already belongs to some domain as kind of a hint and first try to check this domain. In other words, instead of checking cache-server, cache-server it would check cache, cache, then server, server.

The other thing is, the back end could also, if the domain uses algorithmic ID mapping, decide sooner if the ID comes from its domain (as I said earlier, it's not possible in the general case if the admin assigns the POSIX IDs). There, we could reconstruct the SID from the GID and if the SID comes from a different domain, just abort the request.
---

We will be opening a bug based on our observation and update you further.

------------


So, this is either an actual bug or maybe just a suboptimal design, but it is being made into an actual bug at RedHat.
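To make the lookup order in the support answer concrete, here is a small simulation (added here as an illustration, not SSSD code or anything from the thread). It models the three domains named in the log excerpt (lx.dr.dk, place.dr.dk, net.dr.dk) and GID 235088, with constructed cache contents and group names, and counts how many back-end server contacts a single getgrgid() costs under the 7.3 "cache-server, cache-server" order versus the 7.4 "cache, cache, then server, server" order. It also shows the second idea from the answer: a domain using algorithmic ID mapping can refuse a GID outside its range before contacting its server. The ID range for place.dr.dk is an assumption chosen for the example.

```python
"""Simulate per-GID lookup order across SSSD subdomains (illustrative only).

Added example, not SSSD's implementation. Domain names and GID 235088 come
from the log lines in the thread; cache contents, group names and the
idmap range of place.dr.dk are constructed for this simulation.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Domain:
    name: str
    server: dict = field(default_factory=dict)   # authoritative gid -> group
    cache: dict = field(default_factory=dict)    # locally cached gid -> group
    idmap_range: Optional[tuple] = None          # (base, size) if algorithmic
    server_calls: int = 0                        # cost metric: remote lookups

    def lookup_cache(self, gid):
        return self.cache.get(gid)

    def lookup_server(self, gid):
        """Contact the domain's back end; on success populate the cache."""
        self.server_calls += 1
        grp = self.server.get(gid)
        if grp is not None:
            self.cache[gid] = grp
        return grp

    def may_own(self, gid):
        """Early abort for algorithmic ID mapping: a GID outside this domain's
        range would map to a SID of another domain, so the back end can skip
        the request. Admin-assigned POSIX IDs (no range) cannot be ruled out."""
        if self.idmap_range is None:
            return True
        base, size = self.idmap_range
        return base <= gid < base + size


def getgrgid_cache_server(domains, gid):
    """7.3-style order: for each domain, check its cache, then its server."""
    for d in domains:
        grp = d.lookup_cache(gid)
        if grp is None and d.may_own(gid):
            grp = d.lookup_server(gid)
        if grp is not None:
            return d.name, grp
    return None


def getgrgid_cache_first(domains, gid):
    """7.4-style order: every cache first, then every eligible server."""
    for d in domains:
        grp = d.lookup_cache(gid)
        if grp is not None:
            return d.name, grp
    for d in domains:
        if not d.may_own(gid):
            continue
        grp = d.lookup_server(gid)
        if grp is not None:
            return d.name, grp
    return None


def resolve_groups(domains, gids, strategy):
    """Resolve each GID (the getgrgid loop from the thread); return results
    plus the total number of server contacts across all domains."""
    results = {gid: strategy(domains, gid) for gid in gids}
    return results, sum(d.server_calls for d in domains)


def make_domains(warm_net_cache=False, place_uses_idmap=False):
    """Constructed fixture: GID 235088 really belongs to the last domain."""
    lx = Domain("lx.dr.dk", server={100001: "ipausers"})
    place = Domain("place.dr.dk", server={1000500: "place-admins"},
                   idmap_range=(1000000, 200000) if place_uses_idmap else None)
    net = Domain("net.dr.dk", server={235088: "net-ops"})
    if warm_net_cache:
        net.cache[235088] = "net-ops"
    return [lx, place, net]


if __name__ == "__main__":
    for label, warm, idmap in [("cold", False, False),
                               ("warm net cache", True, False),
                               ("cold + place idmap", False, True)]:
        for sname, strat in [("cache-server", getgrgid_cache_server),
                             ("cache-first", getgrgid_cache_first)]:
            _, calls = resolve_groups(make_domains(warm, idmap), [235088], strat)
            print(f"{label:20s} {sname:13s} server contacts: {calls}")
```

With a cold cache both orders cost three server contacts for a GID owned by the third domain, which is the walk through lx.dr.dk, place.dr.dk and net.dr.dk seen in the log. Once net.dr.dk has the entry cached, the cache-first order answers with no server contact at all, while the per-domain order still talks to two foreign servers first. The idmap check trims one contact by skipping place.dr.dk outright.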