[Freeipa-users] sssd doesn't cache, as it seems

Harald Dunkel harri at afaics.de
Sat Jan 21 16:15:58 UTC 2017


Hi Jakub,

On 01/21/17 13:49, Jakub Hrozek wrote:
> 
> Can you check what kind of query do you see in the LDAP server log?
> 

The git server does just a few queries per hour:

[21/Jan/2017:16:27:53.098932003 +0100] conn=8 op=39431 SRCH base="dc=example,dc=de" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/tisde8i005.ac.example.de@EXAMPLE.DE)(krbPrincipalName:caseIgnoreIA5Match:=host/tisde8i005.ac.example.de@EXAMPLE.DE)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled
krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Jan/2017:16:27:53.100196009 +0100] conn=8 op=39435 SRCH base="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration
krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
[21/Jan/2017:16:27:53.100426687 +0100] conn=8 op=39436 SRCH base="cn=tisde8i005.ac.example.de,cn=masters,cn=ipa,cn=etc,dc=example,dc=de" scope=0 filter="(objectClass=*)" attrs=ALL
[21/Jan/2017:16:27:53.100658375 +0100] conn=8 op=39437 MOD dn="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de"
[21/Jan/2017:16:27:53.125278099 +0100] conn=9119 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de"
[21/Jan/2017:16:28:37.001050661 +0100] conn=9119 op=891 SRCH base="cn=accounts,dc=example,dc=de" scope=2 filter="(&(objectClass=ipaHost)(fqdn=tisde8i005.ac.example.de))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[21/Jan/2017:16:28:37.003968246 +0100] conn=9119 op=892 SRCH base="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[21/Jan/2017:16:28:37.006876504 +0100] conn=9119 op=894 SRCH base="cn=sudo,dc=example,dc=de" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(!(memberHost=*))(hostCategory=ALL)(memberHost=fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de))(entryusn>=1))"
attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser
ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
[21/Jan/2017:16:42:47.447444525 +0100] conn=7 op=22424 SRCH base="dc=example,dc=de" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=host/tisde8i005.ac.example.de@EXAMPLE.DE))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Jan/2017:16:42:47.459190497 +0100] conn=9208 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de"
[21/Jan/2017:16:43:37.000841869 +0100] conn=9208 op=961 SRCH base="cn=accounts,dc=example,dc=de" scope=2 filter="(&(objectClass=ipaHost)(fqdn=tisde8i005.ac.example.de))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[21/Jan/2017:16:43:37.002362473 +0100] conn=9208 op=962 SRCH base="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[21/Jan/2017:16:43:37.005732600 +0100] conn=9208 op=964 SRCH base="cn=sudo,dc=example,dc=de" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(!(memberHost=*))(hostCategory=ALL)(memberHost=fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de))(entryusn>=1))"
attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser
ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
[21/Jan/2017:16:57:41.203749166 +0100] conn=7 op=22574 SRCH base="dc=example,dc=de" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/tisde8i005.ac.example.de@EXAMPLE.DE)(krbPrincipalName:caseIgnoreIA5Match:=host/tisde8i005.ac.example.de@EXAMPLE.DE)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled
krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Jan/2017:16:57:41.208535394 +0100] conn=7 op=22578 SRCH base="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration
krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
[21/Jan/2017:16:57:41.209403021 +0100] conn=7 op=22579 SRCH base="cn=tisde8i005.ac.example.de,cn=masters,cn=ipa,cn=etc,dc=example,dc=de" scope=0 filter="(objectClass=*)" attrs=ALL
[21/Jan/2017:16:57:41.210326182 +0100] conn=7 op=22580 MOD dn="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de"
[21/Jan/2017:16:57:41.255723384 +0100] conn=9305 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de"
[21/Jan/2017:16:58:37.000568448 +0100] conn=9305 op=1209 SRCH base="cn=accounts,dc=example,dc=de" scope=2 filter="(&(objectClass=ipaHost)(fqdn=tisde8i005.ac.example.de))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[21/Jan/2017:16:58:37.002589641 +0100] conn=9305 op=1210 SRCH base="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[21/Jan/2017:16:58:37.004729752 +0100] conn=9305 op=1212 SRCH base="cn=sudo,dc=example,dc=de" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(!(memberHost=*))(hostCategory=ALL)(memberHost=fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de))(entryusn>=1))"
attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser
ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"

> Do the server logs correlate with debug logs from the nss and domain sections of sssd?
> 

You are right: I misread the log file on the client.

> Are you sure there is no other NSS module in nsswitch.conf other than files and sss?
> 

It said "files nis sss". Fixed.


Thanks for your help (and patience)

Regards
Harri

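As an added example, not part of Harald's message, Jakub's reply, or the FreeIPA/sssd code: the two checks the thread ends on are (1) reading the 389-ds access log to see how often a given client actually hits the server and (2) confirming nsswitch.conf lists nothing but files and sss. The Python below parses access-log records of the form shown above (joining the wrapped attrs continuation lines the pasted log has), counts SRCH operations per hour and per connection, isolates the searches that reference one host, and reports any NSS module other than files/sss for the databases sssd serves. SAMPLE_LOG and NSSWITCH inside the script are constructed, modelled on the thread's output; the function names are mine.

```python
"""Added example, not from the mailing-list thread or the FreeIPA project:
parse 389-ds access-log lines, summarise the SRCH traffic one client generates,
and flag NSS modules other than files/sss in nsswitch.conf.
SAMPLE_LOG and NSSWITCH below are constructed, modelled on the thread."""
import re
from collections import Counter, defaultdict

# Every 389-ds access-log record starts "[timestamp] conn=N op=M KIND ..."
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<rest>.*)$'
)
# key="value" fields in the rest of the record (base, filter, attrs, dn)
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed log excerpt; the first record's attrs list is wrapped onto a
# second line, as in the thread's paste.
SAMPLE_LOG = """\
[21/Jan/2017:16:27:53.098932003 +0100] conn=8 op=39431 SRCH base="dc=example,dc=de" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=host/tisde8i005.ac.example.de@EXAMPLE.DE))" attrs="krbPrincipalName
krbPrincipalKey objectClass"
[21/Jan/2017:16:27:53.100658375 +0100] conn=8 op=39437 MOD dn="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de"
[21/Jan/2017:16:28:37.001050661 +0100] conn=9119 op=891 SRCH base="cn=accounts,dc=example,dc=de" scope=2 filter="(&(objectClass=ipaHost)(fqdn=tisde8i005.ac.example.de))" attrs="objectClass cn fqdn"
[21/Jan/2017:16:28:37.006876504 +0100] conn=9119 op=894 SRCH base="cn=sudo,dc=example,dc=de" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(!(memberHost=*))(hostCategory=ALL)(memberHost=fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de))(entryusn>=1))" attrs="objectClass cn entryusn"
[21/Jan/2017:17:05:12.000000000 +0100] conn=9119 op=1300 SRCH base="cn=accounts,dc=example,dc=de" scope=2 filter="(&(objectClass=ipaHost)(fqdn=otherhost.ac.example.de))" attrs="objectClass cn fqdn"
"""


def parse_access_log(text):
    """Return one dict per record: ts, conn, op, kind, hour, plus any key="value"
    fields. A line that does not start a record is a wrapped continuation of
    the previous one and is joined back onto it."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            if entries:
                entries[-1]["rest"] += " " + line
            continue
        entries.append(m.groupdict())
    for e in entries:
        e["conn"], e["op"] = int(e["conn"]), int(e["op"])
        e["hour"] = e["ts"][:14]            # "21/Jan/2017:16"
        e.update(KV_RE.findall(e.pop("rest")))
    return entries


def searches_per_hour(entries):
    """Counter of SRCH records per hour (the 'a few queries per hour' figure)."""
    return Counter(e["hour"] for e in entries if e["kind"] == "SRCH")


def searches_mentioning(entries, needle):
    """SRCH records whose base or filter contains needle, e.g. a host fqdn,
    to separate one client's lookups from the rest of the server's traffic."""
    return [e for e in entries if e["kind"] == "SRCH"
            and (needle in e.get("base", "") or needle in e.get("filter", ""))]


def ops_by_connection(entries):
    """conn id -> operation kinds in order. sssd keeps a long-lived connection
    and repeats its periodic refresh searches on it, so the same SRCH
    recurring on one conn is not by itself evidence of cache misses."""
    by_conn = defaultdict(list)
    for e in entries:
        by_conn[e["conn"]].append(e["kind"])
    return dict(by_conn)


ALLOWED_NSS = {"files", "sss"}
SSSD_DATABASES = ("passwd", "group", "shadow", "netgroup", "sudoers")

# Constructed /etc/nsswitch.conf with the extra 'nis' module the thread found.
NSSWITCH = """\
passwd:     files nis sss
group:      files nis sss
shadow:     files sss
hosts:      files dns
netgroup:   files sss
sudoers:    files sss
"""


def unexpected_nss_modules(nsswitch_text, databases=SSSD_DATABASES):
    """{database: [modules other than files/sss]} for the databases sssd should
    serve. Bracketed actions such as [NOTFOUND=return] are not modules."""
    found = {}
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        db, sep, mods = line.partition(":")
        if not sep or db.strip() not in databases:
            continue
        extra = [m for m in mods.split()
                 if not m.startswith("[") and m not in ALLOWED_NSS]
        if extra:
            found[db.strip()] = extra
    return found


if __name__ == "__main__":
    entries = parse_access_log(SAMPLE_LOG)
    print("SRCH per hour:", dict(searches_per_hour(entries)))
    print("ops per connection:", ops_by_connection(entries))
    for e in searches_mentioning(entries, "tisde8i005.ac.example.de"):
        print(f"{e['ts']} conn={e['conn']} op={e['op']} base={e['base']}")
    print("unexpected NSS modules:", unexpected_nss_modules(NSSWITCH))
```

Run it against a real /var/log/dirsrv/slapd-*/access file and /etc/nsswitch.conf by swapping the two constructed strings for file contents; the hour and per-connection summaries are what let you tell a client that really bypasses its cache (many short-lived conns, the same lookup repeated within seconds) from the normal periodic refreshes on one long-lived sssd connection.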