[Freeipa-users] Needs help understand this timeout issue

Troels Hansen th at casalogic.dk
Mon Jan 30 10:00:48 UTC 2017


Hi there 

I'm trying to debug a strange IPA timeout issue.

It's SSSD 1.14, IPA 4.4, RHEL 7.3.
2 IPA servers in AD trust.

Besides being a bit slow on group membership lookups for users with a moderate number of Groups, there are some users with a HUGE amount of nested groups.

A server just installed, thereby having a clean cache:

# time id shja
id: shja: no such user

real 0m12.107s
user 0m0.000s
sys 0m0.007s

Hmm, let's try again:

# sss_cache -E && systemctl restart sssd

# time id shja
id: shja: no such user

real 0m58.016s
user 0m0.001s
sys 0m0.005s

Hmm..

# sss_cache -E && systemctl restart sssd

# time id shja

...about 30% of the user's Groups are returned....

real 5m16.840s
user 0m0.010s
sys 0m0.019s

The next lookup is pretty fast and returns all Groups (about 730).

# time id shja

real 0m7.670s
user 0m0.028s
sys 0m0.066s

A few questions.

The first times, id seems to bail out and report "no such user" after what seems to be a random amount of time.

Then it actually starts fetching groups; it fetches a portion of the Groups, and on the last try it fetches all groups.

It looks like IPA is starting a thread running in the background, filling the cache, and this continues after the failed lookup?

Shouldn't SSSD be able to use the cache from the SSSD on the IPA server?

In this example the IPA server had a full cache of the user and groups, but the time it took to do the lookup indicates it's still traversing the AD?

sssd.conf is pretty default:

full_name_format = %1$s

set on the SSSD client.

On the IPA server this is added (no full_name_format):

ignore_group_members = True
ldap_purge_cache_timeout = 0
ldap_user_principal = nosuchattr

subdomain_inherit = ldap_user_principal, ignore_group_members, ldap_purge_cache_timeout
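An added sanity check for the server-side settings quoted above (example code written for this page, not from the poster or the SSSD project): it parses a constructed sssd.conf modelled on those lines and reports any option named in subdomain_inherit that is not actually set in the domain section, since such an entry inherits nothing into the trusted AD subdomain. The domain name ipa.example.test is a placeholder.

```python
"""Check that every option listed in subdomain_inherit is really set.

Constructed sample config: the domain name is a placeholder and the
option values are the ones quoted in the post for the IPA server.
"""
import configparser
import io

SAMPLE_CONF = """
[sssd]
domains = ipa.example.test
services = nss, pam

[domain/ipa.example.test]
id_provider = ipa
ignore_group_members = True
ldap_purge_cache_timeout = 0
ldap_user_principal = nosuchattr
subdomain_inherit = ldap_user_principal, ignore_group_members, ldap_purge_cache_timeout
"""


def parse_sssd_conf(text):
    """Parse sssd.conf text, keeping option names exactly as written."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_file(io.StringIO(text))
    return cp


def missing_inherited_options(conf, domain):
    """Options named in subdomain_inherit but not set in the domain section."""
    section = conf[f"domain/{domain}"]
    inherit = section.get("subdomain_inherit", "")
    wanted = [o.strip() for o in inherit.split(",") if o.strip()]
    return [o for o in wanted if o not in section]


def purge_disabled(conf, domain):
    """True when ldap_purge_cache_timeout = 0, i.e. periodic purge is off."""
    return conf[f"domain/{domain}"].get("ldap_purge_cache_timeout") == "0"


if __name__ == "__main__":
    cfg = parse_sssd_conf(SAMPLE_CONF)
    print("not inherited:", missing_inherited_options(cfg, "ipa.example.test"))
    print("purge disabled:", purge_disabled(cfg, "ipa.example.test"))
```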
