On 11 September 2017 at 12:23, John Beranek john@redux.org.uk wrote:
On 1 September 2017 at 15:54, Lukas Slebodnik lslebodn@redhat.com wrote:
On (01/09/17 09:33), William Edsall wrote:
Had a few communications with Michal but we're still stuck.
One issue is that we have dozens of domain controllers globally. A standard DNS lookup could give me a domain controller overseas, which will be slow, or maybe even a domain controller that isn't responding. As such, I have been inserting ad_server = x into the sssd.conf to improve performance.
I noticed that if I do not insert ad_server = x, I'm getting different results. My initial id request is very slow but seems to produce results. While searching, it seems to also be 'inserting' users into the users hash table - almost as if it's searching and inserting our entire user database? For example there are countless lines of the following: (Fri Sep 1 09:28:37 2017) [sssd[be[example.com]]] [sdap_nested_group_hash_insert] (0x4000): Inserting [CN=user_name,OU=bla,OU=bla Users,DC=dow,DC=com] into hash table [users]
As my initial id request returns, it seems to return several chunks of my group ids at once as if it's processing them individually and searching all users in that group (thus the above log entries).
Not sure if this helps or just muddies the issue, but it's strange indeed.
You needn't hardcode ad_server. You can still rely on dns discovery. I assume you use sites in AD. So you can "pin" sssd to your local/nearest site with option ad_site.
I've got something to add to this, some behaviour we're seeing with CentOS 7 servers using sssd-ad.
Looking in logs for where it decided to connect to a backup DC, the best I can find is the following sort of errors (or at least things that look like errors) from sysdb lookups, followed by the new LDAP connection to the backup DC:
(Mon Sep 11 04:24:52 2017) [sssd[be[EXAMPLE]]] [sdap_save_groups] (0x0040): Failed to store group 1 members.
(Mon Sep 11 04:24:52 2017) [sssd[be[EXAMPLE]]] [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Mon Sep 11 04:24:52 2017) [sssd[be[EXAMPLE]]] [sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for name=DL_RBA_SMBUsersFolders-ReadPerms@ad,cn=groups,cn=EXAMPLE,cn=sysdb
(Mon Sep 11 04:24:52 2017) [sssd[be[EXAMPLE]]] [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Mon Sep 11 04:24:52 2017) [sssd[be[EXAMPLE]]] [sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for name=GG_UserAccountProvisioningAdmins@ad,cn=groups,cn=EXAMPLE,cn=sysdb
(Mon Sep 11 04:24:52 2017) [sssd[be[EXAMPLE]]] [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Mon Sep 11 04:24:52 2017) [sssd[be[EXAMPLE]]] [sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for name=ITSupport@ad,cn=groups,cn=EXAMPLE,cn=sysdb
(Mon Sep 11 04:24:52 2017) [sssd[be[EXAMPLE]]] [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Mon Sep 11 04:24:52 2017) [sssd[be[EXAMPLE]]] [sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for name=DL_RBA_SMBUsersFolders-ReadPerms@ad,cn=groups,cn=EXAMPLE,cn=sysdb
(Mon Sep 11 04:24:52 2017) [sssd[be[EXAMPLE]]] [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Mon Sep 11 04:24:52 2017) [sssd[be[EXAMPLE]]] [sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for name=GG_UserAccountProvisioningAdmins@ad,cn=groups,cn=EXAMPLE,cn=sysdb
(Mon Sep 11 04:24:52 2017) [sssd[be[EXAMPLE]]] [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Mon Sep 11 04:24:52 2017) [sssd[be[EXAMPLE]]] [sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for name=ITSupport@ad,cn=groups,cn=EXAMPLE,cn=sysdb
(Mon Sep 11 04:37:09 2017) [sssd[be[EXAMPLE]]] [check_if_pac_is_available] (0x0040): find_user_entry failed.
(Mon Sep 11 04:37:09 2017) [sssd[be[EXAMPLE]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'EXAMPLE_GC'
(Mon Sep 11 04:37:09 2017) [sssd[be[EXAMPLE]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.example.com'
(Mon Sep 11 04:37:09 2017) [sssd[be[EXAMPLE]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'dc07.example.com' in files
(Mon Sep 11 04:37:09 2017) [sssd[be[EXAMPLE]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'dc07.example.com' in files
(Mon Sep 11 04:37:09 2017) [sssd[be[EXAMPLE]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'dc07.example.com' in DNS
(Mon Sep 11 04:37:15 2017) [sssd[be[EXAMPLE]]] [fo_resolve_service_timeout] (0x0080): Service resolving timeout reached
(Mon Sep 11 04:37:26 2017) [sssd[be[EXAMPLE]]] [sdap_id_conn_data_expire_handler] (0x0080): connection is about to expire, releasing it
(Mon Sep 11 04:53:16 2017) [sssd[be[EXAMPLE]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'EXAMPLE'
(Mon Sep 11 04:53:16 2017) [sssd[be[EXAMPLE]]] [get_server_status] (0x0100): Hostname resolution expired, resetting the server status of 'dc01.example.com'
(Mon Sep 11 04:53:16 2017) [sssd[be[EXAMPLE]]] [set_server_common_status] (0x0100): Marking server 'dc01.example.com' as 'name not resolved'
(Mon Sep 11 04:53:16 2017) [sssd[be[EXAMPLE]]] [collapse_srv_lookup] (0x0100): Need to refresh SRV lookup for domain Howden._sites.example.com
John
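Picking the failover-relevant events out of an sssd backend debug log by eye is tedious, as John's excerpt shows. The following Python script is an added example for this thread, not code from the thread's participants or from the sssd project: it parses lines of the shape `(<ctime>) [sssd[be[<domain>]]] [<function>] (<level>): <message>` and reduces them to a timeline of the events that bracket a switch to another DC (the sysdb store failure, service/SRV resolution, the resolve timeout, the connection release, and server status marks). The sample log is a subset of the lines quoted above plus one constructed line marking dc07.example.com as 'working'; that line, and the assumption that sssd logs the status words 'working' and 'name not resolved' in the `Marking server '...' as '...'` form, are mine, not something the thread shows.

```python
"""Extract failover-related events from sssd backend debug log lines.

Added example for the thread above; not part of sssd. The line format and
the message strings matched are taken from the log excerpt in the thread,
except the 'working' status line, which is constructed for illustration.
"""
import re
from datetime import datetime
from typing import Iterable, Iterator, List, NamedTuple, Optional

# "(Mon Sep 11 04:37:15 2017) [sssd[be[EXAMPLE]]] [func] (0x0080): message"
LOG_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
MARK_RE = re.compile(r"Marking server '(?P<server>[^']+)' as '(?P<status>[^']+)'")
SRV_RE = re.compile(r"Trying to resolve SRV record of '(?P<name>[^']+)'")
SVC_RE = re.compile(r"Trying to resolve service '(?P<name>[^']+)'")


class Entry(NamedTuple):
    ts: datetime
    domain: str
    func: str
    level: int   # sssd debug level, e.g. 0x0040 = fatal/critical failures
    msg: str


class Event(NamedTuple):
    ts: datetime
    kind: str
    detail: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one sssd debug line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return Entry(ts, m["domain"], m["func"], int(m["level"], 16), m["msg"])


def parse_log(lines: Iterable[str]) -> Iterator[Entry]:
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            yield entry


def classify(e: Entry) -> Optional[Event]:
    """Map one entry to a failover-relevant event, or None if it is noise."""
    if e.func == "sdap_save_groups" and e.level == 0x0040:
        return Event(e.ts, "cache_store_failed", e.msg)
    if e.func == "fo_resolve_service_send":
        m = SVC_RE.search(e.msg)
        return Event(e.ts, "service_resolve_started", m["name"] if m else e.msg)
    if e.func == "resolv_getsrv_send":
        m = SRV_RE.search(e.msg)
        return Event(e.ts, "srv_lookup", m["name"] if m else e.msg)
    if e.func == "fo_resolve_service_timeout":
        return Event(e.ts, "resolve_timeout", e.msg)
    if e.func == "sdap_id_conn_data_expire_handler":
        return Event(e.ts, "connection_released", e.msg)
    if e.func == "set_server_common_status":
        m = MARK_RE.search(e.msg)
        if m:
            return Event(e.ts, "server_status", f"{m['server']}={m['status']}")
    return None


def failover_events(lines: Iterable[str]) -> List[Event]:
    """Return the failover timeline for a log, in log order."""
    return [ev for ev in (classify(e) for e in parse_log(lines)) if ev is not None]


def servers_marked(events: Iterable[Event], status: str) -> List[str]:
    """Servers that were marked with the given status, in order."""
    return [ev.detail.split("=", 1)[0] for ev in events
            if ev.kind == "server_status" and ev.detail.endswith("=" + status)]


# Subset of the log quoted in the thread; the last line is constructed.
SAMPLE_LOG = """\
(Mon Sep 11 04:24:52 2017) [sssd[be[EXAMPLE]]] [sdap_save_groups] (0x0040): Failed to store group 1 members.
(Mon Sep 11 04:24:52 2017) [sssd[be[EXAMPLE]]] [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Mon Sep 11 04:37:09 2017) [sssd[be[EXAMPLE]]] [check_if_pac_is_available] (0x0040): find_user_entry failed.
(Mon Sep 11 04:37:09 2017) [sssd[be[EXAMPLE]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'EXAMPLE_GC'
(Mon Sep 11 04:37:09 2017) [sssd[be[EXAMPLE]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.example.com'
(Mon Sep 11 04:37:09 2017) [sssd[be[EXAMPLE]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'dc07.example.com' in DNS
(Mon Sep 11 04:37:15 2017) [sssd[be[EXAMPLE]]] [fo_resolve_service_timeout] (0x0080): Service resolving timeout reached
(Mon Sep 11 04:37:26 2017) [sssd[be[EXAMPLE]]] [sdap_id_conn_data_expire_handler] (0x0080): connection is about to expire, releasing it
(Mon Sep 11 04:53:16 2017) [sssd[be[EXAMPLE]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'EXAMPLE'
(Mon Sep 11 04:53:16 2017) [sssd[be[EXAMPLE]]] [get_server_status] (0x0100): Hostname resolution expired, resetting the server status of 'dc01.example.com'
(Mon Sep 11 04:53:16 2017) [sssd[be[EXAMPLE]]] [set_server_common_status] (0x0100): Marking server 'dc01.example.com' as 'name not resolved'
(Mon Sep 11 04:53:17 2017) [sssd[be[EXAMPLE]]] [set_server_common_status] (0x0100): Marking server 'dc07.example.com' as 'working'
"""

if __name__ == "__main__":
    for ev in failover_events(SAMPLE_LOG.splitlines()):
        print(f"{ev.ts:%H:%M:%S}  {ev.kind:<24} {ev.detail}")
```

Run it against a real `/var/log/sssd/sssd_<domain>.log` captured at `debug_level = 9` (the levels 0x0040 through 0x0100 used above are what that setting emits) and the gap between the `cache_store_failed` and `resolve_timeout` events tells you how long the backend sat on the dead connection before it gave up; the `server_status` marks tell you which DC it landed on.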