Hi All!
Everything works very well with sssd and the AD provider, but sudo su - is very slow the first time it is run (running it again takes <1 sec): user1@host$ sudo su - (slow, ~8-15 sec).
user1 is a domain user and a member of many groups (300+) in Active Directory.
/etc/sssd/sssd.conf:

[domain/default]
cache_credentials = true
ignore_group_members = true

[domain/domain.local]
debug_level = 6
id_provider = ad
ad_server = msa-dc13.domain.local, msk-dc11.domain.local
ad_domain = domain.local
ad_hostname = msa-mailsys1.domain.local
override_homedir = /home/%u
override_shell = /bin/bash
ignore_group_members = true
# FILTER
access_provider = simple
simple_allow_groups = ROL-Linux-Admin

[sssd]
services = nss, pam, sudo
cache_credentials = true
config_file_version = 2
domains = domain.local

[nss]
debug_level = 6

[pam]

[sudo]
#debug_level = 9
In /var/log/sssd/sssd_nss.log there are many requests to the domain when sudo is run the first time. Is it possible to cache the sudo operations, or is there some other way to get around this problem?
-- Eugene
On Tue, Jul 21, 2015 at 10:59:25AM +0300, Евгений wrote:
Yeah, I guess the groups are not cached the first time around.
What SSSD versions are you running?
Can you attach the nss and domain log so we can see what exactly is being requested? You're already using ignore_group_members which would be my guess..
If you're running a recent enough version, maybe the background refresh would be useful..
btw feel free to drop the [domain/default] section, it's not used anywhere..
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
OT: How come sudo even works with the AD provider?? You need to extend the AD schema, right? Thanks,
Ondrej
-----Original Message----- From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub Hrozek Sent: 21 July 2015 10:08 To: sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] sssd+ad-provider + sudo slow
-----
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications@s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.
On Tue, Jul 21, 2015 at 09:08:21AM +0000, Ondrej Valousek wrote:
OT: How comes sudo even works with the AD provider?? You need to extend AD schema right? Thanks,
Yes: https://jhrozek.wordpress.com/2014/07/21/add-sudo-rules-to-active-directory-...
Wow, that's cool! :)
-----Original Message----- From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub Hrozek Sent: 21 July 2015 11:14 To: sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] sssd+ad-provider + sudo slow
I have "stolen" a few bits from Jakub's blog to create a similar one about sssd & autofs & ad. It's here: https://ovalousek.wordpress.com/2015/08/03/autofs/
Hopefully someone will find it useful :)
On Mon, Aug 03, 2015 at 01:01:06PM +0000, Ondrej Valousek wrote:
I have "stolen" few bits from Jakub's blog to create a similar one about sssd & autofs & ad. It's here: https://ovalousek.wordpress.com/2015/08/03/autofs/
Hopefully someone will find it useful :)
Thanks, this is pretty cool!
I've re-shared the blog post on our Google plus page.
On 08/11/2015 09:30 AM, Jakub Hrozek wrote:
To shamelessly thread-jack here, does anyone have a pointer for me as to why $USER is not being expanded by autofs when called from LDAP? I have some direct maps working, but my indirect maps do not work as expected. I have tried the $USER, ${USER} and {$USER} variations. I have tried putting it in the automountKey under auto.master, and in the automountKey under auto.indirect (which is called by the automountKey under auto.master), to no avail. Any help would be appreciated.
brendan
Hi :)
1) sssd in this thread is sssd-1.11.6-30.el6_6.4.x86_64
2) sssd_nss.log:
many, many requests... (sample)
(Mon Jul 20 18:58:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [_hd_notice@domain.local]
(Mon Jul 20 18:58:02 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x418850:1:_hd_notice@domain.local]
(Mon Jul 20 18:58:02 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [domain.local][4097][1][name=_hd_notice]
(Mon Jul 20 18:58:02 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x418850:1:_hd_notice@domain.local]
Can't load all logs :)
So the problem is a user who has a lot of nested groups in AD.
> If you're running a recent enough version, maybe the background refresh would be useful..
refresh_expired_interval?
On Tue, Jul 21, 2015 at 12:29:39PM +0300, Евгений wrote:
> Hi :)
> 1) sssd in this thread is sssd-1.11.6-30.el6_6.4.x86_64
> 2) sssd_nss.log:
> many, many requests... (sample)
> (Mon Jul 20 18:58:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [_hd_notice@domain.local]
> (Mon Jul 20 18:58:02 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x418850:1:_hd_notice@domain.local]
> (Mon Jul 20 18:58:02 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [domain.local][4097][1][name=_hd_notice]
> (Mon Jul 20 18:58:02 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x418850:1:_hd_notice@domain.local]
> Can't load all logs :)
Did you check how long a single group typically takes? Since you're already using ignore_group_members, it should be pretty swift.
> So the problem is a user who has a lot of nested groups in AD.
> > If you're running a recent enough version, maybe the background refresh would be useful..
> refresh_expired_interval?
Yes, but you're running RHEL/CentOS 6.6, that's not recent enough, sorry. The background refresh will be released in 6.7 (which is supposed to be out Any Day Now)
Ok, I have this conf in an EL7 environment: sssd-1.12.2-58.el7.x86_64. Can sssd in EL7 work something out?
Is entry_cache_sudo_timeout useful, or do I need refresh_expired_interval?
Tuesday, 21 July 2015, 11:37 +02:00 from Jakub Hrozek jhrozek@redhat.com:
On Tue, Jul 21, 2015 at 12:43:48PM +0300, Евгений wrote:
> Ok, I have this conf in an EL7 environment: sssd-1.12.2-58.el7.x86_64. Can sssd in EL7 work something out?
No, sorry, also too old :-(
Upstream only gained this option in 1.12.5 (in 6.7 there is a backport): https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.5
> Is entry_cache_sudo_timeout useful, or do I need refresh_expired_interval?
Here's another idea. If you run sudo periodically, you can tune the cache to be long enough and set entry_cache_nowait_percentage to apply so that the entry is returned from cache but refreshed in the background.
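To make the suggestion above concrete, here is an added example domain section. It is not from the thread or from the SSSD project; the option names are the real sssd.conf(5) ones, the values are illustrative. It keeps entries cached long enough that a periodic sudo finds them still valid, lets a lookup that arrives late in an entry's lifetime be answered from the cache while the entry is refreshed in the background, and, for 1.12.5 and later, adds the background refresh discussed in the thread:

```ini
# Added example: domain section tuned for the case in the thread (300+ groups per user).
# Values are illustrative; option names are from sssd.conf(5).
[domain/domain.local]
id_provider = ad
ad_domain = domain.local
# As in the thread: do not download the member lists of the user's groups.
ignore_group_members = true

# How long a cached user or group is considered valid (default 5400 s).
# Set it longer than the interval at which sudo/login is typically run,
# so a routine sudo never finds the user's groups expired.
entry_cache_timeout = 14400

# When a lookup arrives after more than this percentage of the entry's
# lifetime has passed, answer from the cache right away and refresh the
# entry in the background instead of making the caller wait (0 disables
# this; 50 is the default, written out here to make the behaviour explicit).
entry_cache_nowait_percentage = 50

# sssd 1.12.5 and later (RHEL 6.7 carries a backport): refresh expired
# entries proactively even if nobody has asked for them. Keep the interval
# shorter than entry_cache_timeout so entries are renewed before they lapse.
refresh_expired_interval = 3600
```

The first two options are what the advice above relies on: with a long entry_cache_timeout, a sudo that arrives at, say, hour three of the four-hour lifetime is served from the cache and only triggers a background update, so the 300+ group lookups never block the caller. refresh_expired_interval must be dropped again on the 1.11 and 1.12.2 builds mentioned in the thread, which do not know the option.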
> Did you check how long a single group typically takes? Since you're already using ignore_group_members, it should be pretty swift.
Ok, check it out.
Domain user with ~300+ groups:
1) sss_cache -E
2) log in via ssh as the domain user and run sudo su - (~10+ sec)

Domain user with ~50 groups:
1) sss_cache -E
2) log in via ssh as the domain user and run sudo su - (~3-4 sec). (in the principles of tolerance)

what can be done in this version? :)
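Jakub asks above how long a single group takes and for the nss log, and Eugene's measurement (sss_cache -E, log in, time sudo su -) is the manual version of that check. The script below is an added example, not from the thread or from the SSSD project: it counts how many requests the nss responder had to forward to the data provider in sssd_nss.log (the sss_dp_issue_request lines quoted above), shows how they spread over time, and times a cold versus warm lookup with id, which performs the same initgroups resolution that sudo and login trigger. The sample log lines are constructed in the format quoted in the thread with made-up names and timestamps; the user name and log path are parameters.

```shell
#!/bin/sh
# Added example for this thread (not SSSD project code): quantify a cold-cache
# sudo/login from /var/log/sssd/sssd_nss.log and time a cold vs. warm lookup.
# Assumes the nss responder logs at debug_level 6 (as in the thread's config),
# and that sss_cache, id and GNU date (+%N) are present. User name and log
# path are parameters; the sample lines below are constructed in the format
# quoted in the thread, with made-up timestamps and names.

SAMPLE_LOG='(Mon Jul 20 18:58:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [_hd_notice@domain.local]
(Mon Jul 20 18:58:02 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x418850:1:_hd_notice@domain.local]
(Mon Jul 20 18:58:02 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [domain.local][4097][1][name=_hd_notice]
(Mon Jul 20 18:58:02 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x418850:1:_hd_notice@domain.local]
(Mon Jul 20 18:58:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [user1@domain.local]
(Mon Jul 20 18:58:03 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x418850:2:user1@domain.local]
(Mon Jul 20 18:58:05 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x418850:1:_hd_notice@domain.local]'

# Every sss_dp_issue_request line is one request the nss responder could not
# answer from its cache and forwarded to the data provider (i.e. to AD).
# Reads the file(s) given, or stdin. grep -c exits 1 on zero matches, hence || true.
count_issued_requests() {
    grep -c '\[sss_dp_issue_request\]' "$@" || true
}

# Distinct names behind those requests. The key looks like
# [0x418850:1:_hd_notice@domain.local]; the name is the third ':'-separated field.
count_distinct_names() {
    sed -n 's/.*\[sss_dp_issue_request\].*Issuing request for \[[^:]*:[^:]*:\([^]]*\)\].*/\1/p' "$@" \
        | sort -u | awk 'END { print NR }'
}

# Requests issued per logged second, in log order (the log is chronological).
# A cold sudo for a user in 300+ groups shows up as a long run of these lines.
requests_per_second() {
    awk '/\[sss_dp_issue_request\]/ && match($0, /^\([^)]*\)/) {
             ts = substr($0, RSTART + 1, RLENGTH - 2)
             if (ts != cur) { if (cur != "") print cur ": " n; cur = ts; n = 0 }
             n++
         }
         END { if (cur != "") print cur ": " n }' "$@"
}

# Eugene's manual check as a script: flush the cache, then time the first
# (cold) and second (warm) resolution of the user. id(1) performs the same
# initgroups lookup that sudo and login trigger. sss_cache needs root.
time_cold_warm() {
    user=$1
    sss_cache -E
    t0=$(date +%s%N)
    id "$user" >/dev/null
    t1=$(date +%s%N)
    id "$user" >/dev/null
    t2=$(date +%s%N)
    printf 'cold: %d ms\nwarm: %d ms\ngroups: %d\n' \
        $(( (t1 - t0) / 1000000 )) $(( (t2 - t1) / 1000000 )) $(id -G "$user" | wc -w)
}

# Usage: sudo sh sssd_cold_warm.sh <user> [/var/log/sssd/sssd_nss.log]
if [ $# -ge 1 ]; then
    time_cold_warm "$1"
    log=${2:-/var/log/sssd/sssd_nss.log}
    echo "backend requests issued: $(count_issued_requests "$log")"
    echo "distinct names requested: $(count_distinct_names "$log")"
    requests_per_second "$log"
fi
```

Run it once right after sss_cache -E and once again a minute later: the first run gives the cold figure Eugene reports and a count of how many entities the provider actually fetched, the second shows what the cache buys. Dividing the cold time by the number of issued requests is the per-group cost Jakub asks about.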
Well, in my environment I have a single server that I've updated to 1.12.5, and the timings I get are:
No cache: 2.87s
Cache: 0.014s
Still a little painful. I will experiment with refresh_expired_interval...
John
On 21 July 2015 at 11:26, Евгений evgen787@mail.ru wrote: