Hello,
I have a cluster of 6 FreeIPA servers in production that are connected to an Active Directory
cluster via an Active Directory trust. The goal is to let users access Linux VMs using
their Active Directory credentials. This works fine for the majority of our servers, but
lately we started to notice slow ssh authentication for Active Directory users. This is
caused by sssd sometimes (I don't know when or why) trying to enumerate all the users
(or part of the users) in AD and trying to update their group membership (below is an
example of the error messages).
Our FreeIPA client OSes are Debian 9 + 10 + 11 and CentOS 7 + 8. This behavior was only
noticed on Debian 11 (sssd version 2.4.1-2).
Below is the error message:
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowmediaaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowhomepagelinks@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wsealertadministrators@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowcomputeraccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowdashboardaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=administrateurs de l'entreprise@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseremoteaccessusers@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseremotewebaccessusers@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowaddinaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowshareaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=administrateurs du schéma@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=cmp_wifi_admin@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=admins du domaine@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowmediaaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowhomepagelinks@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wsealertadministrators@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowcomputeraccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowdashboardaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseremoteaccessusers@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseremotewebaccessusers@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowaddinaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowshareaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(2022-09-28 9:38:58): [be[ipa.transatel.net]] [ipa_pam_session_handler_get_deskprofile_user_info] (0x0020): sysdb_getpwnam() returned unexpected amount of users. Expected [1], got [0]
(2022-09-28 9:38:58): [be[ipa.transatel.net]] [ipa_pam_session_handler_send] (0x0020): ipa_deskprofile_get_user_info() failed [22]: Invalid argument
This is my sssd configuration file:
[domain/ipa.company.net]
timeout=30000
default_shell = /bin/bash
override_shell = /bin/bash
ipa_domain = ipa.company.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = dev-it-activiti-pa2-01.priv.company.net
chpass_provider = ipa
ipa_server = ipa-master-pa2-01.priv.company.net, ipa-replica-pa2-01.priv.company.net, ipa-replica-pa2-02.priv.company.net
ipa_backup_server = ipa-replica-th2-01.priv.company.net, ipa-replica-th2-02.priv.company.net, ipa-master-th2-01.priv.company.net
dns_discovery_domain = ipa.company.net
krb5_use_enterprise_principal = True
ldap_group_nesting_level = 0
[sssd]
domains = ipa.company.net
[nss]
timeout=30000
homedir_substring = /home
[pam]
timeout=30000
[sudo]
timeout=30000
[autofs]
[ssh]
timeout=30000
[pac]
[ifp]
[secrets]
[session_recording]
Important notice: I tried these options:
ldap_schema=rfc2307bis
ignore_group_members = True
ldap_group_nesting_level = 0
ldap_use_tokengroups = false
It worked fine after clearing the cache and restarting the service, but a few hours later
the same behavior was reproduced.
Any help with this please?
Thanks!
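Added example, not part of the original post or of sssd itself: a small Python parser for sssd domain-log lines in the format quoted above. It counts sysdb_update_members_ex "Could not add member" failures per second and lists the groups involved, so the bursts of membership updates the post describes can be spotted in the log rather than by waiting for slow logins. The sample log is constructed; the domain, user and threshold values are placeholders.

```python
import re
from collections import Counter

# Constructed sample in the sssd domain-log format from the post (names are placeholders).
SAMPLE_LOG = """\
(2022-09-28 9:38:55): [be[ipa.example.net]] [sysdb_update_members_ex] (0x0020): Could not add member [user1@domain] to group [name=wseallowmediaaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.example.net]] [sysdb_update_members_ex] (0x0020): Could not add member [user1@domain] to group [name=wseallowhomepagelinks@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.example.net]] [sysdb_update_members_ex] (0x0020): Could not add member [user1@domain] to group [name=wsealertadministrators@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.example.net]] [sysdb_update_members_ex] (0x0020): Could not add member [user2@domain] to group [name=wseallowmediaaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.example.net]] [sysdb_update_members_ex] (0x0020): Could not add member [user2@domain] to group [name=wseallowhomepagelinks@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.example.net]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(2022-09-28 9:38:58): [be[ipa.example.net]] [ipa_pam_session_handler_get_deskprofile_user_info] (0x0020): sysdb_getpwnam() returned unexpected amount of users. Expected [1], got [0]
(2022-09-28 9:40:01): [be[ipa.example.net]] [sysdb_update_members_ex] (0x0020): Could not add member [user3@domain] to group [name=cmp_wifi_admin@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
"""

# One entry per line: (YYYY-MM-DD H:MM:SS): [be[<domain>]] [<function>] (<level>): <message>
LOG_RE = re.compile(
    r"^\((?P<ts>\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2})\): "
    r"\[be\[(?P<domain>[^\]]+)\]\] \[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# Pull the group name out of "... to group [name=<group>,cn=groups,...]"
GROUP_RE = re.compile(r"to group \[name=(?P<group>[^,\]]+),")


def parse_line(line):
    """Return ts/domain/func/level/msg for one log entry, or None if it is not one."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def membership_failures(lines):
    """Count 'Could not add member' failures per second and collect the groups named."""
    per_second, groups = Counter(), set()
    for line in lines:
        e = parse_line(line)
        if not e or e["func"] != "sysdb_update_members_ex" or not e["msg"].startswith("Could not add member"):
            continue
        per_second[e["ts"]] += 1
        g = GROUP_RE.search(e["msg"])
        if g:
            groups.add(g.group("group"))
    return per_second, groups


def bursts(lines, threshold=5):
    """Seconds with at least `threshold` membership failures: a single stray failure is
    normal, many in one second is the enumeration/refresh the post is hitting."""
    per_second, _ = membership_failures(lines)
    return sorted(ts for ts, n in per_second.items() if n >= threshold)


if __name__ == "__main__":
    counts, names = membership_failures(SAMPLE_LOG.splitlines())
    print("bursts:", bursts(SAMPLE_LOG.splitlines()), "groups:", sorted(names))
```

Run it against /var/log/sssd/sssd_<domain>.log (with debug_level raised enough for 0x0020 entries) and compare burst timestamps with the slow-login times to confirm they coincide.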