On Thursday, December 3, 2020, 01:32:32 PM EST, Sumit Bose <sbose@redhat.com> wrote:
On Thu, Dec 03, 2020 at 05:50:31PM +0000, Sanjay Agrawal wrote:
> resending
> Sanjay Agrawal
>
> On Wednesday, December 2, 2020, 03:41:36 PM EST, Sanjay Agrawal <sanjayagrawal@yahoo.com> wrote:
>
> Hi,
>
> We are seeing an issue with a newer version of sssd on CentOS 7.9 (sssd version 1.16.5-10.el7_9.5.x86_64), where Initgroups is taking much longer compared to
> the previous version. Can you please look into it? The following are the details, including a sample program to reproduce the issue with the old and new versions.
>
> Sample Program: get_user_groups.py
>   - it just calls getgrouplist for a supplied user using libc
>
> Old env -
> OS Linux 3.10.0-1127.19.1.el7.x86_64 #1 SMP Wed Aug 26 11:48:49 BST 2020 x86_64 x86_64 x86_64 GNU/Linux
> SSSD Version   - 1.16.4-37.el7_8.4.x86_64
> Sample log file - sssd_nss-old.log
> Flamegraph    - flamgraph_sssd_nss-old.svg
> ID  879 'Initgroups by name' testuser1@example
>   starttime Tue Dec  1 18:36:42:092541 2020
>   endtime Tue Dec  1 18:36:42:124463 2020
>   lookup_time 0.031922 sec
>
> New env
> OS Linux 3.10.0-1160.6.1.el7.x86_64 #1 SMP Wed Nov 18 22:40:48 GMT 2020 x86_64 x86_64 x86_64 GNU/Linux
> SSSD Version   - 1.16.5-10.el7_9.5.x86_64
> Sample log file - sssd_nss-new.log
> Flamegraph    - flamgraph_sssd_nss-new.svg
> ID  776 'Initgroups by name' testuser1@example
>   starttime 2020-12-01 17:31:24:328419
>   endtime 2020-12-01 17:31:24:451778
>   lookup_time 0.123359 sec
>
>
> It seems to be due to an additional .1 second taken during the following two traces (from sssd_nss-new.log)
> (2020-12-01 17:31:24:355458): [nss] [cache_req_done] (0x0400): CR #776: Finished: Success
> (2020-12-01 17:31:24:451727): [nss] [sysdb_search_group_by_id] (0x0400): No such entry
> (2020-12-01 17:31:24:451757): [nss] [nss_protocol_fill_initgr] (0x0080): Unable to find primary gid [2]: No such file or directory
>
> It may be related to the following change, which seems to refer to sysdb_search_group_by_id
> nss: use real primary gid if the value is overriden · SSSD/sssd@80e6f71

Hi,
thanks for the analysis and I guess you might be right. The patch adds a
search where one attribute in the filter does not have an index. As a
result the search has to run over the whole cache.
I wonder if you would like to try to add such index? To do this please
stop SSSD and call:
ldbedit -H /var/lib/sss/db/cache_YOUR.DOMAIN.NAME.ldb -s base -b '@INDEXLIST'
which should open an editor showing something similar to
# editing 1 records
# record 1
dn: @INDEXLIST
@IDXATTR: cn
@IDXATTR: objectclass
@IDXATTR: member
@IDXATTR: memberof
@IDXATTR: name
@IDXATTR: uidNumber
@IDXATTR: gidNumber
@IDXATTR: lastUpdate
@IDXATTR: dataExpireTimestamp
@IDXATTR: originalDN
@IDXATTR: nameAlias
@IDXATTR: servicePort
@IDXATTR: serviceProtocol
@IDXATTR: sudoUser
@IDXATTR: sshKnownHostsExpire
@IDXATTR: objectSIDString
@IDXATTR: ghost
@IDXATTR: userPrincipalName
@IDXATTR: canonicalUserPrincipalName
@IDXATTR: uniqueID
@IDXATTR: mail
@IDXATTR: userMappedCertificate
@IDXATTR: ccacheFile
@IDXATTR: ipHostNumber
@IDXATTR: ipNetworkNumber
distinguishedName: @INDEXLIST
Please add in the @IDXATTR list a line
@IDXATTR: originalADgidNumber
and exit the editor, the database will be reindexed at this point.
Finally start SSSD again and rerun the test.
HTH
bye,
Sumit
>
> nss: use real primary gid if the value is overriden · SSSD/sssd@80e6f71
>
> SYSDB_PRIMARY_GROUP_GIDNUM contains original primary group id from AD because any possible override may not be k...
>
> Sanjay Agrawal
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
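
The gap analysis quoted in the report above (roughly 0.1 s between the cache_req_done and sysdb_search_group_by_id traces), as an added example that is not part of the original thread: a Python script that parses sssd debug-log timestamps and lists delays between consecutive lines. The function names and the 0.05 s threshold are assumptions; the sample input is the three trace lines quoted in the message.

```python
import re
from datetime import datetime

# Matches sssd debug lines such as:
# (2020-12-01 17:31:24:451727): [nss] [sysdb_search_group_by_id] (0x0400): No such entry
LINE_RE = re.compile(
    r"^\((\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}):(\d{6})\): "
    r"\[(\w+)\] \[(\w+)\] \((0x[0-9a-fA-F]+)\): (.*)$"
)

# The three trace lines quoted in the report (from sssd_nss-new.log).
SAMPLE_LOG = """\
(2020-12-01 17:31:24:355458): [nss] [cache_req_done] (0x0400): CR #776: Finished: Success
(2020-12-01 17:31:24:451727): [nss] [sysdb_search_group_by_id] (0x0400): No such entry
(2020-12-01 17:31:24:451757): [nss] [nss_protocol_fill_initgr] (0x0080): Unable to find primary gid [2]: No such file or directory
"""


def parse_line(line):
    """Return (timestamp, function, message), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    stamp = stamp.replace(microsecond=int(m.group(2)))
    return stamp, m.group(4), m.group(6)


def find_gaps(log_text, threshold=0.05):
    """List (seconds, before_func, after_func) for consecutive-line gaps >= threshold."""
    gaps = []
    prev = None
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip continuation lines and anything in another format
        if prev is not None:
            delta = (entry[0] - prev[0]).total_seconds()
            if delta >= threshold:
                gaps.append((round(delta, 6), prev[1], entry[1]))
        prev = entry
    return sorted(gaps, reverse=True)  # largest delay first


if __name__ == "__main__":
    for seconds, before, after in find_gaps(SAMPLE_LOG):
        print(f"{seconds:.6f}s between {before} and {after}")
```

Running the same function over the log captured after the index change shows whether the delay before sysdb_search_group_by_id has gone.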