On Thu, Dec 03, 2020 at 05:50:31PM +0000, Sanjay Agrawal wrote:
resending Sanjay Agrawal
On Wednesday, December 2, 2020, 03:41:36 PM EST, Sanjay Agrawal <sanjayagrawal@yahoo.com> wrote:
Hi,
we are seeing an issue with a newer version of sssd with centos 7.9, sssd version 1.16.5-10.el7_9.5.x86_64, where Initgroups is taking much longer compared to the previous version. Can you please look into it? Following are the details, including a sample program to reproduce the issue with the old and new versions.
Sample Program: get_user_groups.py - it just calls getgrouplist of a user supplied using libc
Old env -
OS Linux 3.10.0-1127.19.1.el7.x86_64 #1 SMP Wed Aug 26 11:48:49 BST 2020 x86_64 x86_64 x86_64 GNU/Linux
SSSD Version - 1.16.4-37.el7_8.4.x86_64
Sample log file - sssd_nss-old.log
Flamegraph - flamgraph_sssd_nss-old.svg
ID 879 'Initgroups by name' testuser1@example
  starttime Tue Dec  1 18:36:42:092541 2020
  endtime Tue Dec  1 18:36:42:124463 2020
  lookup_time 0.031922 sec

New env
OS Linux 3.10.0-1160.6.1.el7.x86_64 #1 SMP Wed Nov 18 22:40:48 GMT 2020 x86_64 x86_64 x86_64 GNU/Linux
SSSD Version - 1.16.5-10.el7_9.5.x86_64
Sample log file - sssd_nss-new.log
Flamegraph - flamgraph_sssd_nss-new.svg
ID 776 'Initgroups by name' testuser1@example
  starttime 2020-12-01 17:31:24:328419
  endtime 2020-12-01 17:31:24:451778
  lookup_time 0.123359 sec
It seems to be due to an additional .1 second taken between the following two traces (from sssd_nss-new.log):
(2020-12-01 17:31:24:355458): [nss] [cache_req_done] (0x0400): CR #776: Finished: Success
(2020-12-01 17:31:24:451727): [nss] [sysdb_search_group_by_id] (0x0400): No such entry
(2020-12-01 17:31:24:451757): [nss] [nss_protocol_fill_initgr] (0x0080): Unable to find primary gid [2]: No such file or directory
It may be related to the following change, which seems to refer to sysdb_search_group_by_id:
nss: use real primary gid if the value is overriden · SSSD/sssd@80e6f71
Hi,
thanks for the analysis and I guess you might be right. The patch adds a search where one attribute in the filter does not have an index. As a result the search has to run over the whole cache.
I wonder if you would like to try to add such an index? To do this please stop SSSD and call:
ldbedit -H /var/lib/sss/db/cache_YOUR.DOMAIN.NAME.ldb -s base -b '@INDEXLIST'
which should open an editor showing something similar to
# editing 1 records
# record 1
dn: @INDEXLIST
@IDXATTR: cn
@IDXATTR: objectclass
@IDXATTR: member
@IDXATTR: memberof
@IDXATTR: name
@IDXATTR: uidNumber
@IDXATTR: gidNumber
@IDXATTR: lastUpdate
@IDXATTR: dataExpireTimestamp
@IDXATTR: originalDN
@IDXATTR: nameAlias
@IDXATTR: servicePort
@IDXATTR: serviceProtocol
@IDXATTR: sudoUser
@IDXATTR: sshKnownHostsExpire
@IDXATTR: objectSIDString
@IDXATTR: ghost
@IDXATTR: userPrincipalName
@IDXATTR: canonicalUserPrincipalName
@IDXATTR: uniqueID
@IDXATTR: mail
@IDXATTR: userMappedCertificate
@IDXATTR: ccacheFile
@IDXATTR: ipHostNumber
@IDXATTR: ipNetworkNumber
distinguishedName: @INDEXLIST
Please add in the @IDXATTR list a line
@IDXATTR: originalADgidNumber
and exit the editor; the database will be reindexed at this point. Finally start SSSD again and rerun the test.
HTH
bye, Sumit
nss: use real primary gid if the value is overriden · SSSD/sssd@80e6f71
SYSDB_PRIMARY_GROUP_GIDNUM contains original primary group id from AD because any possible override may not be k...
Sanjay Agrawal
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
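
Added example (not part of the original thread and not SSSD code): the gap analysis described in the report, as a small parser that reads sssd_nss debug lines in the format quoted above and lists the pauses between consecutive entries. The sample input is the three lines quoted in the thread; the function names and the 0.05 second threshold are assumptions made for this example.

```python
import re
from datetime import datetime

# Matches debug lines in the format quoted in the thread:
# (YYYY-MM-DD HH:MM:SS:uuuuuu): [component] [function] (level): message
LINE_RE = re.compile(
    r"^\((\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}):(\d{6})\): "
    r"\[(\w+)\] \[(\w+)\] \((0x[0-9a-fA-F]+)\): (.*)$"
)

# The three lines quoted from sssd_nss-new.log in the thread.
SAMPLE_LOG = """\
(2020-12-01 17:31:24:355458): [nss] [cache_req_done] (0x0400): CR #776: Finished: Success
(2020-12-01 17:31:24:451727): [nss] [sysdb_search_group_by_id] (0x0400): No such entry
(2020-12-01 17:31:24:451757): [nss] [nss_protocol_fill_initgr] (0x0080): Unable to find primary gid [2]: No such file or directory
"""


def parse_line(line):
    """Return (timestamp, function, message), or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(
        microsecond=int(m.group(2)))
    return ts, m.group(4), m.group(6)


def find_gaps(text, threshold=0.05):
    """List (seconds, previous function, function logged after the gap)."""
    gaps, prev = [], None
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # continuation lines or other formats are skipped
        if prev is not None:
            delta = (entry[0] - prev[0]).total_seconds()
            if delta >= threshold:
                gaps.append((round(delta, 6), prev[1], entry[1]))
        prev = entry
    return sorted(gaps, reverse=True)  # longest pause first


if __name__ == "__main__":
    for seconds, before, after in find_gaps(SAMPLE_LOG):
        print(f"{seconds:.6f}s between {before} and {after}")
```

Running the same function over the log captured after adding the index shows whether the pause before sysdb_search_group_by_id has gone away.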