Issue #3619: Enable local_negative_timeout by default - sssd

SSSD / sssd

#3619 Enable local_negative_timeout by default

Closed: Fixed 5 years ago Opened 6 years ago by jhrozek.

I think we could enable the local negative timeout by default. In case there is no files domain, there is no reason sssd should be looking up local users except the libc merging feature, but then the entry with the same name should exist in LDAP and the negative cache is only called if the entry is not found.

If the files domain is enabled, the entry would be found in the files domain and not saved to the negative cache.

I think a reasonable default should be a couple of hours.

lslebodn commented 6 years ago

IMHO we might also take an advantage of files domain and replace getpwnam_r/getgrnam_r with internal functions

https://pagure.io/SSSD/sssd/blob/master/f/src/responder/common/negcache_files.c#_44
https://pagure.io/SSSD/sssd/blob/master/f/src/responder/common/negcache_files.c#_62
https://pagure.io/SSSD/sssd/blob/master/f/src/responder/common/negcache_files.c#_86
https://pagure.io/SSSD/sssd/blob/master/f/src/responder/common/negcache_files.c#_104

jhrozek commented 6 years ago

Which internal function do you have in mind? The nss_ex_ API? When this feature was introduced, we considered dlopening nss_files and calling the functions directly. I don't know why we didn't go with this after all, but in general I agree that using the NSS API directly is a bit risky, because you never know what kind of malfunctioning module there might be.

lslebodn commented 6 years ago

On (18/01/18 12:21), Jakub Hrozek wrote:

Which internal function do you have in mind? The nss_ex_ API? When this feature was introduced, we considered dlopening nss_files and calling the functions directly. I don't know why we didn't go with this after all, but in general I agree that using the NSS API directly is a bit risky, because you never know what kind of malfunctioning module there might be.

I meant directly use sysdb internal function with files domain.

jhrozek commented 6 years ago

Ah, this would work, because the files domain enumerates. Good idea.

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.2

6 years ago

Metadata Update from @jhrozek:
- Issue priority set to: major

6 years ago

jhrozek commented 5 years ago

https://github.com/SSSD/sssd/pull/589

Metadata Update from @jhrozek:
- Issue assigned to jhrozek

5 years ago

Metadata Update from @jhrozek:
- Issue tagged with: PR

5 years ago

fidencio commented 5 years ago

master:
9adc750

Metadata Update from @fidencio:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

5 years ago

pbrezina commented 4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4640

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata

Assignee

jhrozek

Tags

Blocking

None

Depending on

None

Priority

major

Milestone

SSSD 1.16.2

type

None

component

None

version

None

selected

None

testsupdated

None

patch

None

rhbz

None

design_review

None

review

None

changelog

None

keywords

None

coverity

None

mark

None

blocking

None

design

None

sensitive

None

blockedby

None

feature_milestone

None

SSSD / sssd

Source Code

Documentation

#3619 Enable local_negative_timeout by default Closed: Fixed 5 years ago Opened 6 years ago by jhrozek.

Metadata

PR

#3619 Enable local_negative_timeout by default

Closed: Fixed 5 years ago Opened 6 years ago by jhrozek.