#3958 sssd_krb5_locator_plugin introduces delay in cifs.upcall krb5 calls
Closed: Fixed 7 months ago by jhrozek. Opened 7 months ago by sbose.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1672527

Description of problem:
In RHEL-7.6 mounting a CIFS share takes a long time (54s) to complete. The same
mount completes on a RHEL-7.5 system within 3s.

The machine uses SSSD and 'krb5' as 'auth' and 'chpass' provider.  The
/etc/krb5.conf contains a list of AD domain controllers.

It turns out that cifs.upcall interferes with the 'kdcinfo' file from the SSSD
locator plugin. When this file is in place and 'krb5_use_kdcinfo' is set to
'true' in sssd.conf (which is the default), we see unwanted krb5 kpasswd
packets going to the AD DC stored in the 'kdcinfo' file. Removing 'kdcinfo' or
setting 'krb5_use_kdcinfo' to 'false' resolves the issue.

Version-Release number of selected component (if applicable):
sssd-1.16.0-19.el7_5.8.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Configure a RHEL-7.6 machine as AD client using SSSD with 'ldap' as identity
provider and 'krb5' as 'auth' and 'chpass' provider
2. Make sure /var/lib/sss/pubconf/kdcinfo.* exists and contains one of the AD
DC IPs
3. Mount an AD CIFS share using an AD account with krb5 security options

Actual results:
It takes very long for the mount to complete.

Expected results:
Mount completes immediately.

Additional info:

Metadata Update from @sbose:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1672527

7 months ago

The underlying reason for this issue is that if the kpasswdinfo file is created as well, its content is used for the MIT-specific master KDC lookup. But unfortunately the port number 464 is not replaced with the expected port number 88 for master KDCs.

Commit 05350ab relates to this ticket

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.1

7 months ago

Metadata Update from @jhrozek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

7 months ago

Metadata Update from @jhrozek:
- Issue assigned to sbose

7 months ago
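
The root cause given in the comment above (the kpasswdinfo entry answering the master KDC lookup with port 464 left in place) can be modelled in a few lines of C. This is an added illustration, not SSSD or MIT krb5 code and not the content of commit 05350ab; the `svc` enum, `parse_entry`, `resolve_port`, the `replace_port` switch and the sample file lines are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the lookup; not SSSD or MIT krb5 source. */
enum svc { SVC_KDC, SVC_MASTER_KDC, SVC_KPASSWD };
#define PORT_KDC 88
#define PORT_KPASSWD 464

/* Parse one "addr[:port]" line (IPv4 or hostname only). Returns 0 on success;
 * *port is 0 when the line carries no port. */
static int parse_entry(const char *line, char *addr, size_t alen, int *port)
{
    const char *colon = strrchr(line, ':');
    size_t n = colon ? (size_t)(colon - line) : strcspn(line, "\r\n");
    if (n == 0 || n >= alen) return -1;
    memcpy(addr, line, n);
    addr[n] = '\0';
    *port = 0;
    if (colon) {
        char *end;
        long p = strtol(colon + 1, &end, 10);
        if (end == colon + 1 || p < 1 || p > 65535) return -1;
        *port = (int)p;
    }
    return 0;
}

/* Port a client would contact for `svc`. kpasswdinfo may be NULL (file absent).
 * replace_port=0 models the reported behaviour: the kpasswdinfo entry answers
 * the master KDC lookup and its port is passed through unchanged. */
int resolve_port(enum svc svc, const char *kdcinfo, const char *kpasswdinfo,
                 int replace_port)
{
    char addr[64];
    int port;
    const char *src = kdcinfo;
    if (svc == SVC_KPASSWD || (svc == SVC_MASTER_KDC && kpasswdinfo))
        src = kpasswdinfo;
    if (!src || parse_entry(src, addr, sizeof addr, &port) != 0) return -1;
    if (svc == SVC_KPASSWD) return port ? port : PORT_KPASSWD;
    if (svc == SVC_MASTER_KDC && src == kpasswdinfo && replace_port)
        return PORT_KDC;
    return port ? port : PORT_KDC;
}

int main(void)
{
    const char *kdc = "192.0.2.10", *kpw = "192.0.2.10:464"; /* constructed */
    printf("master KDC, port kept:      %d\n", resolve_port(SVC_MASTER_KDC, kdc, kpw, 0));
    printf("master KDC, port replaced:  %d\n", resolve_port(SVC_MASTER_KDC, kdc, kpw, 1));
    printf("master KDC, no kpasswdinfo: %d\n", resolve_port(SVC_MASTER_KDC, kdc, NULL, 0));
    return 0;
}
```

With the port passed through, a master KDC request is aimed at the kpasswd port, which matches the unwanted kpasswd traffic noted in the report.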
