#9247 Slow ssh authentication due to sysdb_update_members_ex errors
Closed: invalid 2 years ago by abbra. Opened 2 years ago by ahmedzk.

Hello,
I have a cluster of 6 FreeIPA servers in production that are connected to an Active Directory cluster via the Active Directory trust. The goal is to let users access Linux VMs using their Active Directory credentials. This works fine for the majority of our servers, but lately we started to notice slow ssh authentication for Active Directory users. This is caused by sssd sometimes (I don't know when or why) trying to enumerate all the users (or part of the users) in the AD and trying to update their group membership (below is an example of the error message).
Our FreeIPA clients' OS are Debian 9, 10 and 11 and CentOS 7 and 8. This behavior was only noticed on Debian 11 (sssd version 2.4.1-2).


Below the error message:
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowmediaaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowhomepagelinks@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wsealertadministrators@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowcomputeraccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowdashboardaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=administrateurs de l'entreprise@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseremoteaccessusers@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseremotewebaccessusers@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowaddinaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowshareaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=administrateurs du schéma@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=cmp_wifi_admin@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=admins du domaine@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowmediaaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowhomepagelinks@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wsealertadministrators@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowcomputeraccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowdashboardaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseremoteaccessusers@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseremotewebaccessusers@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowaddinaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] (0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=wseallowshareaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(2022-09-28 9:38:58): [be[ipa.transatel.net]] [ipa_pam_session_handler_get_deskprofile_user_info] (0x0020): sysdb_getpwnam() returned unexpected amount of users. Expected [1], got [0]
(2022-09-28 9:38:58): [be[ipa.transatel.net]] [ipa_pam_session_handler_send] (0x0020): ipa_deskprofile_get_user_info() failed [22]: Invalid argument


This is my sssd configuration file:

[domain/ipa.company.net]
timeout=30000
default_shell = /bin/bash
override_shell = /bin/bash
ipa_domain = ipa.company.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = dev-it-activiti-pa2-01.priv.company.net
chpass_provider = ipa
ipa_server = ipa-master-pa2-01.priv.company.net, ipa-replica-pa2-01.priv.company.net, ipa-replica-pa2-02.priv.company.net
ipa_backup_server = ipa-replica-th2-01.priv.company.net, ipa-replica-th2-02.priv.company.net, ipa-master-th2-01.priv.company.net
dns_discovery_domain = ipa.company.net
krb5_use_enterprise_principal = True
ldap_group_nesting_level = 0

[sssd]
domains = ipa.company.net

[nss]
timeout=30000
homedir_substring = /home

[pam]
timeout=30000
[sudo]
timeout=30000
[autofs]
[ssh]
timeout=30000
[pac]
[ifp]
[secrets]
[session_recording]


Important notice: I tried these options
ldap_schema=rfc2307bis
ignore_group_members = True
ldap_group_nesting_level = 0
ldap_use_tokengroups = false

It worked fine after clearing the cache and restarting the service, but a few hours later the same behavior was reproduced.

Any help with this please?

Thanks !
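A small triage script for backend logs of the format quoted above, added here as an example (it is not part of this issue or of SSSD): it parses each line, counts errors per function, and flags any second in which sysdb_update_members_ex skipped a burst of memberships, which is the refresh storm the reporter describes as delaying logins. The embedded log lines are constructed to match the quoted format; ipa.example.test and the user names are placeholders.

```python
import re
from collections import Counter

# Backend debug-log line format quoted in the issue:
#   (timestamp): [be[domain]] [function] (level): message
LOG_RE = re.compile(r"^\((?P<ts>[^)]+)\): \[be\[(?P<domain>[^\]]+)\]\] "
                    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
MEMBER_RE = re.compile(r"Could not add member \[(?P<member>[^\]]+)\] to group \[name=(?P<group>[^,]+),")

# Constructed sample log shaped like the lines in the issue (not the reporter's real log).
_TS1, _TS2 = "2022-09-28 9:38:55", "2022-09-28 9:38:58"
_GROUPS = ["wseallowmediaaccess", "wseallowhomepagelinks", "wsealertadministrators",
           "wseallowcomputeraccess", "wseallowdashboardaccess", "administrateurs de l'entreprise",
           "wseremoteaccessusers", "wseremotewebaccessusers", "wseallowaddinaccess",
           "wseallowshareaccess", "cmp_wifi_admin"]
_BE = "[be[ipa.example.test]]"  # placeholder domain
SAMPLE_LOG = [
    f"({_TS1}): {_BE} [sysdb_update_members_ex] (0x0020): Could not add member [user01@domain] "
    f"to group [name={g}@domain,cn=groups,cn=domain,cn=sysdb]. Skipping." for g in _GROUPS
] + [f"({_TS1}): {_BE} [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: "
     "No such object(32), (null)."] * 3 + [
    f"({_TS2}): {_BE} [ipa_pam_session_handler_get_deskprofile_user_info] (0x0020): "
    "sysdb_getpwnam() returned unexpected amount of users. Expected [1], got [0]",
    f"({_TS2}): {_BE} [sysdb_update_members_ex] (0x0020): Could not add member [user02@domain] "
    "to group [name=cmp_wifi_admin@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.",
]

def parse_line(line):
    """Return the fields of one backend log line, or None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    mm = MEMBER_RE.search(rec["msg"])
    rec["member"] = mm.group("member") if mm else None
    rec["group"] = mm.group("group") if mm else None
    return rec

def summarize(lines, burst_threshold=10):
    """Count errors per function and flag each second in which sysdb_update_members_ex
    skipped at least burst_threshold memberships (the refresh storm a login waits on)."""
    by_func, per_second, groups = Counter(), Counter(), Counter()
    for rec in filter(None, map(parse_line, lines)):
        by_func[rec["func"]] += 1
        if rec["func"] == "sysdb_update_members_ex" and rec["group"]:
            per_second[rec["ts"]] += 1
            groups[rec["group"]] += 1
    bursts = {ts: n for ts, n in per_second.items() if n >= burst_threshold}
    return {"by_func": dict(by_func), "bursts": bursts, "groups": dict(groups)}
```

Run it against `/var/log/sssd/sssd_<domain>.log` by passing the file's lines to `summarize`; a burst entry gives the second to line up with the slow login in `sssd_pam.log`.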


This is the wrong place to file your operational issues. Please use the freeipa-users@ mailing list for that. We keep this issue tracker for actual software defects.

Metadata Update from @abbra:
- Issue close_status updated to: invalid
- Issue status updated to: Closed (was: Open)

2 years ago

Ok I'll do that, thanks !
