Hello,
I have a cluster of 6 FreeIPA servers in production that are connected to an 
Active Directory cluster via an Active Directory trust. The goal is to let 
users access Linux VMs using their Active Directory credentials. This works 
fine for the majority of our servers, but lately we started to notice slow SSH 
authentication for Active Directory users. This is caused by sssd sometimes (I 
don't know when, or why) trying to enumerate all the users (or part of the 
users) on the AD and trying to update their group membership (below is an 
example of the error message).
Our FreeIPA client OSes are Debian 9, 10 and 11 and CentOS 7 and 8. This 
behavior was only noticed on Debian 11 (sssd version 2.4.1-2).

Below is the error message:
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] 
(0x0020): Could not add member [xxxxxxxxxx@domain] to group 
[name=wseallowmediaaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] 
(0x0020): Could not add member [xxxxxxxxxx@domain] to group 
[name=wseallowhomepagelinks@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] 
(0x0020): Could not add member [xxxxxxxxxx@domain] to group 
[name=wsealertadministrators@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] 
(0x0020): Could not add member [xxxxxxxxxx@domain] to group 
[name=wseallowcomputeraccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] 
(0x0020): Could not add member [xxxxxxxxxx@domain] to group 
[name=wseallowdashboardaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] 
(0x0020): Could not add member [xxxxxxxxxx@domain] to group 
[name=administrateurs de l'entreprise@domain,cn=groups,cn=domain,cn=sysdb]. 
Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] 
(0x0020): Could not add member [xxxxxxxxxx@domain] to group 
[name=wseremoteaccessusers@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] 
(0x0020): Could not add member [xxxxxxxxxx@domain] to group 
[name=wseremotewebaccessusers@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] 
(0x0020): Could not add member [xxxxxxxxxx@domain] to group 
[name=wseallowaddinaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] 
(0x0020): Could not add member [xxxxxxxxxx@domain] to group 
[name=wseallowshareaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] 
(0x0020): Could not add member [xxxxxxxxxx@domain] to group 
[name=administrateurs du schéma@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] 
(0x0020): Could not add member [xxxxxxxxxx@domain] to group 
[name=cmp_wifi_admin@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] 
(0x0020): Could not add member [xxxxxxxxxx@domain] to group [name=admins du 
domaine@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] 
(0x0020): Could not add member [xxxxxxxxxx@domain] to group 
[name=wseallowmediaaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] 
(0x0020): Could not add member [xxxxxxxxxx@domain] to group 
[name=wseallowhomepagelinks@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] 
(0x0020): Could not add member [xxxxxxxxxx@domain] to group 
[name=wsealertadministrators@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] 
(0x0020): Could not add member [xxxxxxxxxx@domain] to group 
[name=wseallowcomputeraccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] 
(0x0020): Could not add member [xxxxxxxxxx@domain] to group 
[name=wseallowdashboardaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] 
(0x0020): Could not add member [xxxxxxxxxx@domain] to group 
[name=wseremoteaccessusers@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] 
(0x0020): Could not add member [xxxxxxxxxx@domain] to group 
[name=wseremotewebaccessusers@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] 
(0x0020): Could not add member [xxxxxxxxxx@domain] to group 
[name=wseallowaddinaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [sysdb_update_members_ex] 
(0x0020): Could not add member [xxxxxxxxxx@domain] to group 
[name=wseallowshareaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [ipa_s2n_exop_done] (0x0040): 
ldap_extended_operation result: No such object(32), (null).
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [ipa_s2n_exop_done] (0x0040): 
ldap_extended_operation result: No such object(32), (null).
(2022-09-28 9:38:55): [be[ipa.transatel.net]] [ipa_s2n_exop_done] (0x0040): 
ldap_extended_operation result: No such object(32), (null).
(2022-09-28 9:38:58): [be[ipa.transatel.net]] 
[ipa_pam_session_handler_get_deskprofile_user_info] (0x0020): sysdb_getpwnam() 
returned unexpected amount of users. Expected [1], got [0]
(2022-09-28 9:38:58): [be[ipa.transatel.net]] [ipa_pam_session_handler_send] 
(0x0020): ipa_deskprofile_get_user_info() failed [22]: Invalid argument

This is my sssd configuration file:

[domain/ipa.company.net]
timeout=30000
default_shell = /bin/bash
override_shell = /bin/bash
ipa_domain = ipa.company.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = dev-it-activiti-pa2-01.priv.company.net
chpass_provider = ipa
ipa_server = ipa-master-pa2-01.priv.company.net, ipa-replica-pa2-01.priv.company.net, ipa-replica-pa2-02.priv.company.net
ipa_backup_server = ipa-replica-th2-01.priv.company.net, ipa-replica-th2-02.priv.company.net, ipa-master-th2-01.priv.company.net
dns_discovery_domain = ipa.company.net
krb5_use_enterprise_principal = True
ldap_group_nesting_level = 0

[sssd]
domains = ipa.company.net

[nss]
timeout=30000
homedir_substring = /home

[pam]
timeout=30000
[sudo]
timeout=30000
[autofs]
[ssh]
timeout=30000
[pac]
[ifp]
[secrets]
[session_recording]

Important notice: I tried these options:
ldap_schema=rfc2307bis
ignore_group_members = True
ldap_group_nesting_level = 0
ldap_use_tokengroups = false

It worked fine after clearing the cache and restarting the service, but a few 
hours later the same behavior was reproduced.

Any help with this, please?

Thanks !
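As an added example (not from the post or from the sssd project), a small Python script that re-joins log records a mail client wrapped onto several lines, parses the sssd domain-log format quoted above and summarises, per second, how many group-membership updates sssd skipped, how many distinct groups and members were touched and how many s2n extended operations failed, so a burst can be correlated with the moment of a slow login. The sample log, domain name and user names are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the sssd domain log quoted in the
# post, including two records wrapped onto a second line (placeholder names).
SAMPLE_LOG = """\
(2022-09-28 9:38:55): [be[ipa.example.net]] [sysdb_update_members_ex] (0x0020): Could not add member [user1@domain] to group [name=wseallowmediaaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.example.net]] [sysdb_update_members_ex] (0x0020): Could not add member [user1@domain] to group [name=admins du
domaine@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.example.net]] [sysdb_update_members_ex] (0x0020): Could not add member [user2@domain] to group [name=wseallowmediaaccess@domain,cn=groups,cn=domain,cn=sysdb]. Skipping.
(2022-09-28 9:38:55): [be[ipa.example.net]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(2022-09-28 9:38:58): [be[ipa.example.net]]
[ipa_pam_session_handler_get_deskprofile_user_info] (0x0020): sysdb_getpwnam() returned unexpected amount of users. Expected [1], got [0]
"""

# One sssd record: "(timestamp): [be[domain]] [function] (level): message"
RECORD_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[be\[(?P<domain>[^\]]+)\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)$")
MEMBER_RE = re.compile(
    r"Could not add member \[(?P<member>[^\]]+)\] to group \[name=(?P<group>[^,]+),")

def unwrap(text):
    """Re-join wrapped records: a continuation line does not start with '('."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("(") or not records:
            records.append(line.rstrip())
        else:
            records.append(records.pop() + " " + line.strip())
    return records

def parse(text):
    """Return a dict per record that matches the sssd log format."""
    return [m.groupdict() for m in map(RECORD_RE.match, unwrap(text)) if m]

def summarize(text):
    """Per-second counters; many skipped updates across many groups in one
    second indicate a bulk membership refresh rather than a single lookup."""
    buckets = defaultdict(lambda: {"skipped": 0, "groups": set(),
                                   "members": set(), "s2n_failures": 0})
    for r in parse(text):
        b = buckets[r["ts"]]
        if r["func"] == "sysdb_update_members_ex":
            m = MEMBER_RE.search(r["msg"])
            if m:
                b["skipped"] += 1
                b["groups"].add(m["group"])
                b["members"].add(m["member"])
        elif r["func"] == "ipa_s2n_exop_done" and "No such object" in r["msg"]:
            b["s2n_failures"] += 1
    return {ts: {"skipped": b["skipped"], "groups": len(b["groups"]),
                 "members": len(b["members"]), "s2n_failures": b["s2n_failures"]}
            for ts, b in buckets.items()}

if __name__ == "__main__":
    for ts, counts in sorted(summarize(SAMPLE_LOG).items()):
        print(ts, counts)
```

Run it against the real file (for example `/var/log/sssd/sssd_ipa.company.net.log`) by reading it into `summarize()` instead of `SAMPLE_LOG`.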
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue