On 11 September 2017 at 12:23, John Beranek <j...@redux.org.uk> wrote:
> On 1 September 2017 at 15:54, Lukas Slebodnik <lsleb...@redhat.com> wrote:
>>
>> On (01/09/17 09:33), William Edsall wrote:
>> >Had a few communications with Michal but we're still stuck.
>> >
>> >One issue is that we have dozens of domain controllers globally. A standard
>> >dns lookup could give me a domain controller overseas which will be slow,
>> >or maybe even a domain controller that isn't responding. As such, I have
>> >been inserting ad_server = x into the sssd.conf to improve performance.
>> >
>> >I noticed that if I do not insert ad_server = x, I'm getting different
>> >results. My initial id request is very slow but seems to produce results.
>> >While searching, it seems to also be 'inserting' users into the users hash
>> >table - almost as if it's searching and inserting our entire user database?
>> >For example there are countless lines of the following:
>> >(Fri Sep  1 09:28:37 2017) [sssd[be[example.com]]]
>> >[sdap_nested_group_hash_insert] (0x4000): Inserting
>> >[CN=user_name,OU=bla,OU=bla Users,DC=dow,DC=com] into hash table [users]
>> >
>> >As my initial id request returns, it seems to return several chunks of my
>> >group ids at once as if it's processing them individually and searching all
>> >users in that group (thus the above log entries).
>> >
>> >Not sure if this helps or just muddies up the issue but it's strange indeed.
>> >
>> You needn't hardcode ad_server. You can still rely on dns discovery.
>> I assume you use sites in AD. So you can "pin" sssd to your local/nearest
>> site with option ad_site.
>
> I've got something to add to this, some behaviour we're seeing with
> CentOS 7 servers using sssd-ad.

Looking in logs for where it decided to connect to a backup DC, the
best I can find is the following sort of errors (or at least things
that look like errors) from sysdb lookups, followed by the new LDAP
connection to the backup DC:

(Mon Sep 11 04:24:52 2017) [sssd[be[EXAMPLE]]] [sdap_save_groups]
(0x0040): Failed to store group 1 members.
(Mon Sep 11 04:24:52 2017) [sssd[be[EXAMPLE]]]
[sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such
object](32)[ldb_wait: No such object (32)]
(Mon Sep 11 04:24:52 2017) [sssd[be[EXAMPLE]]] [sysdb_set_entry_attr]
(0x0080): Cannot set ts attrs for
name=DL_RBA_SMBUsersFolders-ReadPerms@ad,cn=groups,cn=EXAMPLE,cn=sysdb
(Mon Sep 11 04:24:52 2017) [sssd[be[EXAMPLE]]]
[sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such
object](32)[ldb_wait: No such object (32)]
(Mon Sep 11 04:24:52 2017) [sssd[be[EXAMPLE]]] [sysdb_set_entry_attr]
(0x0080): Cannot set ts attrs for
name=GG_UserAccountProvisioningAdmins@ad,cn=groups,cn=EXAMPLE,cn=sysdb
(Mon Sep 11 04:24:52 2017) [sssd[be[EXAMPLE]]]
[sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such
object](32)[ldb_wait: No such object (32)]
(Mon Sep 11 04:24:52 2017) [sssd[be[EXAMPLE]]] [sysdb_set_entry_attr]
(0x0080): Cannot set ts attrs for
name=ITSupport@ad,cn=groups,cn=EXAMPLE,cn=sysdb
(Mon Sep 11 04:24:52 2017) [sssd[be[EXAMPLE]]]
[sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such
object](32)[ldb_wait: No such object (32)]
(Mon Sep 11 04:24:52 2017) [sssd[be[EXAMPLE]]] [sysdb_set_entry_attr]
(0x0080): Cannot set ts attrs for
name=DL_RBA_SMBUsersFolders-ReadPerms@ad,cn=groups,cn=EXAMPLE,cn=sysdb
(Mon Sep 11 04:24:52 2017) [sssd[be[EXAMPLE]]]
[sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such
object](32)[ldb_wait: No such object (32)]
(Mon Sep 11 04:24:52 2017) [sssd[be[EXAMPLE]]] [sysdb_set_entry_attr]
(0x0080): Cannot set ts attrs for
name=GG_UserAccountProvisioningAdmins@ad,cn=groups,cn=EXAMPLE,cn=sysdb
(Mon Sep 11 04:24:52 2017) [sssd[be[EXAMPLE]]]
[sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such
object](32)[ldb_wait: No such object (32)]
(Mon Sep 11 04:24:52 2017) [sssd[be[EXAMPLE]]] [sysdb_set_entry_attr]
(0x0080): Cannot set ts attrs for
name=ITSupport@ad,cn=groups,cn=EXAMPLE,cn=sysdb
(Mon Sep 11 04:37:09 2017) [sssd[be[EXAMPLE]]]
[check_if_pac_is_available] (0x0040): find_user_entry failed.
(Mon Sep 11 04:37:09 2017) [sssd[be[EXAMPLE]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service
'EXAMPLE_GC'
(Mon Sep 11 04:37:09 2017) [sssd[be[EXAMPLE]]] [resolv_getsrv_send]
(0x0100): Trying to resolve SRV record of '_ldap._tcp.example.com'
(Mon Sep 11 04:37:09 2017) [sssd[be[EXAMPLE]]]
[resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record
of 'dc07.example.com' in files
(Mon Sep 11 04:37:09 2017) [sssd[be[EXAMPLE]]]
[resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA
record of 'dc07.example.com' in files
(Mon Sep 11 04:37:09 2017) [sssd[be[EXAMPLE]]]
[resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record
of 'dc07.example.com' in DNS
(Mon Sep 11 04:37:15 2017) [sssd[be[EXAMPLE]]]
[fo_resolve_service_timeout] (0x0080): Service resolving timeout
reached
(Mon Sep 11 04:37:26 2017) [sssd[be[EXAMPLE]]]
[sdap_id_conn_data_expire_handler] (0x0080): connection is about to
expire, releasing it
(Mon Sep 11 04:53:16 2017) [sssd[be[EXAMPLE]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service
'EXAMPLE'
(Mon Sep 11 04:53:16 2017) [sssd[be[EXAMPLE]]] [get_server_status]
(0x0100): Hostname resolution expired, resetting the server status of
'dc01.example.com'
(Mon Sep 11 04:53:16 2017) [sssd[be[EXAMPLE]]]
[set_server_common_status] (0x0100): Marking server 'dc01.example.com'
as 'name not resolved'
(Mon Sep 11 04:53:16 2017) [sssd[be[EXAMPLE]]] [collapse_srv_lookup]
(0x0100): Need to refresh SRV lookup for domain
Howden._sites.example.com

John

-- 
John Beranek                         To generalise is to be an idiot.
http://redux.org.uk/                                 -- William Blake
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
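The discussion above is about how sssd picks a domain controller: SRV lookups for the site-scoped name first (the log's "Howden._sites.example.com" line), then the domain-wide `_ldap._tcp.<domain>` name, with servers that fail name resolution marked "name not resolved" and skipped. The script below is an added example, not sssd code and not something posted in this thread: it models that selection with RFC 2782 priority/weight ordering over a constructed, hard-coded SRV zone (the `SAMPLE_ZONE` dictionary, the `resolved` set and the `_ldap._tcp.<site>._sites.<domain>` name shape are assumptions taken from the log lines, not sssd's actual resolver). It shows why pinning `ad_site` keeps the overseas DC out of the candidate list while still allowing failover, which hard-coding a single `ad_server` does not.

```python
"""Site-aware DC selection modelled on the sssd AD provider (added example).

Not sssd code. Assumptions: SRV names follow the shape seen in the log
(_ldap._tcp.<site>._sites.<domain>, then _ldap._tcp.<domain>); the zone
data and the set of resolvable hostnames are constructed for the demo.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample zone (not real DNS data): the Howden site has two
# local DCs; the domain-wide record also lists far-away DCs.
SAMPLE_ZONE = {
    "_ldap._tcp.Howden._sites.example.com": [
        Srv(0, 100, 389, "dc01.example.com"),
        Srv(0, 100, 389, "dc02.example.com"),
    ],
    "_ldap._tcp.example.com": [
        Srv(0, 100, 389, "dc01.example.com"),
        Srv(0, 100, 389, "dc02.example.com"),
        Srv(0, 100, 389, "dc07.example.com"),   # overseas, slow
        Srv(10, 100, 389, "dc09.example.com"),  # lower preference
    ],
}


def srv_names(domain, site=None):
    """SRV names to query, in order: the site-scoped name first when a
    site is pinned (ad_site) or discovered, then the domain-wide name."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.{domain}")
    names.append(f"_ldap._tcp.{domain}")
    return names


def order_srv(records, rng=None):
    """RFC 2782 ordering: ascending priority; within one priority, weighted
    random selection without replacement."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            total = sum(r.weight for r in bucket)
            pick = rng.randint(0, total) if total else 0
            running = 0
            chosen = bucket[0]
            for r in bucket:
                running += r.weight
                if running >= pick:
                    chosen = r
                    break
            ordered.append(chosen)
            bucket.remove(chosen)
    return ordered


def discover_dcs(zone, domain, site=None, resolved=None, seed=0):
    """Walk the SRV names in order, drop targets whose hostname does not
    resolve (the log's 'name not resolved' status), and return the SRV
    name that produced candidates plus the ordered target list.

    `resolved` is the set of hostnames that currently resolve; None means
    everything resolves.
    """
    rng = random.Random(seed)
    for name in srv_names(domain, site):
        records = zone.get(name, [])
        usable = [r for r in records
                  if resolved is None or r.target in resolved]
        if usable:
            return name, [r.target for r in order_srv(usable, rng)]
    return None, []


if __name__ == "__main__":
    print(discover_dcs(SAMPLE_ZONE, "example.com", site="Howden"))
    print(discover_dcs(SAMPLE_ZONE, "example.com"))
    print(discover_dcs(SAMPLE_ZONE, "example.com", site="Howden",
                       resolved={"dc07.example.com", "dc09.example.com"}))
```

With the site pinned, only dc01 and dc02 are candidates; with no site, the overseas dc07 sits in the same priority bucket as the local DCs and can be chosen, which matches the slow first lookup William describes. When every site-local DC fails resolution, the domain-wide record still yields a usable (if slow) DC, so the client degrades rather than hangs. In sssd.conf the equivalent pin is `ad_site = Howden` in the `[domain/...]` section; `ad_server` with `ad_backup_server` is the hard-coded alternative and gives up DNS-based failover beyond the listed hosts.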
