SSSD freezes gnome-terminal #7797

Open
justin1703 opened this issue Jan 15, 2025 · 11 comments

@justin1703

Hello :) ,

I am using SSSD version 2.9.4 on Ubuntu 24.04. I have the issue that sometimes when I open my Terminal it will just stay blank for a couple of minutes and the sssd_domain.log will search for all users and groups in our domain. On a different device with Ubuntu 22.04 and SSSD version 2.6.3 the problem doesn't occur; sssd doesn't seem to search the whole domain and just enters the user's command line.
We are using AD authentication and the problem happens every time the cache is cleared, but also randomly afterwards even though the cache is set to stay 90 min. I can't check if the cache is empty at that point and I am not sure if there is a way to check that.

Thanks in advance for your help!

Here is my sssd-config:


[sssd]
debug_level = 2
config_file_version = 2
domains = our-domain
services = nss, pam, ifp, pac
enable_files_domain = false


[nss]
filter_users = root
filter_groups = root
enum_cache_timeout = 30
user_attributes = +loginShell, +unixHomeDirectory, +gecos, +uidNumber, +gidNumber, +SSHPublicKeys
fallback_homedir = /home/%u
default_shell = /bin/bash
ignore_group_members = false

[pam]
offline_credentials_expiration = 365
pam_id_timeout = 30

[ifp]
user_attributes = +loginShell, +unixHomeDirectory, +gecos, +uidNumber, +gidNumber, +gk-SSHPublicKeys

[pac]

[domain/local]
ad_domain = local
id_provider = files
use_fully_qualified_names = true
fallback_homedir = /home/%u
default_shell = /bin/bash

# For offline access
cache_credentials = true
entry_cache_timeout = 5400

[domain/our-domain]
debug_level = 9
dns_discovery_domain =  site._sites.dc._msdcs.our-domain
ldap_user_search_base = ou=Employees,ou=Benutzer,dc=our-domain
ldap_group_search_base = ou=Groups,ou=Benutzer,dc=our-domain

# Timeout
ldap_opt_timeout = 15       
ldap_search_timeout = 15  
ldap_network_timeout = 15    
timeout = 15      

# Domain auth
ad_domain = our-domain
id_provider = ad
auth_provider = ad
ldap_schema = ad
chpass_provider = ad
access_provider = ad
ad_enabled_domains = our-domain

# config sssd kerberos
krb5_store_password_if_offline = true
krb5_keytab=/etc/krb5.keytab
krb5_realm = our-domain
krb5_server = our-domain
krb5_auth_timeout = 30

# Don't use global catalog
ad_enable_gc = false

# For offline access
cache_credentials = true
entry_cache_timeout = 5400

# Turn off the global policy access
ad_gpo_access_control = disabled

# Turn off full user and group enumeration of ad
enumerate = false

# Let's trust our domain controllers to be fully replicated
ldap_referrals = false

# Defaults
default_shell = /bin/bash
fallback_homedir = /home/%u

# Define the domain SID for fixed Domainslot Calculation
ldap_idmap_default_domain_sid = S-1-5-21-1343024091-746137067-842925246

# Use POSIX UIDs and GIDs set on the AD side
ldap_id_mapping = true

# CN for public keys

# Use short usernames
use_fully_qualified_names = false

# We use static DNS for Linux
dyndns_update = false
dyndns_update_ptr = false

# enumerate groups
ignore_group_members = false
ldap_use_tokengroups = false

# Turn off login cache cleanup
ldap_purge_cache_timeout = 0

subdomain_enumerate = none
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout

# Turn off non-working features
enable_files_domain = false

@alexey-tikhonov
Member

alexey-tikhonov commented Jan 15, 2025

Hi.

ignore_group_members = false

Any reason you can't use 'true'?

@alexey-tikhonov
Member

And why ldap_use_tokengroups = false?

@justin1703
Author

I did change these values to true. But the issue still happens. Sometimes when I open up a new Terminal the sssd_domain.log will show a bunch of actions (debug level 9), which shows that it is searching for a bunch of stuff in the AD.

@alexey-tikhonov
Member

alexey-tikhonov commented Jan 16, 2025

How large is the list of groups the user is a member of?

@justin1703
Author

The user is in 34 Groups.

@alexey-tikhonov
Member

34 groups and 'ignore_group_members = true' shouldn't be a reason for lags (if the network connection is fine).

One needs to enable and inspect sssd logs.

@justin1703
Author

Ok, I will take a closer look at the sssd.log. But I also have a question in relation to this topic. Is it normal that when I open a terminal that the sssd_domain.log makes so many requests? As already mentioned, this does not happen with Ubuntu 22.04 and SSSD 2.6.3. Just out of interest, I will post the log as soon as the problem occurs.

@alexey-tikhonov
Member

sssd.log

sssd_$domain.log and sssd_nss.log

@justin1703
Author

Hello, so I checked the logs and the nss.log seems to have the same issue every time this behavior appears. It's the following:

(2025-01-20 11:21:21): [nss] [cache_req_common_process_dp_reply] (0x3f7c0): [CID#199] CR #1961: Could not get account info [1432158212]: SSSD is offline
(2025-01-20 11:21:21): [nss] [cache_req_common_process_dp_reply] (0x3f7c0): [CID#199] CR #1966: Could not get account info [1432158212]: SSSD is offline
(2025-01-20 11:21:21): [nss] [cache_req_common_process_dp_reply] (0x3f7c0): [CID#199] CR #1967: Could not get account info [1432158212]: SSSD is offline
(2025-01-20 11:21:21): [nss] [cache_req_common_process_dp_reply] (0x3f7c0): [CID#199] CR #1968: Could not get account info [1432158212]: SSSD is offline
(2025-01-20 11:21:21): [nss] [cache_req_common_process_dp_reply] (0x3f7c0): [CID#199] CR #1969: Could not get account info [1432158212]: SSSD is offline
(2025-01-20 11:21:21): [nss] [cache_req_common_process_dp_reply] (0x3f7c0): [CID#199] CR #1970: Could not get account info [1432158212]: SSSD is offline
(2025-01-20 11:21:21): [nss] [cache_req_common_process_dp_reply] (0x3f7c0): [CID#199] CR #1971: Could not get account info [1432158212]: SSSD is offline
(2025-01-20 11:21:21): [nss] [cache_req_common_process_dp_reply] (0x3f7c0): [CID#199] CR #1972: Could not get account info [1432158212]: SSSD is offline
(2025-01-20 11:21:21): [nss] [cache_req_common_process_dp_reply] (0x3f7c0): [CID#199] CR #1973: Could not get account info [1432158212]: SSSD is offline
(2025-01-20 11:21:21): [nss] [cache_req_common_process_dp_reply] (0x3f7c0): [CID#199] CR #1974: Could not get account info [1432158212]: SSSD is offline
(2025-01-20 11:21:21): [nss] [cache_req_common_process_dp_reply] (0x3f7c0): [CID#199] CR #1975: Could not get account info [1432158212]: SSSD is offline
(2025-01-20 11:21:23): [nss] [cache_req_common_process_dp_reply] (0x3f7c0): [CID#199] CR #1976: Data Provider Error: 1, 0, Group lookup failed
(2025-01-20 11:21:23): [nss] [cache_req_common_process_dp_reply] (0x3f7c0): [CID#199] CR #1977: Could not get account info [1432158212]: SSSD is offline
(2025-01-20 11:21:23): [nss] [cache_req_common_process_dp_reply] (0x3f7c0): [CID#199] CR #1978: Could not get account info [1432158212]: SSSD is offline
(2025-01-20 11:21:23): [nss] [cache_req_common_process_dp_reply] (0x3f7c0): [CID#199] CR #1979: Could not get account info [1432158212]: SSSD is offline
(2025-01-20 11:21:23): [nss] [cache_req_common_process_dp_reply] (0x3f7c0): [CID#199] CR #1984: Could not get account info [1432158212]: SSSD is offline
(2025-01-20 11:21:23): [nss] [cache_req_common_process_dp_reply] (0x3f7c0): [CID#199] CR #1990: Could not get account info [1432158212]: SSSD is offline
(2025-01-20 11:21:23): [nss] [cache_req_common_process_dp_reply] (0x3f7c0): [CID#199] CR #1996: Could not get account info [1432158212]: SSSD is offline
(2025-01-20 11:21:23): [nss] [cache_req_common_process_dp_reply] (0x3f7c0): [CID#199] CR #2017: Could not get account info [1432158212]: SSSD is offline
(2025-01-20 11:21:23): [nss] [cache_req_search_cache] (0x0020): [CID#199] CR #2041: Multiple objects were found when only one was expected!

The sssd offline appears even when the system itself is online.

@justin1703
Author

Note: this was after I cleared the cache with sss_cache -E. If the cache seems to be full I get the following message:

(2025-01-20 13:22:00): [nss] [cache_req_search_cache] (0x0020): [CID#467] CR #4818: Multiple objects were found when only one was expected!

@alexey-tikhonov
Member

Is this log what you called "the sssd_domain.log will search for all users and groups in our domain"?
Doesn't seem so.

Also, the log covers 2 seconds - this doesn't match "when I open my Terminal it will just stay blank for a couple minutes".

If you want to figure out the reason for "SSSD is offline" - look into the domain log.

I tend to close this ticket.

It doesn't have any clear bug report.
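
An added example, not part of the thread and not SSSD project code: a small Python triage script that groups cache_req entries like the ones pasted above by client ID (CID) and reports the time span they cover, the number of distinct requests (CR) and a tally of messages, which is the check done by eye in the reply above. The sample input is constructed, with made-up CID and CR numbers, and the regex assumes only the entry layout visible in this thread.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Entry layout as seen in the sssd_nss.log excerpt in this thread:
#   (timestamp): [service] [function] (level): [CID#n] CR #m: message
# \s+ inside the timestamp and the lookahead let it read pasted logs whose
# newlines were lost or moved; entries without CID/CR fields are skipped.
ENTRY_RE = re.compile(
    r"\((\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2})\): \[(\w+)\] \[(\w+)\] "
    r"\((0x[0-9a-f]+)\): \[CID#(\d+)\] CR #(\d+): (.*?)"
    r"(?=\s*\(\d{4}-\d{2}-\d{2}\s|\s*\Z)",
    re.S,
)

def summarize(text):
    """Per client ID: first/last timestamp, span, request count, message tally."""
    groups = defaultdict(lambda: {"times": [], "crs": set(), "messages": Counter()})
    for ts, _svc, _func, _level, cid, cr, msg in ENTRY_RE.findall(text):
        g = groups[int(cid)]
        g["times"].append(datetime.strptime(" ".join(ts.split()), "%Y-%m-%d %H:%M:%S"))
        g["crs"].add(int(cr))
        g["messages"][" ".join(msg.split())] += 1
    report = {}
    for cid, g in groups.items():
        first, last = min(g["times"]), max(g["times"])
        report[cid] = {
            "first": first,
            "last": last,
            "span_seconds": int((last - first).total_seconds()),
            "requests": len(g["crs"]),
            "messages": g["messages"],
        }
    return report

# Constructed sample: CID/CR numbers are invented; two entries are run together
# on one line and one timestamp is split by a newline, as in a bad paste.
_HEAD = "[nss] [cache_req_common_process_dp_reply] (0x3f7c0): [CID#7] "
SAMPLE = (
    "(2025-01-20 11:21:21): " + _HEAD + "CR #101: Could not get account info [1432158212]: SSSD is offline "
    "(2025-01-20 11:21:21): " + _HEAD + "CR #102: Could not get account info [1432158212]: SSSD is offline\n"
    "(2025-01-20 \n11:21:23): " + _HEAD + "CR #103: Data Provider Error: 1, 0, Group lookup failed\n"
    "(2025-01-20 11:21:23): [nss] [cache_req_search_cache] (0x0020): [CID#7] CR #104: "
    "Multiple objects were found when only one was expected!\n"
)

if __name__ == "__main__":
    for cid, info in summarize(SAMPLE).items():
        print(f"CID#{cid}: {info['requests']} requests over {info['span_seconds']}s")
        for message, count in info["messages"].most_common():
            print(f"  {count:3d}  {message}")
```

A span of a few seconds for the CID that belongs to the frozen terminal means the delay is not visible in that log, and the domain log for the same time window is the next place to look.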
