Phase I of making GNOME ldap awesome complete!



In an effort to improve our ldap resiliency, I've gone ahead and moved
all of our RHEL servers over to sssd[1]. You can find more high-level
info[2] about sssd on the fedora wiki. We're using it to cache ldap
information locally.

For fellow sysadmins, a big change in this is that label now uses
ldap. I did have to manually modify the chkconfig line in
/etc/init.d/sssd to start up before slapd, but that's all. Whenever
slapd is down, it will read info from the sssd cache and all is well.

So that this hits the interwebs, here are a few tips on
troubleshooting and working with sssd:

1.) getent passwd user@LDAP
    [jschroeder@combobox ~]$ getent passwd jschroeder@LDAP
    jschroeder:*:7840:7840::/home/users/jschroeder:/bin/bash

LDAP is the name of the domain I configured for ldap access in
/etc/sssd/sssd.conf. user@LDAP is more of a convenience, but ensures
that the answer really came from LDAP if you're unsure. It works with
any nss database configured to use sssd, such as group (getent group
gnomecvs@LDAP), as well.

2.) If you think something is negatively cached and want to apply a
swift kick to the head of sssd:
    service sssd stop
    \rm /var/lib/sss/db/*
    service sssd start

3.) Verify that sssd is actually enabled:
    [jschroeder@combobox ~]$ grep sss /etc/nsswitch.conf /etc/pam.d/system-auth
    /etc/nsswitch.conf:passwd:     files sss
    /etc/nsswitch.conf:group:      files sss
    /etc/pam.d/system-auth:auth        sufficient    pam_sss.so use_first_pass
    /etc/pam.d/system-auth:account     [default=bad success=ok user_unknown=ignore] pam_sss.so
    /etc/pam.d/system-auth:password    sufficient    pam_sss.so use_authtok
    /etc/pam.d/system-auth:session     sufficient    pam_sss.so

    [root@combobox ~]# service sssd status
    sssd (pid  23914) is running...

4.) When sssd is broken and you want to figure out what exactly it is
doing OR you just want to be nosy and understand more about it:
    a.) Stop the background version of sssd
        # service sssd stop

    b.) Start it up in the foreground in full debugging mode
        # /sbin/logsave sssd-debug.log sssd -d5 -i

    c.) Stop the debug daemon and start system version back after making changes
        # Ctrl-c
        # service sssd start
    You can take the sssd-debug.log and send it to the sssd[1]
upstream developers via their mailing list[3] or irc.freenode.net #sssd
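To go with tips 1 and 3, here is a small POSIX sh script (added here; it is
not from the original post or from the sssd project) that checks the same
wiring the grep in tip 3 shows, and that a qualified user@DOMAIN lookup
resolves to the same uid/gid as the plain name. The file paths default to
the post's /etc/nsswitch.conf and /etc/pam.d/system-auth but can be passed
in, so the checks can be run against copies; the domain name (LDAP in the
post) is an argument. Function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that NSS and PAM
# are wired to sssd, and that user@DOMAIN and the plain user name agree.

# nss_uses_sss FILE DB -> 0 if the "DB:" line (passwd, group, ...) in the
# nsswitch.conf at FILE lists "sss" as a source, 1 otherwise.
# Comments are stripped first so a commented-out line does not count,
# and "sss" must be a whole word so "sssd" or "nsss" does not match.
nss_uses_sss() {
    sed 's/#.*//' "$1" |
        grep -E "^[[:space:]]*$2:.*[[:space:]]sss([[:space:]]|$)" >/dev/null
}

# pam_uses_sss FILE TYPE -> 0 if a live line of the given stack type
# (auth, account, password, session) in the PAM file calls pam_sss.so.
pam_uses_sss() {
    sed 's/#.*//' "$1" |
        grep -E "^[[:space:]]*$2[[:space:]].*pam_sss\.so" >/dev/null
}

# sssd_wiring_check [NSSWITCH] [PAMFILE] -> prints one line per check and
# returns the number of missing pieces (0 means everything is wired up).
sssd_wiring_check() {
    nss=${1:-/etc/nsswitch.conf}
    pam=${2:-/etc/pam.d/system-auth}
    missing=0
    for db in passwd group; do
        if nss_uses_sss "$nss" "$db"; then
            echo "ok      nsswitch $db -> sss"
        else
            echo "MISSING nsswitch $db has no sss source"
            missing=$((missing + 1))
        fi
    done
    for type in auth account password session; do
        if pam_uses_sss "$pam" "$type"; then
            echo "ok      pam $type -> pam_sss.so"
        else
            echo "MISSING pam $type does not call pam_sss.so"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# passwd_field LINE N -> prints field N (1-based) of a passwd(5) line.
passwd_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# same_account LINE_A LINE_B -> 0 if both passwd lines carry the same uid
# and gid. With "files sss" in nsswitch.conf a stale local /etc/passwd
# entry wins over LDAP, and this is the comparison that exposes it.
same_account() {
    [ "$(passwd_field "$1" 3)" = "$(passwd_field "$2" 3)" ] &&
    [ "$(passwd_field "$1" 4)" = "$(passwd_field "$2" 4)" ]
}

# ldap_lookup_agrees USER DOMAIN -> 0 if "getent passwd USER" and
# "getent passwd USER@DOMAIN" describe the same account; 2 if the plain
# name does not resolve, 3 if the qualified one does not. Needs a live
# sssd, so it is only useful on a real host.
ldap_lookup_agrees() {
    plain=$(getent passwd "$1") || return 2
    qualified=$(getent passwd "$1@$2") || return 3
    same_account "$plain" "$qualified"
}

# Usage: ./sssd-check.sh check [nsswitch.conf] [system-auth]
case "${1:-}" in
    check) sssd_wiring_check "$2" "$3" ;;
esac
```

On a host that has just been migrated, `./sssd-check.sh check` should print
six "ok" lines; a nonzero exit status counts the pieces still missing, and
`ldap_lookup_agrees jschroeder LDAP` catches the case where the name the
system resolves is a leftover local account rather than the LDAP one.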

That's all for now, folks! Let me/gnome-infrastructure know if you have
any issues logging into gnome servers (that you had access to before).

[1] https://fedorahosted.org/sssd/
[2] http://fedoraproject.org/wiki/Features/SSSD
[3] https://fedorahosted.org/mailman/listinfo/sssd-devel

Here are a few examples of me testing the cache this evening when
migrating things over:
===============================================
[root@label ~]# time id jschroeder
uid=7840(jschroeder) gid=7840(jschroeder)
groups=7840(jschroeder),10(wheel),521(jabber),504(snowy),506(sysadmin),2186(gnomeweb),513(mailusers),524(foundation),70(avahi),525(gitadmin),501(accounts)

real	0m4.179s
user	0m0.002s
sys	0m0.004s
[root@label ~]# time id jschroeder
uid=7840(jschroeder) gid=7840(jschroeder)
groups=7840(jschroeder),10(wheel),521(jabber),504(snowy),506(sysadmin),2186(gnomeweb),513(mailusers),524(foundation),70(avahi),525(gitadmin),501(accounts)

real	0m0.012s
user	0m0.003s
sys	0m0.001s

[root@bugzilla-web ~]# time id jschroeder
uid=7840(jschroeder) gid=7840(jschroeder)
groups=7840(jschroeder),10(wheel),2186(gnomeweb),506(sysadmin),504(snowy),501(accounts),513(mailusers),70(avahi),525(gitadmin),524(foundation)

real	0m0.381s
user	0m0.000s
sys	0m0.000s
[root@bugzilla-web ~]# time id jschroeder
uid=7840(jschroeder) gid=7840(jschroeder)
groups=7840(jschroeder),10(wheel),2186(gnomeweb),506(sysadmin),504(snowy),501(accounts),513(mailusers),70(avahi),525(gitadmin),524(foundation)

real	0m0.012s
user	0m0.004s
sys	0m0.000s
[root@bugzilla-web ~]# time id jschroeder
uid=7840(jschroeder) gid=7840(jschroeder)
groups=7840(jschroeder),10(wheel),2186(gnomeweb),506(sysadmin),504(snowy),501(accounts),513(mailusers),70(avahi),525(gitadmin),524(foundation)

real	0m0.012s
user	0m0.000s
sys	0m0.000s
[root@bugzilla-web ~]# time id jschroeder
uid=7840(jschroeder) gid=7840(jschroeder)
groups=7840(jschroeder),10(wheel),2186(gnomeweb),506(sysadmin),504(snowy),501(accounts),513(mailusers),70(avahi),525(gitadmin),524(foundation)

real	0m0.012s
user	0m0.000s
sys	0m0.000s
[root@bugzilla-web ~]# getent passwd jschroeder@LDAP
jschroeder:*:7840:7840::/home/users/jschroeder:/bin/bash
[root@bugzilla-web ~]#
[root@combobox ~]# time groups jschroeder
jschroeder : jschroeder wheel snowy accounts mailusers gnomeweb sysadmin avahi gitadmin foundation

real	0m0.246s
user	0m0.003s
sys	0m0.005s
[root@combobox ~]# time groups jschroeder
jschroeder : jschroeder wheel snowy accounts mailusers gnomeweb sysadmin avahi gitadmin foundation

real	0m0.012s
user	0m0.002s
sys	0m0.004s
[root@combobox ~]# time groups jschroeder
jschroeder : jschroeder wheel snowy accounts mailusers gnomeweb sysadmin avahi gitadmin foundation

real	0m0.012s
user	0m0.002s
sys	0m0.002s
===============================================

-- 
Jeff Schroeder

Don't drink and derive, alcohol and analysis don't mix.
http://www.digitalprognosis.com
