authorSumit Bose <sbose@redhat.com>2015-07-22 15:34:32 +0200
committerJakub Hrozek <jhrozek@redhat.com>2015-07-27 19:01:26 +0200
commitda0eef19ac7b06ef84e29d0ee1506981eafda68e (patch)
tree63abe2a2c3e2aac3e181b25aea1f47766e345874
parent2bffccf990b08fb8ce1c72a0a5092053c8a06e12 (diff)
nss: use negative cache for sid-by-id requestsreview-negcache
Since requests by ID are not assigned to a specific domain, SSSD might check the ID in domains where the ID does not exist even if the ID is already in the sysdb cache of the right domain. For requests where a memory cache is already available, e.g. getpwuid() and getgrgid(), this has no negative impact because the requests are answered directly from the cache most of the time without hitting SSSD. As long as there is no use-case which does not use the memory cache those requests do not need an update. But for requests like sid-by-id, where currently no memory cache is available, there are quite some additional costs, especially for trusted domains. Resolves https://fedorahosted.org/sssd/ticket/2731
-rw-r--r--src/responder/nss/nsssrv_cmd.c55
1 files changed, 55 insertions, 0 deletions
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index 93c9bb81d..4505f2a99 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -1087,6 +1087,7 @@ static void nss_cmd_getby_dp_callback(uint16_t err_maj, uint32_t err_min,
struct cli_ctx *cctx = cmdctx->cctx;
int ret;
bool check_subdomains;
+ struct nss_ctx *nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx);
if (err_maj) {
DEBUG(SSSDBG_OP_FAILURE,
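Review bot: The new `nctx` initialiser uses `talloc_get_type()`, which returns NULL when the private context is not a `struct nss_ctx`, and the second hunk dereferences `nctx->ncache` with no check. Either use `talloc_get_type_abort(cctx->rctx->pvt_ctx, struct nss_ctx)` or test for NULL before the switch that sets the negative cache. The body of nss_cmd_getby_dp_callback starts and ends outside this hunk, so an existing guard elsewhere cannot be ruled out from here.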
@@ -1135,8 +1136,40 @@ static void nss_cmd_getby_dp_callback(uint16_t err_maj, uint32_t err_min,
* here. */
switch (dctx->cmdctx->cmd) {
case SSS_NSS_GETPWUID:
+ ret = sss_ncache_set_uid(nctx->ncache, false, dctx->domain,
+ cmdctx->id);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot set negative cache for UID %"PRIu32"\n",
+ cmdctx->id);
+ }
+ check_subdomains = true;
+ break;
case SSS_NSS_GETGRGID:
+ ret = sss_ncache_set_gid(nctx->ncache, false, dctx->domain,
+ cmdctx->id);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot set negative cache for GID %"PRIu32"\n",
+ cmdctx->id);
+ }
+ check_subdomains = true;
+ break;
case SSS_NSS_GETSIDBYID:
+ ret = sss_ncache_set_uid(nctx->ncache, false, dctx->domain,
+ cmdctx->id);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot set negative cache for UID %"PRIu32"\n",
+ cmdctx->id);
+ }
+ ret = sss_ncache_set_gid(nctx->ncache, false, dctx->domain,
+ cmdctx->id);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot set negative cache for GID %"PRIu32"\n",
+ cmdctx->id);
+ }
check_subdomains = true;
break;
default:
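Review bot: The `SSS_NSS_GETSIDBYID` case records both a UID and a GID negative entry for `cmdctx->id`, so one sid-by-id miss will presumably also answer later by-UID and by-GID checks for that ID in `dctx->domain` until the timeout expires. That is only correct if this switch is reached solely when the backend lookup found the ID as neither user nor group; the guarding condition lies outside the hunk and should be confirmed. A comment would make the intent explicit, e.g. `/* ID is neither a user nor a group in this domain, cache both misses */`. The three cases also repeat the same set-and-log block and the messages omit the domain and `ret`; a small static helper logging `dctx->domain->name` and the error code would remove the duplication and make failed cache writes traceable.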
@@ -4358,6 +4391,28 @@ static errno_t nss_cmd_getsidby_search(struct nss_dom_ctx *dctx)
if (cmdctx->cmd == SSS_NSS_GETSIDBYID) {
DEBUG(SSSDBG_TRACE_FUNC, "Requesting info for [%"PRIu32"@%s]\n",
cmdctx->id, dom->name);
+
+ ret = sss_ncache_check_uid(nctx->ncache, nctx->neg_timeout, dom,
+ cmdctx->id);
+ if (ret == EEXIST) {
+ ret = sss_ncache_check_gid(nctx->ncache, nctx->neg_timeout, dom,
+ cmdctx->id);
+ if (ret == EEXIST) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "ID [%"PRIu32"] does not exist in [%s]! (negative cache)\n",
+ cmdctx->id, dom->name);
+ /* if a multidomain search, try with next, including
+ * sub-domains */
+ if (cmdctx->check_next) {
+ dom = get_next_domain(dom, true);
+ continue;
+ }
+ /* There are no further domains. */
+ ret = ENOENT;
+ goto done;
+ }
+ }
+
} else {
talloc_free(name);
talloc_zfree(sysdb_name);
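Review bot: On the `continue` path `ret` is left at `EEXIST` from `sss_ncache_check_gid()`, so if `get_next_domain()` returns NULL and the enclosing loop ends, the code after the loop must overwrite `ret` or the caller sees `EEXIST` instead of `ENOENT`. The loop and the declaration of `nctx` are outside this hunk, so both need checking against the full function. Any return from the two check calls other than `EEXIST` is treated as "not cached" without a log line; that fails open to a normal lookup, which is safe, but worth a comment. The nested test can be flattened to `if (sss_ncache_check_uid(...) == EEXIST && sss_ncache_check_gid(...) == EEXIST) {` so `ret` is not reused as a scratch value.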