On Fri, Dec 15, 2017 at 03:16:29PM +1100, Tony Delov via FreeIPA-users wrote:
> I've been having difficulties connecting a freeipa-client on Ubuntu 16.06
> LTS, to a Redhat IPA server that has a trusted connection to Microsoft AD
> server.
> 
> Ssh authentications are pretty slow, however, once I do get on, I find sudo
> commands often do not work for several minutes, saying I am "not in the
> sudoers file." This is even though I am in the same group in the
> access.conf file and a sudoers file.
> 
> I think the initial slowness is due to the fact that our AD system has lots
> of groups and I am part of many large groups with many users. I've been
> checking the sssd cache file, and I can see that ssh authentication does
> not even start until almost all groups I am a member of have been added to
> the cache. However, that does not explain why sudo is being delayed as the
> groups are already cached.

I think this might be due to sudo running a PAM transaction and
therefore SSSD preferring to be precise over fast and updating the
groups again.

There will be some performance enhancements coming in 7.5, but in the
meantime, I wonder if the hints at:
    
https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/
would help?

Alternatively, some users restrict the groups they are a member of with
the help of:
  
https://docs.pagure.org/SSSD.sssd/design_pages/subdomain_configuration.html#use-case-1-filtering-users-from-a-specific-ou-in-a-trusted-active-directory-domain
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
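As an added illustration of the "restrict the groups" suggestion (this is not configuration from the list post or from the linked articles): the sssd.conf fragment below, on the IPA client, uses the ignore_group_members and subdomain_inherit options documented in sssd.conf(5) so that SSSD stops downloading the full member list of every group the user belongs to during the group lookup. The domain names, the second domain section and the trusted-domain name are illustrative assumptions.

```ini
# Added example, not from the original post. Assumed IPA domain
# ipa.example.com trusting ad.example.com; adjust to your deployment.
[sssd]
services = nss, pam, ssh, sudo
domains = ipa.example.com

[domain/ipa.example.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = ipa.example.com
ipa_hostname = client.ipa.example.com
cache_credentials = True

# Only fetch the groups the user is a member of, not each group's complete
# member list. Large AD groups are what makes the lookup slow.
ignore_group_members = True

# Apply the same setting to the trusted AD domain(s) reached through the
# IPA trust (subdomain_inherit lists the options passed down to subdomains).
subdomain_inherit = ignore_group_members
```

Caveat: with ignore_group_members the output of `getent group <name>` no longer lists the group's members, although `id <user>` still shows all of the user's groups, so applications that enumerate group membership rather than checking a user's groups may be affected. Test sudo and any access.conf rules after the change, and restart sssd with a cleared cache so old entries are not reused.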