On Fri, Dec 15, 2017 at 03:16:29PM +1100, Tony Delov via FreeIPA-users wrote:
> I've been having difficulties connecting a freeipa-client on Ubuntu 16.06
> LTS to a Redhat IPA server that has a trusted connection to a Microsoft AD
> server.
>
> Ssh authentications are pretty slow; however, once I do get on, I find sudo
> commands often do not work for several minutes, saying I am "not in the
> sudoers file." This is even though I am in the same group in the access.conf
> file and the sudoers file.
>
> I think the initial slowness is due to the fact that our AD system has lots
> of groups and I am part of many large groups with many users. I've been
> checking the sssd cache file, and I can see that ssh authentication does
> not even start until almost all groups I am a member of have been added to
> the cache. However, that does not explain why sudo is being delayed, as the
> groups are already cached.
I think this might be due to sudo running a PAM transaction and therefore SSSD preferring to be precise over fast and updating the groups again. There will be some performance enhancements coming in 7.5, but in the meantime, I wonder if the hints at:

https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/

would help?

Alternatively, some users restrict the groups they are a member of with the help of:

https://docs.pagure.org/SSSD.sssd/design_pages/subdomain_configuration.html#use-case-1-filtering-users-from-a-specific-ou-in-a-trusted-active-directory-domain
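As an added illustration (not part of this thread, and not configuration from either poster), the sssd.conf fragment below sketches the two kinds of tuning the reply points at: limiting how much group data the IPA client pulls for users from the trusted AD domain, and letting a PAM conversation such as sudo's reuse the identity lookup it already made instead of refreshing the user's groups again. The domain names and OU paths are placeholders, and the specific values are assumptions to be checked against the sssd.conf(5) man page for the SSSD version actually installed on the client.

```ini
# /etc/sssd/sssd.conf on the IPA client (illustrative; names are placeholders)
[sssd]
services = nss, pam, sudo, ssh
domains = ipa.example.test

[pam]
# Seconds for which a single PAM conversation (sudo, sshd) reuses the identity
# lookup already performed, rather than re-fetching the user's group list on
# every PAM request. The default is short; raising it trades freshness for speed.
pam_id_timeout = 30

[domain/ipa.example.test]
id_provider = ipa
ipa_server = _srv_, ipa.example.test
ipa_domain = ipa.example.test
# Do not download the full member list of every group the user belongs to.
# The user's own memberships (initgroups) are still resolved, so group-based
# access.conf and sudoers rules keep working, but group-to-member lookups
# will not list members.
ignore_group_members = True
# Apply the same setting to the trusted AD domains served through this IPA domain.
subdomain_inherit = ignore_group_members

# Trusted-domain section: only resolve AD users and groups under chosen OUs.
# Users outside these search bases will no longer resolve (and so cannot log in).
[domain/ipa.example.test/ad.example.test]
ldap_user_search_base = ou=Linux Users,dc=ad,dc=example,dc=test
ldap_group_search_base = ou=Linux Groups,dc=ad,dc=example,dc=test
```

After changing the file, restart SSSD and invalidate the cache (`sss_cache -E`) so the narrowed search bases and the `ignore_group_members` setting take effect, then confirm with `id someuser@ad.example.test` that the memberships you rely on for access.conf and sudo are still returned before rolling the change out widely. Narrowing the search bases is also a least-privilege measure: only the AD principals you intend to grant Linux access are visible to the client at all.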