On Fri, Dec 15, 2017 at 03:16:29PM +1100, Tony Delov via FreeIPA-users wrote:
I've been having difficulties connecting a freeipa-client on Ubuntu 16.06 LTS
to a Redhat IPA server that has a trusted connection to a Microsoft AD server.
Ssh authentications are pretty slow; however, once I do get on, I find sudo
commands often do not work for several minutes, saying "not in the sudoers
file." This is even though I am in the same group in the access.conf file and
a sudoers file.
I think the initial slowness is due to the fact that our AD system has lots
of groups and I am part of many large groups with many users. I've been
checking the sssd cache file, and I can see that ssh authentication does
not even start until almost all groups I am a member of have been added to
the cache. However, that does not explain why sudo is being delayed as the
groups are already cached.
I think this might be due to sudo running a PAM transaction and
therefore SSSD preferring to be precise over fast and updating the
groups again.
There will be some performance enhancements coming in 7.5, but in the
meantime, I wonder if the hints at:
https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-larg...
would help?
Alternatively, some users restrict the groups they are a member of with
the help of:
https://docs.pagure.org/SSSD.sssd/design_pages/subdomain_configuration.ht...
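For readers who want to see what the group-related tuning looks like in practice, here is an added sssd.conf illustration. It is not from the thread, the linked pages or the SSSD project's own documentation; the domain and host names are placeholders, and which of these options the linked articles actually recommend is an assumption on my part. The options themselves (ignore_group_members, subdomain_inherit, ldap_purge_cache_timeout) are documented sssd.conf settings.

```ini
# /etc/sssd/sssd.conf on the IPA-enrolled client (added illustration, not from the thread).
# "ipa.example.com" and "client.ipa.example.com" are placeholder names.
[sssd]
services = nss, pam, ssh, sudo
domains = ipa.example.com

[domain/ipa.example.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = ipa.example.com
ipa_hostname = client.ipa.example.com

# Large-group tuning (assumed to be among the hints linked above):
# skip downloading the full member list of every group the user belongs to.
# The user-to-groups mapping (initgroups), which sudo and access.conf rely on,
# is still resolved.
ignore_group_members = True
# Propagate the same setting to the trusted AD subdomain(s) reached through IPA.
subdomain_inherit = ignore_group_members
# Disable the periodic cache purge, which can trigger slow bulk re-lookups.
ldap_purge_cache_timeout = 0
```

Caveat before enabling this: with ignore_group_members set, group-to-member lookups such as `getent group <adgroup>` return an empty member list, so anything that enumerates a group's members rather than a user's groups will stop seeing AD users. Check that `id <aduser>` still lists the expected groups after `systemctl restart sssd` and a cache clear (`sss_cache -E`), and only then re-test the sudo latency.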