On Thu, 2022-08-25 at 19:41 +0100, Sam Morris via FreeIPA-users wrote:
Interesting. After installing sssd on a fresh system there isn't an /etc/sssd/sssd.conf file. I guess ipa-client-install ultimately needs to make sure it's not enabling services that are already enabled via socket activation. Then again I don't know if having duplicates of these responders is actaully causing a problem or whether it just results in a bit of wasted memory and extra log messages.
I think it actually breaks sssd and prevents it or the responders from working properly. If I'm bored, I'll have to try it out again.
No problem. Ubuntu's login script is really idiotic and caused no end of pain for me & my users. But it seems no one is reading the bug reports...
It worked for me. This is awesome. Thanks again.
I took it to the next step and applied an ID View for an AD user to change the user's UID and GID. The user could no longer login and that group enumeration problem popped up again: sssd_idm.domain.com.log was spitting out groups and group members like it was before the change to /etc/bash.bashrc. I couldn't even look up the user anymore. I had to stop sssd, delete everything in /var/lib/sss/db/, unapply the ID View on the host and start sssd to get logins and user lookups working again. :/
You'll also want to tell sssd to not include group members when group info is looking up--that tweak also makes a huge difference the 1st time a user logs in. You want:
ignore_group_members = true subdomain_inherit = ignore_group_members
I did that on the masters. I believe it's helping, but the test Ubuntu 22 client is still slower than a CentOS 7 server I converted from NIS auth to a freeipa client.
BTW, I have 26 masters spread out all over the planet. I'm using ad sites and ipa locations to make sure clients aren't reaching out to sites that are far away. I don't know for sure if this setup is causing any issues, though so far it seems to be OK.