SSSD keeps retrieving LDAP groups while online, degrading performance (no matter what settings I try)
by Robert Wagensveld
Hi all,
We've been using SSSD for a while successfully in our Kerberos over LDAP enterprise environment. However, our SSSD online query time, especially over VPN, is very poor: usually each login or sudo request takes about 1 minute. There does not seem to be a way around it, not even forcing SSSD to use the cache for a while when it is online again. entry_cache_timeout does not help. Is there anything I'm missing? Some configuration options I do not know about yet?
[sssd]
config_file_version = 2
services = nss, pam, ifp
domains = company.nl
debug_level = 9
[nss]
entry_cache_nowait_percentage = 5
filter_groups = root
filter_users = root
debug_level = 9
[pam]
offline_failed_login_attempts = 3
offline_failed_login_delay = 30
debug_level = 9
[domain/company.nl]
debug_level = 9
id_provider = ldap
ignore_group_members = true
auth_provider = krb5
chpass_provider = krb5
access_provider = permit
cache_credentials = true
min_id = 1000
entry_cache_timeout = 28800
krb5_realm = COMPANY.NL
krb5_canonicalize = false
krb5_renewable_lifetime = 24h
krb5_renew_interval = 6h
krb5_server = dc03.company.nl
krb5_store_password_if_offline = true
krb5_ccname_template = FILE:%d/krb5cc_%U
ldap_uri = ldap://dc03.company.nl
ldap_search_base = DC=Company,DC=nl
ldap_user_search_base = OU=CompanyCompany,DC=nl
ldap_group_search_base = OU=Company,DC=Company,DC=nl??
ldap_referrals = false
enumerate = false
ldap_force_upper_case_realm = true
ldap_schema = rfc2307bis
ldap_id_use_start_tls = false
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_sasl_canonicalize = true
ldap_sasl_mech = GSSAPI
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_gecos = gecos
ldap_user_shell = loginShell
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = nonExistingAttribute
ldap_group_object_class = group
ldap_group_name = cn
ldap_group_gid_number = gidNumber
ldap_group_member = member
2 years, 4 months
Samba filesharing, ssh and sssd
by Harald 11
Hello!
I am using sssd 2.4 with Debian 11.
I am trying to set up a Samba server within a Samba ADS domain. I tried several approaches: sssd with the ad and ldap configurations, and Samba with the ad, sss and nss backends.
The basic setup with sssd went well; login via ssh works. UID and GID are fine too. But I cannot get Samba to run well: either my user can't access the server and see shares, or I can access shares but the UID and GID are wrong.
Which way is best to get ssh and samba running with sssd?
2 years, 4 months