On 28 Jan 2016, at 01:48, James Ralston
<ralston(a)pobox.com> wrote:
Following up on an issue from a while ago…
On Thu, May 14, 2015 at 9:32 PM, Stephen Gallagher <sgallagh(a)redhat.com> wrote:
> [T]he SSSD developers are spending a moderate amount of time dealing
> with bugs in it [enumeration], first of all. Secondly, the
> limitations aren't really clearly spelled out. We probably need to
> expand the manpages to describe how poorly this feature works.
> Right now, it only describes the negative performance impact, but
> not the fact that it simply doesn't work in some environments.
> And the harm to leaving it enabled is that failures in the
> enumeration code are generally *silent* and therefore hard to debug.
> When an enumeration only completes partially, there's no way to
> know. If you have a system that is basing access control on a user
> being in (or not in) a particular group read through enumeration,
> then this may result in a security issue. (Example: you explicitly
> disallow members of the "untrusted" group from accessing sensitive
> machines. However, user jappleseed should be in this group, but
> enumeration didn't pick him up because of a peculiarity of
> cross-realm interaction. Now jappleseed has access to a sensitive
> machine. Ouch.)
After spending many months running with enumeration enabled, we
reached the conclusion that the cost of enumeration wasn't worth it,
and disabled it.
We didn't encounter any of the corner cases where enumeration doesn't
work, silently fails, returns incomplete group information, et al.
But what we *did* notice is that sssd pounded the host when
enumeration was enabled, even if the host was otherwise idle. (We had
a non-trivial number of mostly-idle hosts where sssd had the most CPU
consumption of any service running on the system.)
While it is currently somewhat of a pain to perform iterative
enumeration (due to cache performance issues), for the handful of
hosts where we need to enumerate all AD users and groups, it's
still a better alternative than enabling enumeration in sssd and
having it pound the hosts.
I wonder how this is done. In our case we have the requirement to list the users
that are enabled for a system. Currently, both “getent passwd” and “getent group”
do not show these users without enumeration. I don’t mind doing an iterative
approach from either side (i.e. group or user), but how do I know these users/groups
beforehand so I have a starting position?
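As an added illustration of the iterative, by-name approach James describes (not code from this thread or from the sssd project): a small Python resolver that walks a seed list of group names with direct `getent` lookups, for which `enumerate = false` in sssd.conf is sufficient, and reports every group or member that fails to resolve instead of silently dropping it, which is the gap Stephen's jappleseed example turns on. The seed list, the `getent` wrapper and the sample records are assumptions; where the seed list comes from is exactly the open question above.

```python
"""Seeded, iterative resolution of AD users by name via getent, as an
alternative to sssd's enumerate option; unresolved names are reported,
not dropped, because a silent gap is the failure mode the thread warns of."""
import subprocess
from typing import Callable, Dict, Iterable, Optional, Set, Tuple

def getent(database: str, key: str) -> Optional[str]:
    """Real backend: `getent group NAME` / `getent passwd NAME`; None if unknown."""
    r = subprocess.run(["getent", database, key], capture_output=True, text=True)
    return r.stdout if r.returncode == 0 and r.stdout else None

def parse_group(line: str) -> Tuple[str, int, list]:
    # getent group format: name:passwd:gid:member1,member2,...
    name, _, gid, members = line.rstrip("\n").split(":", 3)
    return name, int(gid), [m for m in members.split(",") if m]

def resolve(seed_groups: Iterable[str],
            lookup: Callable[[str, str], Optional[str]] = getent
            ) -> Tuple[Dict[str, int], Set[str]]:
    """Return (users, unresolved): users maps each member of a seed group to
    its uid; unresolved names every group or member that had no record, so
    access-control code can fail closed instead of trusting an incomplete list."""
    users: Dict[str, int] = {}
    unresolved: Set[str] = set()
    for group in seed_groups:
        line = lookup("group", group)
        if line is None:
            unresolved.add(f"group:{group}")
            continue
        for member in parse_group(line)[2]:
            pw = lookup("passwd", member)
            if pw is None:
                unresolved.add(f"member:{member}")
            else:
                users[member] = int(pw.split(":")[2])  # third field is the uid
    return users, unresolved

# Constructed sample records standing in for getent output; jappleseed is
# deliberately absent from passwd to mimic a lookup that returns nothing.
SAMPLE = {
    ("group", "untrusted"): "untrusted:*:10001:jappleseed,bsmith\n",
    ("group", "admins"): "admins:*:10002:cjones\n",
    ("passwd", "bsmith"): "bsmith:*:20001:10001:B Smith:/home/bsmith:/bin/sh\n",
    ("passwd", "cjones"): "cjones:*:20002:10002:C Jones:/home/cjones:/bin/sh\n",
}

def sample_lookup(database: str, key: str) -> Optional[str]:
    return SAMPLE.get((database, key))
```

Against a live sssd host, call `resolve(seed, getent)` and treat a non-empty `unresolved` set as a reason to deny rather than as noise.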