On Thu, Dec 19, 2013 at 11:42:54AM -0500, Dmitri Pal wrote:
> I do not think it searches for sudo information. On every login SSSD
> refreshes data about user and groups to be able to serve most recent
> information about a user.
> The volume of the searches is probably related to the resolution of the
> nested groups and group membership which indicates to me that you are
> using LDAP back end rather than an AD back end for AD communication.
> sssd.conf would be helpful to prove this theory.
> If it is true then there are two issues:
> a) Many lookups - switch to AD back end for that
> b) sudo is not working - does it or you are just concerned about the noise?

Right, I also suspect the noise is due to initgroups or looking up other
information about the user or his groups. I suspect the latter, because
initgroups are really fast with ID mapping and in the log snippet I saw
a request by SID.
It would be nice to also see what's in the sssd_nss log, then we might
see what requests exactly come to the SSSD.