Actually, numerous things are slow (including logins), but the sudo
example is quite easy to reproduce. Am new to SSSD so I'm assuming
this is something I've misconfigured.
Here's my config:
[sssd]
config_file_version = 2
domains = domain.com
services = nss, pam
debug_level = 0
override_space = _
[nss]
debug_level = 0
override_shell = /bin/bash
allowed_shells = /bin/bash, /bin/tcsh
vetoed_shells = /bin/csh
shell_fallback = /bin/bash
[pam]
debug_level = 0
[domain/domain.com]
debug_level = 0
id_provider = ad
; access_provider = ad
; ad_access_filter = memberOf=CN=ISTUnix,DC=domain,DC=com
access_provider = simple
simple_allow_groups = istunix
krb5_realm = DOMAIN.COM
override_homedir = /home/%u
ldap_referrals = false
sudoers is fairly simple -- just defaults save for the following:
%istunix ALL=(ALL) NOPASSWD: ALL
However, when I run 'sudo su -' as a test, it can take 20+ seconds for
it to succeed. Debug logs seem to show SSSD querying many groups. I
can post debug logs if someone thinks they'll be useful -- but am
hoping there's some obvious best practice I'm missing.
Side note that I kind of prefer using access_provider = ad above in
tandem with ad_access_filter as it's 'faster' for most logins (once the
info is cached it's faster). It seems that via the simple access
provider, logins are slower (I think it queries all groups?). However,
doesn't seem that ad_access_filter handles nested groups at all....
Thanks!
Ray