[SSSD-users] sudo very slow

Actually, numerous things are slow (including logins), but the sudo example is quite easy to reproduce. Am new to SSSD so I'm assuming this is something I've misconfigured. Here's my config: [sssd] config_file_version = 2 domains = domain.com services = nss, pam debug_level = 0 override_space = _ [nss] debug_level = 0 override_shell = /bin/bash allowed_shells = /bin/bash, /bin/tcsh vetoed_shells = /bin/csh shell_fallback = /bin/bash [pam] debug_level = 0 [domain/domain.com] debug_level = 0 id_provider = ad ; access_provider = ad ; ad_access_filter = memberOf=CN=ISTUnix,DC=domain,DC=com access_provider = simple simple_allow_groups = istunix krb5_realm = DOMAIN.COM override_homedir = /home/%u ldap_referrals = false sudoers is fairly simple -- just defaults save for the following: %istunix ALL=(ALL) NOPASSWD: ALL However, when I run 'sudo su -' as a test, it can take 20+ seconds for it to succeed. Debug logs seem to show SSSD querying many groups. I can post debug logs if someone thinks they'll be useful -- but am hoping there's some obvious best practice I'm missing. Side note that I kind of prefer using access_provider = ad above in tandem with ad_access_filter as it's 'faster' for most logins (once the info is cached it's faster). It seems that via the simple access provider, logins are slower (I think it queries all groups?). However, doesn't seem that ad_access_filter handles nested groups at all.... Thanks! Ray