Вторник, 28 июля 2015, 21:46 -07:00 от Ray Van Dolson <rvandolson@esri.com>:

On Tue, Jul 28, 2015 at 09:07:51PM -0700, Ray Van Dolson wrote:
> Actually, numerous things are slow (including logins), but the sudo
> example is quite easy to reproduce. Am new to SSSD so I'm assuming
> this is something I've misconfigured.
>
> Here's my config:
>
> [sssd]
> config_file_version = 2
> domains = domain.com
> services = nss, pam
> debug_level = 0
> override_space = _
>
> [nss]
> debug_level = 0
> override_shell = /bin/bash
> allowed_shells = /bin/bash, /bin/tcsh
> vetoed_shells = /bin/csh
> shell_fallback = /bin/bash
>
> [pam]
> debug_level = 0
>
> [domain/domain.com]
> debug_level = 0
> id_provider = ad
> ; access_provider = ad
> ; ad_access_filter = memberOf=CN=ISTUnix,DC=domain,DC=com
> access_provider = simple
> simple_allow_groups = istunix
> krb5_realm = DOMAIN.COM
> override_homedir = /home/%u
> ldap_referrals = false
>
> sudoers is fairly simple -- just defaults save for the following:
>
> %istunix ALL=(ALL) NOPASSWD: ALL
>
> However, when I run 'sudo su -' as a test, it can take 20+ seconds for
> it to succeed. Debug logs seem to show SSSD querying many groups. I
> can post debug logs if someone thinks they'll be useful -- but am
> hoping there's some obvious best practice I'm missing.

Found that I can solve this by using ignore_group_members = true. Not
sure what other impacts this might have, though. More reading...

Ray
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users