I want to get some links to the relevant bugs into this old thread for the benefit of
anyone finding this thread in the archives...
> Currently if I do not set "ignore_group_members = True" in sssd.conf,
> logins can take upwards of 6 minutes and "sssd_be" will max the CPU for
> up to 20 minutes after logon, which makes it a non-starter. The reason
> I want to allow group members to be seen is that I want certain domain
> groups to be able to perform elevated actions using polkit. If I ignore
> group members, polkit reports that the group is empty and so no one can
> elevate in the graphical environment.
> I would say here polkit could be improved in addition to sssd. If polkit
> is calling getgr* to find if a user is a member of a certain group it's
> neither going to be precise nor will that work on large environments.
> Did you ask on a polkit list why it's evaluating membership in a group
> with getgr*?
I think Polkit does this so that it can provide the authentication agent with a list of
users for the user to choose from.
There's this on sssd-devel:
https://lists.freedesktop.org/archives/polkit-devel/2016-November/000514.... and this in
Red Hat's Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1214026
And there's this Polkit issue:
https://gitlab.freedesktop.org/polkit/polkit/-/issues/24
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
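As an added illustration of the point made in the thread (my own example, not code from the thread, from polkit, or from sssd), here are the two ways of answering "is this user in that group": enumerating the group's member list via getgrnam, which is the getgr* approach the reply above criticises, versus resolving the user's own group list with getgrouplist, which needs no enumeration. It assumes a Unix host with a `root` account and `root` group in the local passwd/group databases.

```python
import grp
import os
import pwd


def member_via_enumeration(user: str, group: str) -> bool:
    """The getgr*-style check: fetch the group's member list and scan it.

    On a large directory this pulls every member across the network (the
    slow logins and busy sssd_be from the thread), with sssd's
    ignore_group_members = True the list is empty so it always says "no",
    and it also misses users whose primary GID is this group, because
    gr_mem only lists supplementary members.
    """
    try:
        g = grp.getgrnam(group)
    except KeyError:
        return False
    return user in g.gr_mem


def member_via_user_groups(user: str, group: str) -> bool:
    """The user-centric check: ask which groups this user belongs to
    (initgroups/getgrouplist semantics) and compare GIDs.

    Only the user's own memberships are resolved, so no group is
    enumerated, and primary-group membership is covered too.
    """
    try:
        pw = pwd.getpwnam(user)
        g = grp.getgrnam(group)
    except KeyError:
        return False
    return g.gr_gid in os.getgrouplist(pw.pw_name, pw.pw_gid)


if __name__ == "__main__":
    # Constructed sample: root's primary group is root, so the enumeration
    # check typically answers False while the user-centric check answers True.
    for fn in (member_via_enumeration, member_via_user_groups):
        print(f"{fn.__name__}('root', 'root') -> {fn('root', 'root')}")
```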