On Thu, Mar 05, 2015 at 07:58:01PM +0100, Sumit Bose wrote:
On Thu, Mar 05, 2015 at 09:42:08AM +0100, Sumit Bose wrote:
> On Thu, Mar 05, 2015 at 05:58:11AM +0000, Aviolat Romain wrote:
> > Thanks Lukas for the clarifications.
> >
> > You're right, I'm interested in authenticating against AD, I don't
> > need the group membership attributes. It seems to be the right solution to avoid the
> > caching of lots of groups on the FreeIPA side.
> >
> > If you have any idea how to solve this, don't hesitate.
>
> I got a similar report and I'm working on a patch which should reduce
> the time needed for authentication even with many group-memberships. I
> will prepare a test package when I'm done.
I made a package
(http://koji.fedoraproject.org/koji/taskinfo?taskID=9143634) with a
first small patch which should reduce the number of initgroups requests.
Feel free to test it. I would recommend setting 'pam_id_timeout = 60' in
the [pam] section of sssd.conf to make full use of the patch.
There is a new package at
http://koji.fedoraproject.org/koji/taskinfo?taskID=9155406
This adds a fix for an issue I found in my testing which prevented some
groups from being saved into the cache and hence they must be downloaded all the
time. Additionally it adds some debug code to see what causes the
sysdb_set_entry_attr() errors. Groups with those errors are not saved to
the cache as well and must be downloaded again as well. Feel free to
forward logs with the results to me directly.
Additionally I found the following log/journal message while testing:
sshd[22668]: pam_systemd(sshd:session): Failed to create session: Connection timed out
which caused a 20s delay for the login. After I commented out
pam_systemd in the PAM configuration I got the login time down to about 5s
for a user who is a member of 500 groups. Can you check if you see
similar log messages?
bye,
Sumit
bye,
Sumit
>
> Currently I'm not aware of a good option to tune this. Switching on
> enumeration on the IPA servers might help a bit with the usual drawbacks
> of enumeration.
>
> bye,
> Sumit
>
> >
> > Romain
> >
> > -----Original Message-----
> > From: sssd-users-bounces(a)lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Lukas Slebodnik
> > Sent: mercredi 4 mars 2015 20:58
> > To: dpal(a)redhat.com; End-user discussions about the System Security Services Daemon
> > Subject: Re: [SSSD-users] FreeIPA/SSSD LDAP cross-forest trust slow queries
> >
> > On (04/03/15 14:29), Dmitri Pal wrote:
> > >On 03/04/2015 01:35 PM, Aviolat Romain wrote:
> > >>Hi there,
> > >>
> > >>I played again with the sssd.conf config file and I'm not 100% sure
> > >>that I'm configuring sssd correctly. I'm still trying to tell sssd to ignore the
> > >>SID mapping.
> > >>
> > >>I'm not sure if I should create multiple domains, one for the freeIPA
> > >>domain and one for the ad domain and put specific options into them.
> > >>Like
> > >>
> > >>[domain/ad.mydomain2.net]
> > >>ldap_group_nesting_level = 0
> > >>ignore_group_members = True
> > >>ldap_use_tokengroups = False
> > >>
> > >>[domain/domain1.com]
> > >>Options specific to the FreeIPA domain.
> > >>
> > >>I have also read that all the domains should be listed into the [sssd]
> > >>section.
> > >>
> > >>I can't find info about how to configure this file for multiple
> > >>domains, can someone point me in the right direction?
> > >>
> > >>Thanks for your help
> > >>
> > >>Romain
> > >
> > >OK, If you use SSSD with IPA and IPA is in trust with AD then you just
> > >join client to IdM using realmd or ipa-client-install. In this case
> > >SSSD via configuration should know only about the domain it is joined
> > >to - the IPA one. The AD domains and forests are discovered dynamically
> > >and internally and do not require any configuration in the SSSD.conf
> > >
> > Romain already uses IPA with AD trust.
> >
> > The main problem is that users in his AD are members of many groups which causes
> > big delays when users try to authenticate.
> >
> > If I understand it correctly he is mainly interested in authentication against
> > AD and does not need all group memberships.
> >
> > It would be possible to change it with options ldap_group_nesting_level,
> > ignore_group_members or ldap_use_tokengroups.
> > But I don't know how to change the configuration of the AD subdomain on sssd in ipa
> > server mode.
> >
> > LS
> > _______________________________________________
> > sssd-users mailing list
> > sssd-users(a)lists.fedorahosted.org
> > https://lists.fedorahosted.org/mailman/listinfo/sssd-users
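Romain asks whether every domain has to be listed in the [sssd] section, and Sumit recommends 'pam_id_timeout = 60' in [pam]. As an added example (not code from the thread or from SSSD itself), a small Python lint that checks both points against a constructed sssd.conf with hypothetical domain names:

```python
"""Lint an sssd.conf for the two points raised in the thread: every [domain/...]
section listed under [sssd] domains, and pam_id_timeout set in [pam].
Example code written for this thread, not part of SSSD."""
import configparser

# Constructed sample config: hypothetical domain names, not a real deployment.
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = domain1.com

[pam]

[domain/domain1.com]
id_provider = ipa
ipa_server = ipa.domain1.com

[domain/ad.mydomain2.net]
ldap_group_nesting_level = 0
ignore_group_members = True
ldap_use_tokengroups = False
"""

def lint_sssd_conf(text, recommended_pam_id_timeout=60):
    """Return a list of findings; an empty list means both checks passed."""
    # sssd.conf is INI-style; keep option names as written (no lowercasing)
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    findings = []
    listed = set()
    if cp.has_option("sssd", "domains"):
        listed = {d.strip() for d in cp.get("sssd", "domains").split(",") if d.strip()}
    configured = {s.split("/", 1)[1] for s in cp.sections() if s.startswith("domain/")}
    for dom in sorted(configured - listed):
        findings.append(f"[domain/{dom}] exists but is not listed in [sssd] domains")
    for dom in sorted(listed - configured):
        findings.append(f"{dom} is listed in [sssd] domains but has no [domain/{dom}] section")
    timeout = cp.get("pam", "pam_id_timeout", fallback=None)
    if timeout is None:
        findings.append("[pam] has no pam_id_timeout (the thread suggests 60)")
    elif not timeout.isdigit() or int(timeout) < recommended_pam_id_timeout:
        findings.append(f"pam_id_timeout = {timeout} is below the suggested {recommended_pam_id_timeout}")
    return findings

if __name__ == "__main__":
    for finding in lint_sssd_conf(SAMPLE_CONF):
        print("FINDING:", finding)
```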