Actually, numerous things are slow (including logins), but the sudo
example is quite easy to reproduce. Am new to SSSD so I'm assuming
this is something I've misconfigured.
Here's my config:

[sssd]
config_file_version = 2
domains = domain.com
services = nss, pam
debug_level = 0
override_space = _

[nss]
debug_level = 0
override_shell = /bin/bash
allowed_shells = /bin/bash, /bin/tcsh
vetoed_shells = /bin/csh
shell_fallback = /bin/bash

[pam]
debug_level = 0

[domain/domain.com]
debug_level = 0
id_provider = ad
; access_provider = ad
; ad_access_filter = memberOf=CN=ISTUnix,DC=domain,DC=com
access_provider = simple
simple_allow_groups = istunix
krb5_realm = DOMAIN.COM
override_homedir = /home/%u
ldap_referrals = false

sudoers is fairly simple -- just defaults save for the following:

%istunix ALL=(ALL) NOPASSWD: ALL

However, when I run 'sudo su -' as a test, it can take 20+ seconds for
it to succeed. Debug logs seem to show SSSD querying many groups. I
can post debug logs if someone thinks they'll be useful -- but am
hoping there's some obvious best practice I'm missing.
Found that I can solve this by using ignore_group_members = true. Not
sure what other impacts this might have, though. More reading...
Ray
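
Added example, not part of the original post: a small Python check for where ignore_group_members sits in an sssd.conf like the one above. It assumes the option is only honoured in [domain/...] sections, as sssd.conf(5) documents it; the audit function and the sample text are constructed for illustration.

```python
import configparser

# Constructed sample: the configuration from the post, trimmed to the
# options this check reads, with the setting the poster found misplaced
# in [nss] to show the failure mode.
SAMPLE = """\
[sssd]
config_file_version = 2
domains = domain.com
services = nss, pam

[nss]
ignore_group_members = true

[domain/domain.com]
id_provider = ad
access_provider = simple
simple_allow_groups = istunix
override_homedir = /home/%u
"""

OPTION = "ignore_group_members"


def audit(conf_text):
    """Return a list of findings about ignore_group_members placement."""
    # interpolation=None: values such as /home/%u are not Python templates.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    # Assumption: the option is a domain option and is not applied elsewhere.
    for section in cp.sections():
        if not section.startswith("domain/") and cp.has_option(section, OPTION):
            findings.append(f"[{section}]: {OPTION} belongs in a [domain/...] section")
    raw = cp.get("sssd", "domains", fallback="")
    for name in (d.strip() for d in raw.split(",") if d.strip()):
        section = f"domain/{name}"
        if not cp.has_section(section):
            findings.append(f"[{section}]: listed in domains but not defined")
        elif cp.get(section, OPTION, fallback="false").strip().lower() != "true":
            findings.append(f"[{section}]: {OPTION} is not enabled")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

With the option enabled, group lookups such as getent group return the group without its member list, while a user's own group list (as reported by id) is still resolved.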