Ok, i have this conf in EL7 envirement. sssd-1.12.2-58.el7.x86_64. In el7 sssd can work something out?

entry_cache_sudo_timeout is useful or do i need refresh_expired_interval?




Вторник, 21 июля 2015, 11:37 +02:00 от Jakub Hrozek <jhrozek@redhat.com>:

On Tue, Jul 21, 2015 at 12:29:39PM +0300, Евгений wrote:
> Hi :)
>
> 1) sssd in this thread is  -  sssd-1.11.6-30.el6_6.4.x86_64
> 2) sssd_nss.log:
>
> many,many requests...
> (sample)
>
> (Mon Jul 20 18:58:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [_hd_notice@domain.local]
> (Mon Jul 20 18:58:02 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x418850:1:_hd_notice@domain.local]
> (Mon Jul 20 18:58:02 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [domain.local][4097][1][name=_hd_notice]
> (Mon Jul 20 18:58:02 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x418850:1:_hd_notice@domain.local]
> Cant load all logs:)

Did you check how long a single group typically takes? Since you're
already using ignore_group_members, it should be pretty swift.

>
> So,problem is a user who has a lot of nested groups in AD. 
> 2) 
> If you're running a recent enough version, maybe the background refresh
> would be useful..
>
> refresh_expired_interval?

Yes, but you're running RHEL/CentOS 6.6, that's not recent enough,
sorry. The background refresh will be released in 6.7 (which is supposed
to be out Any Day Now)
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users