On (01/09/17 09:33), William Edsall wrote:
> Had a few communications with Michal but we're still stuck.
> One issue is that we have dozens of domain controllers globally. A standard
> DNS lookup could give me a domain controller overseas, which will be slow,
> or maybe even a domain controller that isn't responding. As such, I have
> been inserting ad_server = x into the sssd.conf to improve performance.
> I noticed that if I do not insert ad_server = x, I'm getting different
> results. My initial id request is very slow but seems to produce results.
> While searching, it seems to also be 'inserting' users into the users hash
> table - almost as if it's searching and inserting our entire user database?
> For example there are countless lines of the following:
> (Fri Sep 1 09:28:37 2017) [sssd[be[example.com]]] [sdap_nested_group_hash_insert] (0x4000): Inserting [CN=user_name,OU=bla,OU=bla Users,DC=dow,DC=com] into hash table [users]
> As my initial id request returns, it seems to return several chunks of my
> group ids at once, as if it's processing them individually and searching all
> users in that group (thus the above log entries).
> Not sure if this helps or just muddies up the issue, but it's strange indeed.
You needn't hardcode ad_server. You can still rely on DNS discovery.
I assume you use sites in AD. So you can "pin" sssd to your local/nearest site
with the option ad_site.
More details in man sssd-ad -> ad_site