Thanks for your answer.
Sumit Bose <sbose(a)redhat.com> wrote:
> Michael Ströder wrote:
> > I'm currently trouble-shooting performance issues on CentOS 6.10 running
> > sssd 1.13.3 using sssd-ad as backend.
> > Enumeration is already disabled.
> > Also these options were set (DNS names obfuscated):
> > ad_enabled_domains = ad1.example.com
> > ad_server = dc1.ad1.example.com
> > ad_enable_dns_sites = false
> > Looking sssd still asks various naming contexts of the *many* other
> > trusted domains.
> > Any clue how to effectively disable all "foreign" lookups?
> ad_enabled_domains will ignore requests looking up users and groups from
> domains not listed but I guess if a user from domain ad1.example.com
> a member of a group from ad2.example.com
> this group will still be looked
> Fortunately every group needed should be in forest ad1.example.com
> Setting 'subdomain_provider = none' should disable all kind
I couldn't find this in the man pages.
Where is this parameter documented?
Is it already available in package sssd-1.13.3-60.el6.x86_64 on
Is it a global or a domain-specific parameter?
We tried that (both global and domain), but no change.
Still all domains are tried which are found beneath
DC=DomainDnsZones,DC=ad1,DC=example,DC=com. My impression is also that
this is done recursively leading to sssd contacting 70+ domains...
> But depending on the other settings you might e.g. have to
> set ldap_idmap_default_domain_sid to tell SSSD about the domain SID of
> the local domain to make automatic id-mapping work.
No ID-mapping needed in this case. The MS AD entries contain uidNumber
and gidNumber attributes.
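For reference, the settings discussed in this thread collected into one domain section of sssd.conf. This is an added illustration, not configuration from either poster; the domain name, server name and the `ldap_id_mapping = false` line (chosen because the AD entries carry uidNumber/gidNumber) are assumptions for the example, and `subdomain_provider` is a per-domain option in sssd.conf(5).

```ini
; /etc/sssd/sssd.conf (assumed example, not the original poster's file)
[sssd]
services = nss, pam
domains = ad1.example.com

[domain/ad1.example.com]
id_provider = ad
; never walk the whole forest/DomainDnsZones tree for trusted domains
subdomain_provider = none
; only answer lookups for this domain; others are ignored
ad_enabled_domains = ad1.example.com
; pin the DC instead of relying on site discovery
ad_server = dc1.ad1.example.com
ad_enable_dns_sites = false
; POSIX attributes exist in AD, so no SID-based id-mapping is needed
ldap_id_mapping = false
enumerate = false
```

After changing the file, restart sssd and clear its cache so stale subdomain entries are not reused.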