Is there a way to get results in `getent passwd` from a files domain with enumerate=false?
relevant domain snippet:
[domain/FNAL.GOV]
auth_provider=krb5
id_provider=files
enumerate=false
When I change from `enumerate=false` to `enumerate=true` I get everything I'd expect from `getent passwd`.
The load time on my enormous file is painful with enumerate=true.
Pat
On 2/22/23 4:14 PM, Patrick Riehecky wrote:
> Is there a way to get results in `getent passwd` from a files domain with enumerate=false?
> relevant domain snippet:
> [domain/FNAL.GOV]
> auth_provider=krb5
> id_provider=files
> enumerate=false
> When I change from `enumerate=false` to `enumerate=true` I get everything I'd expect from `getent passwd`.
> The load time on my enormous file is painful with enumerate=true.
> Pat

Are you providing a username to getent like this for user foo?
getent passwd foo
That should give you the passwd file entry for user foo when enumerate=false (and even when it's true!)

> The load time on my enormous file is painful with enumerate=true.

That is why enumerate=false is the default for sssd. Enumerating through every possible value puts a huge load on SSSD, so it shouldn't be used at sites with a large number of user accounts.
-- Prentice
On Wed, Feb 22, 2023 at 11:31 PM Prentice Bisbal pbisbal@pppl.gov wrote:
> On 2/22/23 4:14 PM, Patrick Riehecky wrote:
>> Is there a way to get results in `getent passwd` from a files domain with enumerate=false?
>> relevant domain snippet:
>> [domain/FNAL.GOV]
>> auth_provider=krb5
>> id_provider=files
>> enumerate=false
>> When I change from `enumerate=false` to `enumerate=true` I get everything I'd expect from `getent passwd`.
>> The load time on my enormous file is painful with enumerate=true.
>> Pat
>
> Are you providing a username to getent like this for user foo?
> getent passwd foo
> That should give you the passwd file entry for user foo when enumerate=false (and even when it's true!)
>
>> The load time on my enormous file is painful with enumerate=true.
>
> That is why enumerate=false is the default for sssd. Enumerating through every possible value puts a huge load on SSSD, so it shouldn't be used at sites with a large number of user accounts.

Actually 'files provider' is somewhat special:
1) it always reads the entire /etc/passwd into SSSD cache, so there should be no difference CPU load wise.
2) IIRC, 'files provider' doesn't actually respond to enumeration request because typically there is also 'files' in 'passwd:' database that enumerates and glibc concatenates results.
From a practical point of view, for 'auth_provider=krb5' & local users case we now tend to recommend using 'id_provider = proxy' with lib 'files'. 'Files provider' might be deprecated / removed upstream going forward.
On Thu, 2023-02-23 at 11:21 +0100, Alexey Tikhonov wrote:
> From a practical point of view, for 'auth_provider=krb5' & local users case we now tend to recommend using 'id_provider = proxy' with lib 'files'. 'Files provider' might be deprecated / removed upstream going forward.

Is there more information on this?
My federation system provides a "passwd format" file that I'm loading via
group_files=/etc/sssd_git/group
passwd_files=/etc/sssd_git/passwd
pwfield=*
Pat
On Thu, Feb 23, 2023 at 4:15 PM Patrick Riehecky riehecky@fnal.gov wrote:
> On Thu, 2023-02-23 at 11:21 +0100, Alexey Tikhonov wrote:
>> From a practical point of view, for 'auth_provider=krb5' & local users case we now tend to recommend using 'id_provider = proxy' with lib 'files'. 'Files provider' might be deprecated / removed upstream going forward.
>
> Is there more information on this?

https://github.com/SSSD/sssd/pull/6572
Most probably sssd-2.9 upstream release will have a build time ./configure option to enable/disable support of 'files provider'. It's up to the downstream maintainer if they will keep it enabled.

> My federation system provides a "passwd format" file that I'm loading via
> group_files=/etc/sssd_git/group
> passwd_files=/etc/sssd_git/passwd
> pwfield=*

Could you please check if `sssd-proxy` with `nss-altfiles` as a lib works for your case?
sssd-users@lists.fedorahosted.org
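
The change suggested in the thread, from the files provider to a proxy domain backed by an NSS library, as an added sssd.conf sketch that is not taken from any message above. `proxy_lib_name` is the sssd.conf option that names the library; the choice of `altfiles`, the placement of the `passwd_files`/`group_files`/`pwfield` lines in the same domain section, and the omitted krb5 settings are assumptions.

```ini
# Before: the domain as described in the thread (files provider).
# Assumption: the passwd_files/group_files/pwfield lines live in this section.
#
# [domain/FNAL.GOV]
# auth_provider = krb5
# id_provider = files
# passwd_files = /etc/sssd_git/passwd
# group_files = /etc/sssd_git/group
# pwfield = *
# enumerate = false

# After: proxy provider in front of an NSS library.
[domain/FNAL.GOV]
auth_provider = krb5
id_provider = proxy

# SSSD looks up functions named _nss_<proxy_lib_name>_<function> in the
# matching NSS library. "files" is glibc's own module and reads /etc/passwd
# and /etc/group. "altfiles" assumes the nss-altfiles module is installed.
proxy_lib_name = altfiles

# passwd_files and group_files are files-provider options and are not read
# by the proxy provider. Which file the lookup reads is decided by the NSS
# module itself, so the federated passwd/group files must be placed (or the
# module built) so that the module finds them.

enumerate = false

# krb5 settings (server, realm, ...) are unchanged and omitted here, as they
# were in the snippet posted to the list.
```

After restarting SSSD, `getent -s sss passwd foo` queries only the `sss` NSS service, which confirms that the entry is served through the proxy domain rather than by another service listed on the `passwd:` line of nsswitch.conf.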