Hey All, Having some major issues with sudo, and it appears the root cause is the time it takes sssd to resolve root as a local user when domain-resolution-order is enabled in IPA 4.5. I do not have filter_users or filter_groups defined, so the default root user should be used (https://jhrozek.fedorapeople.org/sssd/1.15.2/man/sssd.conf.5.html). Manually adding this value has no effect.
Versions: IPA 4.5, SSSD 1.15.2, CentOS 7.4
Currently `time id root` takes about 8-16 seconds to finish, depending on caches and firewalls. I have (2) forest trusts, a total of 7 domains + ipa itself, 3 of them listed in domain-resolution-order.
Thank You, -Jake
On Tue, Jan 23, 2018 at 12:44:03PM -0500, email--- via FreeIPA-users wrote:
> Hey All, Having some major issues with sudo, and it appears the root cause is the time it takes sssd to resolve root as a local user when domain-resolution-order is enabled in IPA 4.5. I do not have filter_users or filter_groups defined, so the default root user should be used (https://jhrozek.fedorapeople.org/sssd/1.15.2/man/sssd.conf.5.html). Manually adding this value has no effect.
> Versions: IPA 4.5, SSSD 1.15.2, CentOS 7.4
> Currently `time id root` takes about 8-16 seconds to finish, depending on caches and firewalls. I have (2) forest trusts, a total of 7 domains + ipa itself, 3 of them listed in domain-resolution-order.
I'm pretty sure I hit this and I thought Fabiano wrote a patch, but I can't find either the ticket or the fix.
Fabiano, do you remember?
On Tue, Jan 23, 2018 at 7:55 PM, Jakub Hrozek <jhrozek@redhat.com> wrote:
> On Tue, Jan 23, 2018 at 12:44:03PM -0500, email--- via FreeIPA-users wrote:
> > Hey All, Having some major issues with sudo, and it appears the root cause is the time it takes sssd to resolve root as a local user when domain-resolution-order is enabled in IPA 4.5. I do not have filter_users or filter_groups defined, so the default root user should be used (https://jhrozek.fedorapeople.org/sssd/1.15.2/man/sssd.conf.5.html). Manually adding this value has no effect.
> > Versions: IPA 4.5, SSSD 1.15.2, CentOS 7.4
> > Currently `time id root` takes about 8-16 seconds to finish, depending on caches and firewalls. I have (2) forest trusts, a total of 7 domains + ipa itself, 3 of them listed in domain-resolution-order.
> I'm pretty sure I hit this and I thought Fabiano wrote a patch, but I can't find either the ticket or the fix.
> Fabiano, do you remember?
Here's the ticket: https://pagure.io/SSSD/sssd/issue/3460
By the way, I'm not subscribed to the freeipa-users ML. So, most likely, this message will be moderated (and in case it happens, please, forward the bug to the reporter).
Best Regards,