Hi,
I recently encountered issues where logins on Linux clients using SSSD
and the AD provider, pointed directly to an AD server, were randomly
slow. Randomly meaning, some clients experienced no slowness at all,
other clients consistently had slow logins (30+ seconds sometimes), and
yet other clients had random normal/fast logins, and frequent slow logins.
Through troubleshooting, log analysis and experimentation, it appears
the fix for this issue is to turn off the PAC service. Once "pac" was
removed from the "services =" line in sssd.conf, the problem client
boxes were suddenly consistently fast in terms of user logins.
This deployment has the clients talking directly to AD servers it looks
up via the normal AD DNS entries, and uses Unix POSIX attributes in AD
for uidnumber and gidnumber etc (e.g. it's not doing any SID -> unix ID
translations, it's just pulling them directly from LDAP attributes).
I guess my questions are:
1. What does PAC actually do? I've read that it lists a user's group as
part of a KRB5 response, but also that it might be involved in
cross-domain trusts.
2. When is PAC needed? Is it only needed for deployments using IPA?
3. Is there any impact in turning off PAC if the architecture doesn't
involve IPA in the mix?
4. Why would PAC slow down such an architecture seemingly randomly?
I've done a bit of searching and have only found sparse information on
sssd_pac, some in Jakob's blog! I'm trying to understand its role.
Thanks,
- Jim