On Fri, Nov 16, 2018 at 11:55:28AM +0100, Michael Ströder wrote:
Sumit,
thanks for your answer.
Sumit Bose sbose@redhat.com wrote:
Michael Ströder wrote:
I'm currently trouble-shooting performance issues on CentOS 6.10 running sssd 1.13.3 using sssd-ad as backend.
Enumeration is already disabled.
Also these options were set (DNS names obfuscated):
ad_enabled_domains = ad1.example.com
ad_server = dc1.ad1.example.com, dc2.ad1.example.com
ad_enable_dns_sites = false
Looking at it, sssd still queries various naming contexts of the *many* other trusted domains.
Any clue how to effectively disable all "foreign" lookups?
ad_enabled_domains will ignore requests looking up users and groups from domains not listed but I guess if a user from domain ad1.example.com is a member of a group from ad2.example.com this group will still be looked up.
Fortunately every group needed should be in forest ad1.example.com.
Setting 'subdomain_provider = none' should disable all kind of domain discovery.
I couldn't find this in the man pages.
Where is this parameter documented?
Ah, sorry, typo: it is 'subdomains_provider' (the 's' was missing), which is a domain-specific option like the other *_provider options and is described in the sssd.conf man page.
HTH
bye, Sumit
Is it already available in package sssd-1.13.3-60.el6.x86_64 on RHEL/CentOS 6.10?
Is it a global or a domain-specific parameter?
We tried that (both global and domain), but no change.
Still, all domains found beneath DC=DomainDnsZones,DC=ad1,DC=example,DC=com are tried. My impression is also that this is done recursively, leading to sssd contacting 70+ domains...
But depending on the other settings you might e.g. have to set ldap_idmap_default_domain_sid to tell SSSD about the domain SID of the local domain to make automatic id-mapping work.
No ID-mapping needed in this case. The MS AD entries contain uidNumber and gidNumber attributes.
Ciao, Michael.
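For reference, here is how the settings discussed in this thread fit together in one domain section of sssd.conf. This is an added example, not a configuration posted by either participant or shipped by the SSSD project; the domain and DC names are the obfuscated ones from the thread, and 'ldap_id_mapping = false' is assumed because Michael says the AD entries carry uidNumber/gidNumber. Note that Michael reports that 'subdomains_provider = none' did not stop the trusted-domain lookups on sssd-1.13.3-60.el6, so this shows what was suggested, not a confirmed fix for that version.

```ini
; /etc/sssd/sssd.conf -- constructed example, not the poster's real configuration.
; Domain and DC names are the obfuscated ones used in the thread.
[sssd]
config_file_version = 2
services = nss, pam
domains = ad1.example.com

[domain/ad1.example.com]
id_provider = ad
access_provider = ad

; Only talk to the two listed DCs and do not use AD site discovery via DNS.
ad_server = dc1.ad1.example.com, dc2.ad1.example.com
ad_enable_dns_sites = false

; Ignore lookups for users and groups from domains not listed here.
; A group from another domain that a local user is a member of may still be
; looked up (Sumit's caveat in the thread).
ad_enabled_domains = ad1.example.com

; Sumit's suggestion: disable trusted-domain (subdomain) discovery.
; Domain-specific option, like the other *_provider options; values are
; ipa, ad or none.
subdomains_provider = none

; Enumeration was already disabled in the thread.
enumerate = false

; Assumption: the AD entries carry uidNumber/gidNumber, so use those POSIX
; attributes instead of SID-based ID mapping (the AD provider defaults to
; ldap_id_mapping = true).
ldap_id_mapping = false
```

After changing the file, restart sssd and clear its cache so that cached subdomain data from earlier discovery does not mask the effect of the new settings.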