OT: How come sudo even works with the AD provider? You need to extend the AD schema, right?
Thanks,
Ondrej
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub Hrozek
Sent: 21 July 2015 10:08
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] sssd+ad-provider + sudo slow
On Tue, Jul 21, 2015 at 10:59:25AM +0300, Евгений wrote:
Hi All!
It works very well with the sssd+ad provider, but sudo su - is very slow when run the first time (running it again takes <1 sec): user1@host$ sudo su - (slow, ~8-15 sec).
user1 is a domain user and a member of many groups (300+) in Active Directory.
/etc/sssd/sssd.conf:
[domain/default]
cache_credentials = true
ignore_group_members = true

[domain/domain.local]
debug_level = 6
id_provider = ad
ad_server = msa-dc13. domain.local, msk-dc11. domain.local
ad_domain = domain.local
ad_hostname = msa-mailsys1.domain.local
override_homedir = /home/%u
override_shell = /bin/bash
ignore_group_members = true
# FILTER
access_provider = simple
simple_allow_groups = ROL-Linux-Admin

[sssd]
services = nss, pam, sudo
cache_credentials = true
config_file_version = 2
domains = domain.local

[nss]
debug_level = 6

[pam]

[sudo]
#debug_level = 9
In /var/log/sssd/sssd_nss.log there are more requests to the domain when sudo is run the first time.
Yeah, I guess the groups are not cached the first time around.
What SSSD versions are you running?
Can you attach the nss and domain log so we can see what exactly is being requested? You're already using ignore_group_members which would be my guess..
If you're running a recent enough version, maybe the background refresh would be useful..
btw feel free to drop the [domain/default] section, it's not used anywhere..
Is it possible to cache operations with sudo, or is there some other way to get around the problem?
-- Eugene
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users