On Tue, Jan 26, 2016 at 3:03 PM, Jakub Hrozek jhrozek@redhat.com wrote:
> On Tue, Jan 26, 2016 at 02:19:42PM -0500, James Ralston wrote:
> > Here's the problem: unless the user/group objects already happen to be in sssd's cache, enumerating the passwd/group entries in this way is very slow: 3-5 entries per second, at best. For a larger AD domain, the program can take 10-15 minutes to perform this iterative enumeration, which is much longer than we'd prefer.
> > Can anyone think of a way to make this iterative enumeration go faster?
> Did you try mounting the cache to tmpfs to get rid of the cache writes?
> [...]
That's… a very clever idea.
From testing using tmpfs to back /var/lib/sss/db, the speed of lookups increases by about an order of magnitude: about 44 lookups per second, instead of 4-5 lookups per second. We have around 5,000 AD objects, so the ~100 second wait would be tolerable.
A related question: is there any possibility of adding an option to the ad backend to disable the filtering of distribution groups (group type flag 0x8)?
It's a long story, but what we are trying to do here is to take regular snapshots of our AD users and groups, and sssd's getpwnam()/getgrnam() mapping is the perfect way to do it. I think I understand why distribution groups are filtered by default (they're not security-enabled in AD, and can't be used in Windows ACLs), but in this one particular case, we really do want to be able to enumerate every single group.
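The snapshot procedure the thread describes (one getpwnam()/getgrnam() call per AD object, with the lookup rate as the thing to watch) as an added example. This is not code from the thread or from sssd; the user and group name lists in the main block are constructed stand-ins for the sAMAccountName lists you would pull from AD, and the lookup callables are parameters only so the resolver can be swapped out for testing. Objects that sssd filters out (for instance distribution groups under the ad provider's default group filter) surface as KeyError from the NSS call, so the example records them as missing instead of aborting the snapshot.

```python
"""Snapshot users and groups through the NSS interface (sssd) one name
at a time, record what could not be resolved, and report the lookup rate.

Added example, not code from the mailing-list thread or from sssd.
"""
import grp
import json
import pwd
import time
from typing import Callable, Dict, Iterable, List, Tuple


def resolve_all(names: Iterable[str], lookup: Callable[[str], object]
                ) -> Tuple[Dict[str, object], List[str], float]:
    """Call lookup() once per name.

    Returns (found, missing, lookups_per_second).  A KeyError from the
    resolver is the NSS "no such entry" result, which is also what sssd
    returns for objects it filters out, so those names go to `missing`.
    """
    names = list(names)
    found: Dict[str, object] = {}
    missing: List[str] = []
    start = time.perf_counter()
    for name in names:
        try:
            found[name] = lookup(name)
        except KeyError:
            missing.append(name)
    elapsed = time.perf_counter() - start
    rate = len(names) / elapsed if elapsed > 0 else float("inf")
    return found, missing, rate


def user_record(pw: pwd.struct_passwd) -> dict:
    """Reduce a struct_passwd to the fields worth keeping in a snapshot."""
    return {"name": pw.pw_name, "uid": pw.pw_uid, "gid": pw.pw_gid,
            "gecos": pw.pw_gecos, "home": pw.pw_dir, "shell": pw.pw_shell}


def group_record(gr: grp.struct_group) -> dict:
    """Reduce a struct_group to name, gid and a sorted member list."""
    return {"name": gr.gr_name, "gid": gr.gr_gid, "members": sorted(gr.gr_mem)}


def snapshot_directory(user_names: Iterable[str], group_names: Iterable[str],
                       pw_lookup: Callable[[str], pwd.struct_passwd] = pwd.getpwnam,
                       gr_lookup: Callable[[str], grp.struct_group] = grp.getgrnam
                       ) -> dict:
    """Build a JSON-serialisable snapshot of the given users and groups.

    The lookup callables default to the libc/NSS functions, which on an
    sssd-backed host go through sssd and its cache; they are parameters so
    a test can substitute an offline resolver.
    """
    users, missing_users, user_rate = resolve_all(user_names, pw_lookup)
    groups, missing_groups, group_rate = resolve_all(group_names, gr_lookup)
    return {
        "users": {n: user_record(e) for n, e in users.items()},
        "groups": {n: group_record(e) for n, e in groups.items()},
        "missing_users": missing_users,
        "missing_groups": missing_groups,
        "lookups_per_second": {"users": round(user_rate, 1),
                               "groups": round(group_rate, 1)},
    }


if __name__ == "__main__":
    # Constructed name lists; in practice these come from an LDAP query
    # against AD for sAMAccountName of user and group objects.
    sample_users = ["root", "nobody", "no-such-ad-user"]
    sample_groups = ["root", "no-such-ad-group"]
    print(json.dumps(snapshot_directory(sample_users, sample_groups), indent=2))
```

The lookups_per_second figures are the number to compare before and after moving /var/lib/sss/db onto tmpfs; note that a tmpfs-backed cache starts empty after every reboot, so the first snapshot after a boot pays the full cold-cache cost again.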