On Wed, Jun 05, 2019 at 10:14:46AM +0200, Jakub Hrozek wrote:

Date: Wed, 5 Jun 2019 10:04:56 +0200 From: Alexander Fieroch alexander.fieroch@mpi-dortmund.mpg.de To: sssd-users-owner@lists.fedorahosted.org Subject: enumerate in sssd.conf User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.0

Hi,

Hi,

please note that the correct list for user facing questions is sssd-users@lists.fedorahosted.org

I've set "enumerate = true" in sssd.conf which is working good for me and our AD clients. Now I recognized that RedHat does not recommend "enumerate = true" in sssd.conf:

https://access.redhat.com/solutions/500433

When I disable enumarate in sssd, "getent passwd" does not list AD users anymore. Is this normal behavior?

Yes, enumerate=true does two things: - in sssd_be, starts a periodical task that downloads all entries currently served by SSSD (users, groups, netgroups, services, ..) - on the sssd_nss side, replies to getent passwd/getent group, or, on that level getpwent/getgrent/... with the contents of the cache.

I use "getent passwd" for a quick test if sssd is working and finding AD users...

Yes, it's convenient, but fetching and saving all entries is also very performance intensive, even with some optimizations like fetching only delta since the previous lastUSN change. That's why it is not recommended to use enumeration.