On Thu, 2022-08-25 at 19:41 +0100, Sam Morris via FreeIPA-users wrote:
> Interesting. After installing sssd on a fresh system there isn't an
> /etc/sssd/sssd.conf file. I guess ipa-client-install ultimately needs to
> make sure it's not enabling services that are already enabled via socket
> activation. Then again I don't know if having duplicates of these
> responders is actually causing a problem or whether it just results in a
> bit of wasted memory and extra log messages.

I think it actually breaks sssd and prevents it or the responders from working properly. If I'm bored, I'll have to try it out again.

> No problem. Ubuntu's login script is really idiotic and caused no end of
> pain for me & my users. But it seems no one is reading the bug reports...

It worked for me. This is awesome. Thanks again.

I took it to the next step and applied an ID View for an AD user to change the user's UID and GID. The user could no longer log in and that group enumeration problem popped up again: sssd_idm.domain.com.log was spitting out groups and group members like it was before the change to /etc/bash.bashrc. I couldn't even look up the user anymore. I had to stop sssd, delete everything in /var/lib/sss/db/, unapply the ID View on the host and start sssd to get logins and user lookups working again. :/

> You'll also want to tell sssd to not include group members when group
> info is looking up--that tweak also makes a huge difference the 1st time
> a user logs in. You want:
>
> ignore_group_members = true
> subdomain_inherit = ignore_group_members

I did that on the masters. I believe it's helping, but the test Ubuntu 22 client is still slower than a CentOS 7 server I converted from NIS auth to a freeipa client.

BTW, I have 26 masters spread out all over the planet. I'm using ad sites and ipa locations to make sure clients aren't reaching out to sites that are far away. I don't know for sure if this setup is causing any issues, though so far it seems to be OK.

--
Ranbir
