Ahhhh. Then it's probably not the source of my performance problem. I know when I shut down SSSD, that user's ssh times speed up incredibly.


Bret

On 05/22/2014 01:06 PM, Simo Sorce wrote:
On Thu, 2014-05-22 at 12:47 -0400, Bret Wortman wrote:
If this line is in /etc/nsswitch.conf:

passwd: files sss

Why would the user account from IPA get used when an identical one
exists in /etc/passwd? We can tell because of some additional groups
granted when authentication comes from IPA.

If I shut down sssd, then login proceeds through /etc/passwd as
expected, but as soon as I restart sssd, this behavior starts again.
It's almost as if nsswitch.conf is being ignored or read
right-to-left.

Just another oddity I uncovered on one system as I was troubleshooting a
particularly long "ssh localhost" and trying to rule things out.

The initgroups call (done at authentication to find what groups a user
is member of) by default traverses all databases, so if the same
username is found in multiple databases the groups are added as well.

There is actually a way to change this behavior, although it usually
causes more issues than it resolves.

You could try with: initgroups: files sss

Simo.




_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
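
A simplified model of the lookup behaviour described in the thread, as an added example that is not part of the original messages and is not glibc code: a passwd lookup stops at the first source that has the user, while initgroups, when it has no line of its own, merges groups from every source. The `group: files sss` line, the user `alice` and all group data are assumptions constructed for the illustration.

```python
# Simplified model of NSS resolution order; an illustration, not glibc code.
# All account and group data below is constructed sample data.

def parse_nsswitch(text):
    """Return {database: [service, ...]} from nsswitch.conf text."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, services = line.split(":", 1)
            conf[db.strip()] = services.split()
    return conf

# The same user exists in /etc/passwd ("files") and in IPA (via "sss").
PASSWD = {"files": {"alice": 1000}, "sss": {"alice": 1000}}
GROUPS = {
    "files": {"alice": {"alice", "wheel"}},
    "sss": {"alice": {"alice", "ipausers", "admins"}},
}

def lookup_passwd(conf, user):
    """passwd lookups return at the first service that knows the user."""
    for svc in conf.get("passwd", []):
        if user in PASSWD.get(svc, {}):
            return svc
    return None

def initgroups(conf, user):
    """No initgroups line: walk every service on the group line and merge.
    Explicit initgroups line: return at the first service with a result."""
    explicit = "initgroups" in conf
    services = conf["initgroups"] if explicit else conf.get("group", [])
    found = set()
    for svc in services:
        groups = GROUPS.get(svc, {}).get(user)
        if groups is None:
            continue
        found |= groups
        if explicit:
            break
    return found

# Assumed configs: the thread shows only the passwd line.
DEFAULT = parse_nsswitch("passwd: files sss\ngroup: files sss\n")
PINNED = parse_nsswitch(
    "passwd: files sss\ngroup: files sss\ninitgroups: files sss\n"
)

if __name__ == "__main__":
    print(lookup_passwd(DEFAULT, "alice"), sorted(initgroups(DEFAULT, "alice")))
    print(lookup_passwd(PINNED, "alice"), sorted(initgroups(PINNED, "alice")))
```

On a real host, comparing `id -Gn <user>` against the user's entries in /etc/group shows whether directory groups are being merged into a local account of the same name.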