On Thu, 2014-05-22 at 13:12 -0400, Bret Wortman wrote:
> Ahhhh. Then it's probably not the source of my performance problem. I 
> know when I shut down SSSD, that user's ssh times speed up incredibly.

This makes me think it *is* initgroups, as it normally will hit sssd
even for non-sssd owned users.

But the issue here clearly is that sssd is slow for you, bad network ?

Simo.

> Bret
> 
> On 05/22/2014 01:06 PM, Simo Sorce wrote:
> > On Thu, 2014-05-22 at 12:47 -0400, Bret Wortman wrote:
> >> If this line is in /etc/nsswitch.conf:
> >>
> >> passwd: files sss
> >>
> >> Why would the user account from IPA get used when an identical one
> >> exists in /etc/passwd? We can tell because of some additional groups
> >> granted when authentication comes from IPA.
> >>
> >> If I shut down sssd, then login proceeds through /etc/passwd as
> >> expected, but as soon as I restart sssd, this behavior starts again.
> >> It's almost as if nsswitch.conf is being ignored or read
> >> right-to-left.
> >>
> >> Just another oddity I uncovered on one system as I was troubleshooting
> >> a
> >> particularly long "ssh localhost" and trying to rule things out.
> >>
> > The initgroups call (done at authentication to find what groups a user
> > is member of) by default traverses all databases, so if the same
> > username is found in multiple databases the groups are added as well.
> >
> > There is actually a way to change this behavior, although it usually
> > causes more issue than it resolves.
> >
> > You could try with: initgroups: files sss
> >
> > Simo.
> >
> 
> 


-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to