On Thu, 2014-05-22 at 13:12 -0400, Bret Wortman wrote:
> Ahhhh. Then it's probably not the source of my performance problem. I
> know when I shut down SSSD, that user's ssh times speed up incredibly.
This makes me think it *is* initgroups, as it normally will hit sssd
even for non-sssd owned users.
But the issue here clearly is that sssd is slow for you, bad network?
> On 05/22/2014 01:06 PM, Simo Sorce wrote:
> > On Thu, 2014-05-22 at 12:47 -0400, Bret Wortman wrote:
> >> If this line is in /etc/nsswitch.conf:
> >> passwd: files sss
> >> Why would the user account from IPA get used when an identical one
> >> exists in /etc/passwd? We can tell because of some additional groups
> >> granted when authentication comes from IPA.
> >> If I shut down sssd, then login proceeds through /etc/passwd as
> >> expected, but as soon as I restart sssd, this behavior starts again.
> >> It's almost as if nsswitch.conf is being ignored or read
> >> right-to-left.
> >> Just another oddity I uncovered on one system as I was troubleshooting a
> >> particularly long "ssh localhost" and trying to rule things out.
> > The initgroups call (done at authentication to find what groups a user
> > is member of) by default traverses all databases, so if the same
> > username is found in multiple databases the groups are added as well.
> > There is actually a way to change this behavior, although it usually
> > > causes more issues than it resolves.
> > You could try with: initgroups: files sss
> > Simo.
Simo Sorce * Red Hat, Inc * New York
Freeipa-users mailing list
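
An added example, not part of the original thread: a simplified Python model of the initgroups lookup discussed above, showing why a user present in both /etc/passwd and IPA picks up the IPA groups, and what an explicit `initgroups:` line changes. The user names, group names and backend contents are constructed, and the model assumes plain service lists (bracketed actions such as `[NOTFOUND=return]` are ignored).

```python
import re

# Constructed sample configs: the second adds the line suggested in the thread.
DEFAULT = "passwd: files sss\ngroup: files sss\n"
EXPLICIT = DEFAULT + "initgroups: files sss\n"

# Constructed sample data: the same user exists locally and in IPA (via sss),
# a second user exists only in IPA. All names are hypothetical.
BACKENDS = {
    "files": {"alice": {"users"}},
    "sss": {"alice": {"users", "ipa-admins"}, "carol": {"ipausers"}},
}

def parse_nsswitch(text):
    """Return {database: [services]} from nsswitch.conf content."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if ":" not in line:
            continue
        db, services = line.split(":", 1)
        services = re.sub(r"\[[^\]]*\]", " ", services)  # ignore [ACTION=...]
        conf[db.strip()] = services.split()
    return conf

def supplementary_groups(conf, user, backends):
    """Model the group list built at login for `user`."""
    explicit = "initgroups" in conf
    # Without an initgroups line, the services of the group line are used
    # and every one of them is consulted, so the results are merged.
    services = conf["initgroups"] if explicit else conf.get("group", [])
    groups = set()
    for svc in services:
        found = backends.get(svc, {}).get(user)
        if found is None:
            continue            # user unknown to this service, try the next
        groups |= found
        if explicit:
            break               # explicit line: the first service that answers wins
    return groups

if __name__ == "__main__":
    for label, text in (("default", DEFAULT), ("explicit", EXPLICIT)):
        conf = parse_nsswitch(text)
        print(label, sorted(supplementary_groups(conf, "alice", BACKENDS)))
```
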