On Thu, May 22, 2014 at 01:22:28PM -0400, Bret Wortman wrote:
> Yep, that initgroups change had the same effect as shutting down
> sssd, but without inconveniencing all the IPA-only users.
> The problem in this particular case was made worse by a lot of
> network latency, but even on network segments local to the ipa
> masters, it's taking seconds to authenticate. This will help out the
> local accounts, at least. Now to keep working on those that aren't
> Thanks for that tip, Simo!
Just as an additional tip for anyone else following this thread -- if
you want to ignore certain local users from being queried in the SSSD
backends, you can use the filter_users/filter_groups options. Their
value defaults to 'root' so that we never fetch the root account from
LDAP, but for example on my system I also include the 'pulse-rt' user..
Freeipa-users mailing list