I'm seeing ssh logins for AD users take MUCH longer when using SID mapping vs. POSIX attributes. Both our AD admin and I would prefer to use SID mapping. It appears tied to the group lookup at login. There seem to be many posts about it, but I haven't found anything to help much. sssd pegs the CPU for the 15 or so seconds the login takes.
Ex w/ SID mapping AD trust:

Mar 19 10:48:25 mid-ipa-vp01 sshd[16198]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.134.49.32 user=gould@test.osuwmc
Mar 19 10:48:28 mid-ipa-vp01 sshd[16198]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.134.49.32 user=gould@test.osuwmc
Mar 19 10:48:34 mid-ipa-vp01 sshd[16198]: Accepted password for goul09@test.osuwmc from 10.134.49.32 port 56844 ssh2
Mar 19 10:48:38 mid-ipa-vp01 sshd[16198]: pam_unix(sshd:session): session opened for user goul09@test.osuwmc by (uid=0)

Ex w/ POSIX AD trust:

Mar 16 14:27:52 mid-ipa-vp01 sshd[13723]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.134.49.96 user=gould@test.osuwmc
Mar 16 14:27:55 mid-ipa-vp01 sshd[13723]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.134.49.96 user=gould@test.osuwmc
Mar 16 14:28:01 mid-ipa-vp01 sshd[13723]: Accepted password for gould@test.osuwmc from 10.134.49.96 port 61401 ssh2
Mar 16 14:28:05 mid-ipa-vp01 sshd[13723]: pam_unix(sshd:session): session opened for user goul09@test.osuwmc by (uid=0)

Exact same sssd.conf file for both configs.

[domain/unix.test.osuwmc]
debug_level = 9
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = unix.test.osuwmc
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = mid-ipa-vp01.unix.test.osuwmc
chpass_provider = ipa
ipa_server = mid-ipa-vp01.unix.test.osuwmc
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_referrals = false
#[domain/test.osuwmc]

[sssd]
services = nss, sudo, pam, ssh, pac
config_file_version = 2
domains = unix.test.osuwmc

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
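Added example, not part of the original post or of the FreeIPA/SSSD projects: a small Python script that splits the two sshd sessions quoted above into their PAM phases (pam_unix auth failure, pam_sss auth success, "Accepted password", session opened) and reports how many seconds elapsed between consecutive phases per sshd PID. Pinning the delay to a phase is the first step before attributing it to the group lookup. The phase names used in the code are labels chosen here, not sshd or sssd terminology; the log lines embedded in the script are the ones quoted in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# The two sshd sessions quoted in the post above (SID-mapping trust first,
# then the POSIX-attribute trust), copied verbatim. sshd uses one PID per
# connection, so the PID is the natural session key.
SAMPLE_LOG = """\
Mar 19 10:48:25 mid-ipa-vp01 sshd[16198]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.134.49.32 user=gould@test.osuwmc
Mar 19 10:48:28 mid-ipa-vp01 sshd[16198]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.134.49.32 user=gould@test.osuwmc
Mar 19 10:48:34 mid-ipa-vp01 sshd[16198]: Accepted password for goul09@test.osuwmc from 10.134.49.32 port 56844 ssh2
Mar 19 10:48:38 mid-ipa-vp01 sshd[16198]: pam_unix(sshd:session): session opened for user goul09@test.osuwmc by (uid=0)
Mar 16 14:27:52 mid-ipa-vp01 sshd[13723]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.134.49.96 user=gould@test.osuwmc
Mar 16 14:27:55 mid-ipa-vp01 sshd[13723]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.134.49.96 user=gould@test.osuwmc
Mar 16 14:28:01 mid-ipa-vp01 sshd[13723]: Accepted password for gould@test.osuwmc from 10.134.49.96 port 61401 ssh2
Mar 16 14:28:05 mid-ipa-vp01 sshd[13723]: pam_unix(sshd:session): session opened for user goul09@test.osuwmc by (uid=0)
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host sshd[PID]: message".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Login phases in the order sshd emits them, keyed by message prefix.
# The phase names are labels chosen for this example.
PHASES = (
    ("pam_unix_auth_fail", "pam_unix(sshd:auth): authentication failure"),
    ("pam_sss_auth_ok", "pam_sss(sshd:auth): authentication success"),
    ("accepted", "Accepted "),
    ("session_opened", "pam_unix(sshd:session): session opened"),
)


def classify(msg):
    """Map an sshd message to a phase label, or None if it is not one we track."""
    for name, prefix in PHASES:
        if msg.startswith(prefix):
            return name
    return None


def parse_sshd_log(text):
    """Group tracked sshd events by PID as (timestamp, phase) tuples.

    Syslog timestamps carry no year; strptime fills in 1900, which is fine
    for deltas inside one session (a session spanning New Year is not handled).
    """
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        phase = classify(m.group("msg"))
        if phase is None:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        sessions[m.group("pid")].append((ts, phase))
    return sessions


def phase_durations(events):
    """Seconds spent between consecutive tracked phases of one session."""
    events = sorted(events)
    return [
        (p0, p1, int((t1 - t0).total_seconds()))
        for (t0, p0), (t1, p1) in zip(events, events[1:])
    ]


def total_login_seconds(events):
    """Seconds from the first tracked event to the last one in a session."""
    events = sorted(events)
    return int((events[-1][0] - events[0][0]).total_seconds())


def report(text):
    """Per-PID phase breakdown: {pid: {"phases": [...], "total": seconds}}."""
    return {
        pid: {"phases": phase_durations(ev), "total": total_login_seconds(ev)}
        for pid, ev in parse_sshd_log(text).items()
    }


if __name__ == "__main__":
    for pid, r in report(SAMPLE_LOG).items():
        print(f"sshd[{pid}]: total {r['total']}s")
        for p0, p1, secs in r["phases"]:
            print(f"  {p0:>20} -> {p1:<16} {secs:3d}s")
```

Run it against /var/log/secure (or `journalctl -u sshd -o short`) from both configurations and compare the per-phase columns rather than the wall-clock total. On the eight lines quoted in the post it reports, for each of the two PIDs, 3s from the pam_unix failure to the pam_sss success, 6s from there to "Accepted password", and 4s until the session opens. Whichever phase grows under SID mapping is the one to correlate with the sssd domain log (debug_level = 9 is already set in the posted sssd.conf), since sshd alone does not say what it was waiting on.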