On Fri, Feb 03, 2017 at 09:54:01AM -0500, Chris Dagdigian wrote:
>
> I've got a case where "id <user>@AD-DOMAIN" hangs forever after partially
> resolving and I think it may because they are in way too many AD groups?
I don't think id should hang totally (at the very least, there is a NSS
timeout that should eventually kick in).
>
> The 'id' command resolve the user but hangs before completing. There is a
> large amount of group data returned from the AD forest for this user and the
> 'id' command seems to pause/hang right at the 3024th character returned.
>
> Looking for pointers / tips. I'm thinking the AD user is in way too many
> groups but I don't know if this is a real limit or what the limit may be.
> Any other reason why an 'id' command may start to work but hang before
> completion for an AD-defined user?
I would tail the sssd logs on the client and server to see if the
command really hangs or 'just' processes some super-large group.
Also, see:
https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
