On Fri, Feb 03, 2017 at 09:54:01AM -0500, Chris Dagdigian wrote:
>
> I've got a case where "id <user>@AD-DOMAIN" hangs forever after partially
> resolving and I think it may be because they are in way too many AD groups?

I don't think id should hang totally (at the very least, there is an NSS timeout that should eventually kick in).

>
> The 'id' command resolves the user but hangs before completing. There is a
> large amount of group data returned from the AD forest for this user and the
> 'id' command seems to pause/hang right at the 3024th character returned.
>
> Looking for pointers / tips. I'm thinking the AD user is in way too many
> groups but I don't know if this is a real limit or what the limit may be.
> Any other reason why an 'id' command may start to work but hang before
> completion for an AD-defined user?

I would tail the sssd logs on the client and server to see if the command really hangs or 'just' processes some super-large group.

Also, see:
https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/