Hi,

we are running sssd-ad 1.15.0-3 (Debian Stretch) in a global AD infrastructure consisting of a single forest with four (sub-)domains in two-way trust. No FreeIPA, just Windows 2012 AD servers. Users are typically members of up to 250 groups distributed across multiple domains. Each domain has a local Domain-Controller on each site to improve lookup times.

Time required for running sudo directly after login with a Kerberos ticket is pretty long, usually around 20 seconds but it can also be up to 40 seconds. Consecutive sudo commands will be fast.

$ date ; ssh server "sudo date"
Wed May  9 10:16:38 CEST 2018
Wed May  9 10:16:56 CEST 2018

We assume most of the time is spent looking up all the group memberships, which we can easily see in the debug log. Is there a configuration option or some other way to reduce the required lookups and to improve the time it takes for login + sudo?

Thanks and kind regards,
Bastian

_______________________________________________
sssd-users mailing list -- [email protected]