On Wed, May 09, 2018 at 10:29:51AM +0200, Bastian Rosner wrote:
> Hi,
>
> we are running sssd-ad 1.15.0-3 (Debian Stretch) in a global AD
> infrastructure consisting of a single forest with four (sub-)domains in
> two-way trust. No FreeIPA, just Windows 2012 AD servers.
> Users are typically members of up to 250 groups distributed across multiple
> domains. Each domain has a local Domain-Controller on each site to improve
> lookup times.
>
> Time required for running sudo directly after login with a Kerberos ticket
> is pretty long, usually around 20 seconds but it can also be up to 40
> seconds. Consecutive sudo commands will be fast.
>
> $ date ; ssh server "sudo date"
> Wed May 9 10:16:38 CEST 2018
> Wed May 9 10:16:56 CEST 2018
>
> We assume most of the time is spent in looking up all the group memberships,
> which we can easily see in the debug log. Is there a configuration option
> or some other way to reduce the required lookups and to improve the time it
> takes for login + sudo?
You might want to try to increase pam_id_timeout as a first step; 30 might be
a good start. The second step would be to check in the domain log that
suitable/nearby AD DCs are always picked.

bye,
Sumit

> Thanks and kind regards,
> Bastian
>
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
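The first step in the reply is a setting in the [pam] section of sssd.conf. The following added example (not from the thread or from SSSD itself) reads the effective pam_id_timeout from an sssd.conf, using the documented default of 5 seconds when the option is absent, and flags anything below the suggested 30 seconds; the sample configs and the domain name example.com are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: report the effective pam_id_timeout
# of an sssd.conf. pam_sss caches identity lookups (e.g. group memberships)
# for that many seconds; the documented default is 5, and the reply above
# suggests 30 as a first step, so anything lower is flagged.

# Print the effective pam_id_timeout (seconds) of the given sssd.conf.
pam_id_timeout_of() {
    section="" value=""
    # plain `read` trims leading/trailing whitespace, so indentation is fine
    while read -r line || [ -n "$line" ]; do
        case $line in
            \#*|\;*|"") continue ;;                        # comments, blanks
            \[*\]) section=${line#\[}; section=${section%\]} ;;
            pam_id_timeout*=*)
                [ "$section" = pam ] || continue           # only [pam] counts
                value=$(printf '%s' "${line#*=}" | tr -d ' \t')
                ;;
        esac
    done < "$1"
    printf '%s\n' "${value:-5}"                            # 5 = documented default
}

# Print "ok" when the timeout is at least 30 s, otherwise "low:<value>".
check_pam_id_timeout() {
    v=$(pam_id_timeout_of "$1")
    if [ "$v" -ge 30 ]; then printf 'ok\n'; else printf 'low:%s\n' "$v"; fi
}

# Constructed sample configs (hypothetical domain example.com).
SAMPLE_DEFAULT=$(mktemp); SAMPLE_TUNED=$(mktemp)
cat > "$SAMPLE_DEFAULT" <<'EOF'
[sssd]
domains = example.com
services = nss, pam

[pam]
pam_verbosity = 1

[domain/example.com]
id_provider = ad
EOF
# Same config with the suggested value added right after the [pam] header.
awk '{ print } /^\[pam\]$/ { print "pam_id_timeout = 30" }' \
    "$SAMPLE_DEFAULT" > "$SAMPLE_TUNED"

check_pam_id_timeout "$SAMPLE_DEFAULT"   # low:5
check_pam_id_timeout "$SAMPLE_TUNED"     # ok
```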
