Sumit, thanks for your answer.

Sumit Bose <sb...@redhat.com> wrote:
> Michael Ströder wrote:
>> I'm currently trouble-shooting performance issues on CentOS 6.10 running
>> sssd 1.13.3 using sssd-ad as backend.
>>
>> Enumeration is already disabled.
>>
>> Also these options were set (DNS names obfuscated):
>> ad_enabled_domains = ad1.example.com
>> ad_server = dc1.ad1.example.com, dc2.ad1.example.com
>> ad_enable_dns_sites = false
>>
>> Looking sssd still asks various naming contexts of the *many* other
>> trusted domains.
>>
>> Any clue how to effectively disable all "foreign" lookups?
>
> ad_enabled_domains will ignore requests looking up users and groups from
> domains not listed but I guess if a user from domain ad1.example.com is
> a member of a group from ad2.example.com this group will still be looked
> up.

Fortunately every group needed should be in forest ad1.example.com.

> Setting 'subdomain_provider = none' should disable all kinds of domain
> discovery.

I couldn't find this in the man pages. Where is this parameter documented?
Is it already available in package sssd-1.13.3-60.el6.x86_64 on
RHEL/CentOS 6.10? Is it a global or a domain-specific parameter?

We tried that (both global and domain), but no change. Still all domains are
tried which are found beneath DC=DomainDnsZones,DC=ad1,DC=example,DC=com.
My impression is also that this is done recursively leading to sssd
contacting 70+ domains...

> But depending on the other settings you might e.g. have to
> set ldap_idmap_default_domain_sid to tell SSSD about the domain SID of
> the local domain to make automatic id-mapping work.

No ID-mapping needed in this case. The MS AD entries contain uidNumber and
gidNumber attributes.

Ciao, Michael.
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org