On Fri, Nov 16, 2018 at 11:55:28AM +0100, Michael Ströder wrote:
> Sumit,
> 
> thanks for your answer.
> 
> Sumit Bose <sb...@redhat.com> wrote:
> > Michael Ströder wrote:
> >> I'm currently trouble-shooting performance issues on CentOS 6.10 running
> >> sssd 1.13.3 using sssd-ad as backend.
> >>
> >> Enumeration is already disabled.
> >>
> >> Also these options were set (DNS names obfuscated):
> >> ad_enabled_domains = ad1.example.com
> >> ad_server = dc1.ad1.example.com, dc2.ad1.example.com
> >> ad_enable_dns_sites = false
> >>
> >> Looking sssd still asks various naming contexts of the *many* other
> >> trusted domains.
> >>
> >> Any clue how to effectively disable all "foreign" lookups?
> > 
> > ad_enabled_domains will ignore requests looking up users and groups from
> > domains not listed but I guess if a user from domain ad1.example.com is
> > a member of a group from ad2.example.com this group will still be looked
> > up.
> 
> Fortunately every group needed should be in forest ad1.example.com.
> 
> > Setting 'subdomain_provider = none' should disable all kinds of domain
> > discovery.
> 
> I couldn't find this in the man pages.
> 
> Where is this parameter documented?

Ah, sorry, typo: it is 'subdomains_provider' ('s' was missing), which is a
domain-specific option like the other *_provider options and is
described in the sssd.conf man page.

HTH

bye,
Sumit

> 
> Is it already available in package sssd-1.13.3-60.el6.x86_64 on
> RHEL/CentOS 6.10?
> 
> Is it a global or a domain-specific parameter?
> 
> We tried that (both global and domain), but no change.
> 
> Still all domains are tried which are found beneath
> DC=DomainDnsZones,DC=ad1,DC=example,DC=com. My impression is also that
> this is done recursively leading to sssd contacting 70+ domains...
> 
> > But depending on the other settings you might e.g. have to
> > set ldap_idmap_default_domain_sid to tell SSSD about the domain SID of
> > the local domain to make automatic id-mapping work.
> 
> No ID-mapping needed in this case. The MS AD entries contain uidNumber
> and gidNumber attributes.
> 
> Ciao, Michael.
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
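
Added example, not part of the original thread and not SSSD project code: a small checker for the two mistakes the exchange above turns on, the misspelled `subdomain_provider` and an option placed in the global `[sssd]` section instead of a `[domain/...]` section. The sample file is constructed from the option values quoted in the thread; the section layout, `id_provider = ad` and the function name `check_subdomains_provider` are assumptions.

```python
import configparser

# Constructed sample: option values from the thread, section layout assumed.
SAMPLE = """\
[sssd]
domains = ad1.example.com
subdomains_provider = none

[domain/ad1.example.com]
id_provider = ad
ad_enabled_domains = ad1.example.com
ad_server = dc1.ad1.example.com, dc2.ad1.example.com
ad_enable_dns_sites = false
subdomain_provider = none
"""

OPTION = "subdomains_provider"
MISSPELLED = "subdomain_provider"  # the typo corrected in the reply


def check_subdomains_provider(text):
    """Return a list of (section, finding) tuples for an sssd.conf string."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        is_domain = section.startswith("domain/")
        opts = cp[section]
        if MISSPELLED in opts:
            findings.append((section, "misspelled option: " + MISSPELLED))
        if OPTION in opts and not is_domain:
            # It is a domain-specific option, like the other *_provider options.
            findings.append((section, OPTION + " set outside a [domain/...] section"))
        if is_domain and OPTION not in opts:
            findings.append((section, OPTION + " not set in this domain section"))
        elif is_domain and opts[OPTION].strip().lower() != "none":
            findings.append((section, OPTION + " is not 'none'"))
    return findings


if __name__ == "__main__":
    for section, finding in check_subdomains_provider(SAMPLE):
        print(f"[{section}] {finding}")
```
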
