On Fri, Nov 16, 2018 at 11:55:28AM +0100, Michael Ströder wrote: > Sumit, > > thanks for your answer. > > Sumit Bose <sb...@redhat.com> wrote: > > Michael Ströder wrote: > >> I'm currently trouble-shooting performance issues on CentOS 6.10 running > >> sssd 1.13.3 using sssd-ad as backend. > >> > >> Enumeration is already disabled. > >> > >> Also these options were set (DNS names obfuscated): > >> ad_enabled_domains = ad1.example.com > >> ad_server = dc1.ad1.example.com, dc2.ad1.example.com > >> ad_enable_dns_sites = false > >> > >> Looking sssd still asks various naming contexts of the *many* other > >> trusted domains. > >> > >> Any clue how to effectively disable all "foreign" lookups? > > > > ad_enabled_domains will ignore requests looking up users and groups from > > domains not listed but I guess if a user from domain ad1.example.com is > > a member of a group from ad2.example.com this group will still be looked > > up. > > Fortunately every group needed should be in forest ad1.example.com. > > > Setting 'subdomain_provider = none' should disable all kind of domain > > discovery. > > I couldn't find this in the man pages. > > Where is this parameter documented?
Ah, sorry, typo it is 'subdomains_provider' ('s' was missing) which is a domain specific option like the other *_provider options and is described in the sssd.conf man page. HTH bye, Sumit > > Is it already available in package sssd-1.13.3-60.el6.x86_64 on > RHEL/CentOS 6.10? > > Is it a global or a domain-specific parameter? > > We tried that (both global and domain), but no change. > > Still all domains are tried which are found beneath > DC=DomainDnsZones,DC=ad1,DC=example,DC=com. My impression is also that > this is done recursively leading to sssd contacting 70+ domains... > > > But depending on the other stetting you might e.g. have to > > set ldap_idmap_default_domain_sid to tell SSSD about the domain SID of > > the local domain to make automatic id-mapping work. > > No ID-mapping needed in this case. The MS AD entries contains uidNumber > and gidNumber attributes. > > Ciao, Michael. _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org