This sounds very familiar to something we recently encountered.

Are you having login/sudo times on the order of 3-5 mins? Did this start
around the July time frame? Do you have additional untrusted lab AD
domains used for testing? Are those lab domains possibly inaccessible to
particular servers? Does sssctl domain-list show additional domains more
than the expected trusted domains?

Spike

On Fri, Oct 8, 2021 at 2:42 AM Robert Wagensveld <robertwagensv...@live.nl>
wrote:

> Hi all, I was hoping you could help me with this, as I am essentially
> clueless by this point. Even setting debug logging to 8 does not give much
> information as to what the problem might be.
> I have chosen to set the enum_cache_timeout to a high value, e.g. 26000
> seconds. This is because we have a very large environment in terms of AD
> groups (we use Kerberos over LDAP) and this takes a long time to retrieve
> all groups. Weird part is, although this helped on some clients, it does
> not actually reduce login/sudo times on others. I have set the following
> values in sssd.conf:
> entry_cache_nowait_percentage = 50
> entry_cache_timeout = 60
>
> My reason for this is that defining a value for the nowait percentage
> automatically updates entries in the background. Not sure if I set the
> percentage right though. https://linux.die.net/man/5/sssd.conf
> What is wise to do in this regard? My desired behavior would be that it
> returns entries from cache even while offline as often as possible, and
> updates the cache in the background. I don't want users to have to wait for
> SSSD to iterate through all our insane amounts of groups in the foreground.
>
> Thanks in advance!
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>