I want to get some links to the relevant bugs into this old thread for the benefit of anyone finding this thread in the archives...
>> Currently if I do not set "ignore_group_members = True" in sssd.conf,
>> logins can take upwards of 6 minutes and "sssd_be" will max the CPU for
>> up to 20 minutes after logon, which makes it a non-starter. The reason
>> I want to allow group members to be seen is that I want certain domain
>> groups to be able to perform elevated actions using polkit. If I ignore
>> group members, polkit reports that the group is empty and so no one can
>> elevate in the graphical environment.

> I would say here polkit could be improved in addition to sssd. If polkit
> is calling getgr* to find if a user is a member of a certain group it's
> neither going to be precise nor will that work on large environments.
>
> Did you ask on a polkit list why it's evaluating membership in a group
> with getgr*?

I think Polkit does this so that it can provide the authentication agent with a list of users for the user to choose from.

There's this on sssd-devel:

https://lists.freedesktop.org/archives/polkit-devel/2016-November/000514.html

and this in Red Hat's Bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=1214026

And there's this Polkit issue:

https://gitlab.freedesktop.org/polkit/polkit/-/issues/24

-- 
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
