On Thu, 2022-08-25 at 19:41 +0100, Sam Morris via FreeIPA-users wrote:
Interesting. After installing sssd on a fresh system there isn't
an
/etc/sssd/sssd.conf file. I guess ipa-client-install ultimately needs
to
make sure it's not enabling services that are already enabled via
socket
activation. Then again I don't know if having duplicates of these
responders is actaully causing a problem or whether it just results
in a
bit of wasted memory and extra log messages.
I think it actually breaks sssd and prevents it or the responders from
working properly. If I'm bored, I'll have to try it out again.
>
No problem. Ubuntu's login script is really idiotic and caused no end
of
pain for me & my users. But it seems no one is reading the bug
reports...
It worked for me. This is awesome. Thanks again.
I took it to the next step and applied an ID View for an AD user to
change the user's UID and GID. The user could no longer login and that
group enumeration problem popped up again: sssd_idm.domain.com.log was
spitting out groups and group members like it was before the change to
/etc/bash.bashrc. I couldn't even look up the user anymore. I had to
stop sssd, delete everything in /var/lib/sss/db/, unapply the ID View
on the host and start sssd to get logins and user lookups working
again. :/
You'll also want to tell sssd to not include group members when
group
info is looking up--that tweak also makes a huge difference the 1st
time
a user logs in. You want:
ignore_group_members = true
subdomain_inherit = ignore_group_members
I did that on the masters. I believe it's helping, but the test Ubuntu
22 client is still slower than a CentOS 7 server I converted from NIS
auth to a freeipa client.
BTW, I have 26 masters spread out all over the planet. I'm using ad
sites and ipa locations to make sure clients aren't reaching out to
sites that are far away. I don't know for sure if this setup is causing
any issues, though so far it seems to be OK.
--
Ranbir