On Tue, Jan 23, 2018 at 7:55 PM, Jakub Hrozek <jhrozek@redhat.com> wrote:

On Tue, Jan 23, 2018 at 12:44:03PM -0500, email--- via FreeIPA-users wrote:
> Hey All,
> Having some major issues with sudo and it appears the root cause is the time it takes sssd to resolve root as a local user when domain-resolution-order is enabled in ipa4.5, I do not have filter_users or filter_groups defined, so the default root user should be used (https://jhrozek.fedorapeople.org/sssd/1.15.2/man/sssd.conf.5.html) Manually adding this value has no effect.
>
> Versions:
> IPA 4.5
> SSSD 1.15.2
> Centos 7.4
>
> Currently it takes `time id root` about 8-16 seconds to finish depending on caches and firewalls.
> I have (2) forest trusts, a total of 7 domains + ipa itself, 3 of them listed in domain-resolution-order

I'm pretty sure I hit this and I thought Fabiano wrote a patch, but I
can't find neither the ticket nor the fix.

Fabiano, do you remember?

Here's the ticket: https://pagure.io/SSSD/sssd/issue/3460

By the way, I'm not subscribed to the freeipa-users ML. So, most likely, this message will be moderated (and in case it happens, please, forward the bug to the reporter).

Best Regards,

Fabiano Fidêncio