I'm wondering if there are any plans to improve sssd performance on large Active
Directory domains (100k+ users, 40k+ groups), or if there are settings I am not aware of
that can greatly improve performance, specifically for workstation use cases.

Currently, if I do not set "ignore_group_members = True" in sssd.conf, logins can
take upwards of 6 minutes and "sssd_be" will max the CPU for up to 20 minutes
after logon, which makes it a non-starter. The reason I want to allow group members to be
seen is that I want certain domain groups to be able to perform elevated actions using
polkit. If I ignore group members, polkit reports that the group is empty and so no one
can elevate in the graphical environment.

Ultimately this means that Linux workstations are at a severe disadvantage since they
cannot be bound to the domain and have the normal set of access features users and IT
expect from macOS or Windows.

Distributions used: Ubuntu 16.04 (sssd 1.13.4-1ubuntu1.1), Ubuntu 16.10 (sssd 1.13.4-3)
and Fedora 24 (sssd-1.13.4-3.fc24). All exhibit the same problems.

I've also tried "ldap_group_nesting_level = 1" without seeing any noticeable
improvement with respect to performance. Putting the database on /tmp isn't viable as
these are workstations that will reboot semi-frequently, and I don't believe this is
an I/O-bound performance issue anyway.

Thanks for your time.