Did you check how long a single group typically takes? Since you're
already using ignore_group_members, it should be pretty swift.
Ok, check it out.
Вторник, 21 июля 2015, 11:37 +02:00 от Jakub Hrozek
<jhrozek(a)redhat.com>:
On Tue, Jul 21, 2015 at 12:29:39PM +0300, Евгений wrote:
> Hi :)
>
> 1) sssd in this thread is - sssd-1.11.6-30.el6_6.4.x86_64
> 2) sssd_nss.log:
>
> many,many requests...
> (sample)
>
> (Mon Jul 20 18:58:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting
info for [_hd_notice(a)domain.local]
> (Mon Jul 20 18:58:02 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing
request for [0x418850:1:_hd_notice@domain.local]
> (Mon Jul 20 18:58:02 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating
request for [domain.local][4097][1][name=_hd_notice]
> (Mon Jul 20 18:58:02 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering
request [0x418850:1:_hd_notice@domain.local]
> Cant load all logs:)
Did you check how long a single group typically takes? Since you're
already using ignore_group_members, it should be pretty swift.
>
> So,problem is a user who has a lot of nested groups in AD.
> 2)
> If you're running a recent enough version, maybe the background refresh
> would be useful..
>
> refresh_expired_interval?
Yes, but you're running RHEL/CentOS 6.6, that's not recent enough,
sorry. The background refresh will be released in 6.7 (which is supposed
to be out Any Day Now)
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users