Hi :)

1) sssd in this thread is sssd-1.11.6-30.el6_6.4.x86_64
2) sssd_nss.log:

many,many requests...
(sample)

(Mon Jul 20 18:58:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [_hd_notice@domain.local]
(Mon Jul 20 18:58:02 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x418850:1:_hd_notice@domain.local]
(Mon Jul 20 18:58:02 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [domain.local][4097][1][name=_hd_notice]
(Mon Jul 20 18:58:02 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x418850:1:_hd_notice@domain.local]

Can't load all logs :)

So, the problem is a user who has a lot of nested groups in AD.

2) 
If you're running a recent enough version, maybe the background refresh
would be useful..

refresh_expired_interval?
Tuesday, 21 July 2015, 10:08 +02:00 from Jakub Hrozek <jhrozek@redhat.com>:

On Tue, Jul 21, 2015 at 10:59:25AM +0300, Евгений wrote:
> Hi All!
>
> Works very well with the sssd+ad provider, but sudo su - is very slow when run the first time (running again: <1 sec),
> user1@host$ sudo su - (slow, ~8-15 sec).
>
> user1 is a domain user, member of many groups (300+) in Active Directory.
>
> /etc/sssd/sssd.conf:
>
> [domain/default]
> cache_credentials = true
> ignore_group_members = true
>
> [domain/domain.local]
> debug_level = 6
> id_provider = ad
> ad_server = msa-dc13.domain.local, msk-dc11.domain.local
> ad_domain = domain.local
> ad_hostname = msa-mailsys1.domain.local
> override_homedir = /home/%u
> override_shell = /bin/bash
> ignore_group_members = true
>
> # FILTER
> access_provider = simple
> simple_allow_groups = ROL-Linux-Admin
>
> [sssd] 
> services = nss, pam, sudo
> cache_credentials = true
> config_file_version = 2
> domains = domain.local
> [nss] 
> debug_level= 6
> [pam] 
>
> [sudo] 
> #debug_level = 9
>
>
> In /var/log/sssd/sssd_nss.log there are many more requests to the domain when sudo is run the first time.

Yeah, I guess the groups are not cached the first time around.

What SSSD versions are you running?

Can you attach the nss and domain log so we can see what exactly is being
requested? You're already using ignore_group_members which would be my
guess..

If you're running a recent enough version, maybe the background refresh
would be useful..

btw feel free to drop the [domain/default] section, it's not used
anywhere..


> Is it possible to cache operations with sudo, or is there some other way to get around the problem?
>
> -- 
> Eugene

> _______________________________________________
> sssd-users mailing list
> sssd-users@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users

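To put numbers on the "many, many requests" observation above, here is a small log summariser. It is an added example, not code from the thread or from the SSSD project: it parses the sssd_nss.log line layout shown in the thread (timestamp, service, function name, debug level, message), counts per looked-up name how many nss_cmd_getpwnam_search lookups occurred and how many of them were forwarded to the data provider (sss_dp_issue_request lines, which this example treats as backend round trips), and reports the time span of the burst. The sample log embedded below is constructed for the example (the first four lines are the ones quoted in the thread, the rest are made up in the same format); SAMPLE_LOG, parse_line, summarize and noisy_names are the example's own names.

```python
"""Summarise request volume in an sssd_nss.log excerpt.

Added example, not part of the sssd-users thread or the SSSD project.
Assumption: a "sss_dp_issue_request ... Issuing request for [id:n:name]"
line means the nss responder asked the data provider (the AD backend)
for that name, so counting those lines per name shows how many backend
round trips a single 'sudo su -' triggers before the cache is warm.
"""
import re
from collections import defaultdict
from datetime import datetime

# (Mon Jul 20 18:58:02 2015) [sssd[nss]] [func] (0x0400): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<svc>[^\]]+)\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# "Requesting info for [user@domain]"  -> user@domain
LOOKUP_RE = re.compile(r"Requesting info for \[(?P<name>[^\]]+)\]")
# "Issuing request for [0x418850:1:user@domain]" -> user@domain
BACKEND_RE = re.compile(r"Issuing request for \[[^:\]]+:\d+:(?P<name>[^\]]+)\]")

# Constructed sample: the first four lines are quoted from the thread, the
# rest are invented in the same format to show a repeated lookup and a
# name that was answered from cache without a backend request.
SAMPLE_LOG = """\
(Mon Jul 20 18:58:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [_hd_notice@domain.local]
(Mon Jul 20 18:58:02 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x418850:1:_hd_notice@domain.local]
(Mon Jul 20 18:58:02 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [domain.local][4097][1][name=_hd_notice]
(Mon Jul 20 18:58:02 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x418850:1:_hd_notice@domain.local]
(Mon Jul 20 18:58:05 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [_hd_notice@domain.local]
(Mon Jul 20 18:58:05 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x418850:1:_hd_notice@domain.local]
(Mon Jul 20 18:58:09 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [user1@domain.local]
(Mon Jul 20 18:58:09 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [user1@domain.local]
this line is not in sssd log format and is skipped
"""


def parse_line(line):
    """Split one sssd log line into its fields; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return {"ts": ts, "svc": m.group("svc"), "func": m.group("func"),
            "level": m.group("lvl"), "msg": m.group("msg")}


def summarize(log_text):
    """Per name: number of nss lookups, number forwarded to the backend,
    and the number of seconds between the first and last matching line."""
    stats = defaultdict(lambda: {"lookups": 0, "backend": 0, "first": None, "last": None})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["func"] == "nss_cmd_getpwnam_search":
            m, key = LOOKUP_RE.search(rec["msg"]), "lookups"
        elif rec["func"] == "sss_dp_issue_request":
            m, key = BACKEND_RE.search(rec["msg"]), "backend"
        else:
            continue  # other functions (cache internals etc.) are not counted
        if not m:
            continue
        s = stats[m.group("name")]
        s[key] += 1
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
    return {
        name: {"lookups": s["lookups"], "backend": s["backend"],
               "seconds": (s["last"] - s["first"]).total_seconds()}
        for name, s in stats.items()
    }


def noisy_names(summary, min_backend=2):
    """Names that hit the backend at least min_backend times, busiest first."""
    hits = [n for n, s in summary.items() if s["backend"] >= min_backend]
    return sorted(hits, key=lambda n: -summary[n]["backend"])


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for name, s in result.items():
        print(f"{name}: {s['lookups']} lookups, {s['backend']} backend requests over {s['seconds']:.0f}s")
    print("noisy:", noisy_names(result))
```

Run it against a real sssd_nss.log (replace SAMPLE_LOG with the file contents) right after the first slow "sudo su -": a name with a high backend count over a few seconds is exactly the symptom discussed in the thread, and the same count taken again after the cache is warm, or after enabling the background refresh Jakub mentions, shows whether the change actually removed the round trips.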