Sumit,
thanks for your answer.
Sumit Bose <sbose(a)redhat.com> wrote:
> Michael Ströder wrote:
> > I'm currently trouble-shooting performance issues on CentOS 6.10 running
> > sssd 1.13.3 using sssd-ad as backend.
> >
> > Enumeration is already disabled.
> >
> > Also these options were set (DNS names obfuscated):
> > ad_enabled_domains = ad1.example.com
> > ad_server = dc1.ad1.example.com, dc2.ad1.example.com
> > ad_enable_dns_sites = false
> >
> > Looking sssd still asks various naming contexts of the *many* other
> > trusted domains.
> >
> > Any clue how to effectively disable all "foreign" lookups?
> ad_enabled_domains will ignore requests looking up users and groups from
> domains not listed but I guess if a user from domain ad1.example.com is
> a member of a group from ad2.example.com this group will still be looked
> up.
Fortunately every group needed should be in forest ad1.example.com.
> Setting 'subdomain_provider = none' should disable all kind of domain
> discovery.
I couldn't find this in the man pages.
Where is this parameter documented?
Is it already available in package sssd-1.13.3-60.el6.x86_64 on
RHEL/CentOS 6.10?
Is it a global or a domain-specific parameter?
We tried that (both global and domain), but no change.
Still all domains are tried which are found beneath
DC=DomainDnsZones,DC=ad1,DC=example,DC=com. My impression is also that
this is done recursively leading to sssd contacting 70+ domains...
> But depending on the other setting you might e.g. have to
> set ldap_idmap_default_domain_sid to tell SSSD about the domain SID of
> the local domain to make automatic id-mapping work.
No ID-mapping needed in this case. The MS AD entries contain uidNumber
and gidNumber attributes.
Ciao, Michael.
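For reference, an sssd.conf domain section that gathers the settings discussed in this thread in one place; this is an added illustration, not a configuration posted by either participant. It uses the obfuscated hostnames from the thread and assumes, as Michael states, that uidNumber/gidNumber are maintained in AD, so SID-based id-mapping is switched off with ldap_id_mapping = false; all options shown are domain-section options according to sssd.conf(5) and sssd-ad(5).

```ini
# /etc/sssd/sssd.conf (added example, not from the thread)
[sssd]
services = nss, pam
domains = ad1.example.com

[domain/ad1.example.com]
id_provider = ad

# No full user/group enumeration (already the case in the thread)
enumerate = false

# Restrict lookups to the local domain and to known DCs
# (hostnames are the obfuscated ones from the thread)
ad_enabled_domains = ad1.example.com
ad_server = dc1.ad1.example.com, dc2.ad1.example.com
ad_enable_dns_sites = false

# Disable discovery of trusted (sub)domains, as suggested by Sumit
subdomain_provider = none

# POSIX attributes are populated in AD, so do not derive ids from SIDs;
# with this setting ldap_idmap_default_domain_sid is not needed
ldap_id_mapping = false

# Raise only while troubleshooting: the domain log
# /var/log/sssd/sssd_ad1.example.com.log then shows which servers and
# naming contexts sssd actually contacts, which is the check for whether
# "foreign" lookups are still happening
debug_level = 6
```

After changing sssd.conf, restart sssd and clear its cache (sss_cache -E) before re-checking the log, otherwise cached group memberships from other domains can still trigger lookups.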