[Freeipa-users] Really slow logins with AD SID Mapping vs. POSIX

Gould, Joshua Joshua.Gould at osumc.edu
Fri Mar 20 13:41:08 UTC 2015


Updated:
  libipa_hbac.x86_64 0:1.12.2-58.el7_1.6.1
  libipa_hbac-python.x86_64 0:1.12.2-58.el7_1.6.1
  libsss_idmap.x86_64 0:1.12.2-58.el7_1.6.1
  libsss_nss_idmap.x86_64 0:1.12.2-58.el7_1.6.1
  libsss_nss_idmap-python.x86_64 0:1.12.2-58.el7_1.6.1
  python-sssdconfig.noarch 0:1.12.2-58.el7_1.6.1
  sssd.x86_64 0:1.12.2-58.el7_1.6.1
  sssd-ad.x86_64 0:1.12.2-58.el7_1.6.1
  sssd-client.x86_64 0:1.12.2-58.el7_1.6.1
  sssd-common.x86_64 0:1.12.2-58.el7_1.6.1
  sssd-common-pac.x86_64 0:1.12.2-58.el7_1.6.1
  sssd-ipa.x86_64 0:1.12.2-58.el7_1.6.1
  sssd-krb5.x86_64 0:1.12.2-58.el7_1.6.1
  sssd-krb5-common.x86_64 0:1.12.2-58.el7_1.6.1
  sssd-ldap.x86_64 0:1.12.2-58.el7_1.6.1
  sssd-proxy.x86_64 0:1.12.2-58.el7_1.6.1
  sssd-tools.x86_64 0:1.12.2-58.el7_1.6.1


It's dramatically faster. Thank you!

Mar 20 09:38:46 mid-ipa-vp01 sshd[3081]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.234.49.39  user=gould
Mar 20 09:38:46 mid-ipa-vp01 sshd[3081]: pam_sss(sshd:auth):
authentication success; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.234.49.39 user=gould
Mar 20 09:38:48 mid-ipa-vp01 sshd[3081]: Accepted password for gould from
10.134.249.39 port 60170 ssh2
Mar 20 09:38:48 mid-ipa-vp01 sshd[3081]: pam_unix(sshd:session): session
opened for user gould by (uid=0)



On 3/20/15, 4:18 AM, "Jakub Hrozek" <jhrozek at redhat.com> wrote:

>On Thu, Mar 19, 2015 at 05:29:39PM -0400, Gould, Joshua wrote:
>> Thank you!
>
>You're welcome, please try these builds:
>https://urldefense.proofpoint.com/v2/url?u=https-3A__jhrozek.fedorapeople.
>org_sssd-2Dtest-2Dbuilds_sssd-2D7.1-2Dgr-2Drequest_&d=AwIBAg&c=k9MF1d71ITt
>kuJx-PdWme51dKbmfPEvxwt8SFEkBfs4&r=C8H0y1Bn8C6Mf5i9qrqkUDy3xSk8zPbIs_SvJwo
>jC24&m=Q_JEJ-95yaJpaXtkuLwVxfpPN9Dm_PXXZhd4bG1d0ZY&s=6dKxT6QZrN5FoquwdwM62
>Y4GJFQ6QqWn6Y6aGj4CXIc&e=
>
>But please note that when POSIX attributes are requested, the lookups
>will /always/ be slower. With ID mapping, we can do just a single
>base-scoped lookup to retrieve the multi-valued tokenGroups attribute
>and map the SIDs to IDs. With POSIX attributes, we must simply go to the
>server for each group and look up the GID.
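
The ID-mapping path described in the quoted reply, as an added example that is not part of the original thread or of SSSD's code: it decodes binary SIDs as they appear in a tokenGroups result and derives GIDs locally, with no per-group server lookup. The range base and size, the domain SID, the sample values and the helper names are assumptions made for this illustration; how SSSD selects a range for a domain is not reproduced here.

```python
import struct

# Assumed ID range for the example domain (constructed for this illustration).
RANGE_BASE = 200000
RANGE_SIZE = 200000

def sid_to_str(raw: bytes) -> str:
    """Decode one binary SID (one tokenGroups value) into S-1-... form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])     # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def map_token_groups(values, domain_sid):
    """Map each SID of domain_sid to a GID locally; no extra lookups needed."""
    gids = {}
    for raw in values:
        sid = sid_to_str(raw)
        prefix, _, rid = sid.rpartition("-")
        if prefix != domain_sid:
            continue  # builtin or foreign-domain SID: outside this range
        rid = int(rid)
        if rid >= RANGE_SIZE:
            raise ValueError("RID %d does not fit in the range" % rid)
        gids[sid] = RANGE_BASE + rid
    return gids

def build_sid(sid: str) -> bytes:
    """Hypothetical helper: encode a string SID to build sample input."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    head = bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
    return head + struct.pack("<%dI" % len(subs), *subs)

# Constructed sample data, standing in for one base-scoped tokenGroups result.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_TOKEN_GROUPS = [
    build_sid(DOMAIN_SID + "-513"),
    build_sid(DOMAIN_SID + "-1105"),
    build_sid("S-1-5-32-545"),
]

if __name__ == "__main__":
    for sid, gid in map_token_groups(SAMPLE_TOKEN_GROUPS, DOMAIN_SID).items():
        print(sid, "->", gid)
```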





