[Freeipa-users] Can too many group memberships for an AD user cause SSSD or IPA problems?
Jakub Hrozek
jhrozek at redhat.com
Sat Feb 4 11:48:29 UTC 2017
On Fri, Feb 03, 2017 at 09:54:01AM -0500, Chris Dagdigian wrote:
>
> I've got a case where "id <user>@AD-DOMAIN" hangs forever after partially
> resolving and I think it may because they are in way too many AD groups?
I don't think id should hang totally (at the very least, there is a NSS
timeout that should eventually kick in).
>
> The 'id' command resolve the user but hangs before completing. There is a
> large amount of group data returned from the AD forest for this user and the
> 'id' command seems to pause/hang right at the 3024th character returned.
>
> Looking for pointers / tips. I'm thinking the AD user is in way too many
> groups but I don't know if this is a real limit or what the limit may be.
> Any other reason why an 'id' command may start to work but hang before
> completion for an AD-defined user?
I would tail the sssd logs on the client and server to see if the
command really hangs or 'just' processes some super-large group.
Also, see:
https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/
More information about the Freeipa-users
mailing list