slow login with users from trusted domains via sssd due to usage of non-optimal AD servers
This document (000020828) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Enterprise Linux 12 SP5
SUSE Enterprise Linux 15SP2
SUSE Enterprise Linux 15SP3
SUSE Enterprise Linux 15SP4
SUSE Enterprise Linux 15SP2
SUSE Enterprise Linux 15SP3
SUSE Enterprise Linux 15SP4
Situation
You have configured sssd against your active directory domain, and want to use trusted domain users.
Login for these is however very slow.
Login for these is however very slow.
Resolution
Cause
Reason could be that sssd by default uses first AD server that it resolves from the trusted domain.
This AD server could however be on the other side of the globe and connection to it could be spotty/slow.
There are however nearby reachable servers that are reacting much faster.
Also on older versions of sssd it was ignoring the ad_server and ad_site settings for the trusted domain and instead using its internal resolution. See resolution section for fixed versions.
This AD server could however be on the other side of the globe and connection to it could be spotty/slow.
There are however nearby reachable servers that are reacting much faster.
Also on older versions of sssd it was ignoring the ad_server and ad_site settings for the trusted domain and instead using its internal resolution. See resolution section for fixed versions.
Additional Information
The documentation of sssd can be found here:
https://sssd.io/docs/ad/ad-provider.html
Man page
https://sssd.io/docs/ad/ad-provider.html
Man page
#man sssd #man sssd-ad
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000020828
- Creation Date: 26-Oct-2022
- Modified Date:03-Nov-2022
-
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
#Main domain section(for example purpose):
[domain/corp.example.com]
...
ad_server = server1.corp.example.com server2.corp.example.com
...
#Trusted domain section(for example purpose):
[domain/corp.example.com/trusted.example.com]
ad_server = server1.trusted.example.com server2.trusted.example.com
If your windows administrators have configured AD sites you could for example use this instead:
#Trusted domain section(for example purpose):
[domain/corp.example.com/trusted.example.com]
ad_site = northpole
Unless you are on SLES 15 SP4 already, please make sure that you are on the newest versions of sssd that contain necessary fixes.
The backporting of the fix was done in these versions:
SUSE Linux Enterprise Server 12-SP5: sssd-1.16.1-7.39.4
SUSE Linux Enterprise Server 15-SP2-LTSS: sssd-1.16.1-150200.17.23.1
SUSE Linux Enterprise Module for Basesystem 15-SP3: sssd-1.16.1-150300.23.34.1