Slow login for users from trusted domains via sssd due to use of non-optimal AD servers

This document (000020828) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Enterprise Linux 12 SP5
SUSE Enterprise Linux 15 SP2
SUSE Enterprise Linux 15 SP3
SUSE Enterprise Linux 15 SP4

Situation

You have configured sssd against your Active Directory domain and want to use users from a trusted domain.

However, login for these users is very slow.
 

Resolution

Configure the ad_server or ad_site for the trusted domain in /etc/sssd/sssd.conf:

# Main domain section (example):
[domain/corp.example.com]
  ...
  ad_server = server1.corp.example.com server2.corp.example.com
  ...
# Trusted domain section (example):
[domain/corp.example.com/trusted.example.com]
  ad_server = server1.trusted.example.com server2.trusted.example.com


If your Windows administrators have configured AD sites, you can instead use, for example:

# Trusted domain section (example):
[domain/corp.example.com/trusted.example.com]
  ad_site = northpole


Unless you are already on SLES 15 SP4, make sure that you are running the newest version of sssd, which contains the necessary fixes.

The fix was backported in these versions:
SUSE Linux Enterprise Server 12-SP5: sssd-1.16.1-7.39.4
SUSE Linux Enterprise Server 15-SP2-LTSS: sssd-1.16.1-150200.17.23.1
SUSE Linux Enterprise Module for Basesystem 15-SP3: sssd-1.16.1-150300.23.34.1
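
To check an existing sssd.conf for trusted domains that still rely on default server discovery, the following Python script (an added example, not part of the SUSE article or of sssd) reports which [domain/<main>/<trusted>] subsections set ad_server or ad_site. The function names, the sample configuration and the partner.example.com and lab.example.com domains are constructed for illustration.

```python
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
PIN_KEYS = ("ad_server", "ad_site")  # the two options named in the Resolution section

def parse_sssd_conf(text):
    """Minimal INI reader for sssd.conf: {section_name: {option: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # skip blank lines and comments
        match = SECTION_RE.match(line)
        if match:
            current = sections.setdefault(match.group(1).strip(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def audit_trusted_domains(text, main_domain, trusted_domains):
    # Per trusted domain: dict of pinning options found, {} if the subsection
    # exists without ad_server/ad_site, None if there is no subsection at all.
    sections = parse_sssd_conf(text)
    report = {}
    for trusted in trusted_domains:
        section = sections.get(f"domain/{main_domain}/{trusted}")
        report[trusted] = (None if section is None
                           else {k: section[k] for k in PIN_KEYS if k in section})
    return report

# Constructed sample configuration (not from a real system).
SAMPLE_CONF = """
[sssd]
domains = corp.example.com

[domain/corp.example.com]
  id_provider = ad
  ad_server = server1.corp.example.com server2.corp.example.com

[domain/corp.example.com/trusted.example.com]
  ad_site = northpole

[domain/corp.example.com/partner.example.com]
  use_fully_qualified_names = True
"""
EXPECTED = ["trusted.example.com", "partner.example.com", "lab.example.com"]

if __name__ == "__main__":
    for domain, pins in audit_trusted_domains(SAMPLE_CONF, "corp.example.com", EXPECTED).items():
        print(domain, "->", pins if pins else "NOT PINNED (default server discovery)")
```

To audit a real host, pass the contents of /etc/sssd/sssd.conf (readable by root only) and your own list of trusted domains in place of the sample values.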
 

Cause

A possible reason is that sssd by default uses the first AD server that it resolves from the trusted domain.
That AD server could be on the other side of the globe, with a spotty or slow connection to it,
even though nearby reachable servers respond much faster.

In addition, older versions of sssd ignored the ad_server and ad_site settings for the trusted domain and used their internal resolution instead. See the Resolution section for the fixed versions.
 

Additional Information

The documentation of sssd can be found here:
https://sssd.io/docs/ad/ad-provider.html

Man pages:
# man sssd
# man sssd-ad

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000020828
  • Creation Date: 26-Oct-2022
  • Modified Date: 03-Nov-2022
    • SUSE Linux Enterprise Server
    • SUSE Linux Enterprise Server for SAP Applications
