
linux-announce - [Linux-announce] improved account/group information caching with sssd

linux-announce AT lists.psi.ch

Subject: Linux Mailing List

  • From: "Konrad Bucheli (PSI)" <konrad.bucheli AT psi.ch>
  • To: linux-announce AT lists.psi.ch
  • Subject: [Linux-announce] improved account/group information caching with sssd
  • Date: Wed, 9 Jul 2025 11:17:40 +0200

Dear Linux Admins

On our RHEL installations the sssd service is responsible for authentication and AD integration. Unfortunately sssd turned out to be rather inefficient when dealing with big AD setups. So just looking up the account information of a user with many groups can lead to > 40MB network traffic and may need more than one minute. This already led to problems on some systems. Currently that information is only cached for 5 minutes, so most of the time a lookup will be slow.

To improve the situation we plan to change the default configuration. The idea is to keep the information in the cache longer (> 12 hours) and refresh it automatically every 12 hours. So the user information lookup may be slow only the very first time, and afterwards sssd can always provide user information from the cache.

The downside is that changes in group membership in the AD will only be visible on your Linux machine the next day.

We have already implemented this behavior in the "preprod" Puppet environment. Without strong objections that change will reach production and thus all nodes next Tuesday 16 July.

If you need different behavior please check out our documentation where the possible configuration options are listed:

https://linux.psi.ch/admin-guide/configuration/basic/ad_integration.html#caching-ad-information

Besides, we are also in contact with Red Hat and hope to be able to convince them to improve sssd in this regard.

Feel free to contact linux-eng AT psi.ch if you have questions or remarks.

Kind regards

Konrad



--
Paul Scherrer Institut
Konrad Bucheli
Linux Systems Engineer
Core Linux Research Services
Science IT Infrastructure and Services department (AWI)
OBBA/230
Forschungstrasse 111
5232 Villigen PSI
Switzerland

Phone: +41 56 310 27 24
konrad.bucheli AT psi.ch
www.psi.ch
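
The trade-off in the announcement above (longer caching means AD group changes, including removals, reach a host later) can be checked per host. The following is an added example, not part of the original message and not PSI's configuration: it reads the cache options documented in sssd.conf(5) from each domain section and reports the longest time a cached entry may be served. The sample file, the domain name `example.test`, all values and the `audit` helper are constructed assumptions, and treating the larger cache timeout as the staleness bound is a simplification.

```python
import configparser

DEFAULT_ENTRY_TIMEOUT = 5400  # sssd.conf(5) default for entry_cache_timeout

# Constructed sample; values are illustrative, not PSI's production settings.
SAMPLE_CONF = """
[sssd]
domains = example.test

[domain/example.test]
id_provider = ad
entry_cache_timeout = 86400
refresh_expired_interval = 43200
"""

def audit(conf_text, max_stale=None):
    """Return {domain: report} for every [domain/...] section.

    max_stale is an optional site policy (seconds): the longest delay that is
    acceptable before an AD membership change becomes visible on the host.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    reports = {}
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        sec = cp[name]
        base = sec.getint("entry_cache_timeout", fallback=DEFAULT_ENTRY_TIMEOUT)
        # The per-type timeouts fall back to entry_cache_timeout when unset.
        user = sec.getint("entry_cache_user_timeout", fallback=base)
        group = sec.getint("entry_cache_group_timeout", fallback=base)
        refresh = sec.getint("refresh_expired_interval", fallback=0)  # 0 = off
        findings = []
        if refresh == 0:
            findings.append("no background refresh: expired entries are re-fetched on demand")
        elif refresh >= min(user, group):
            findings.append("refresh interval is not below the cache timeout: entries can expire first")
        stale = max(user, group)  # simplified upper bound on entry age
        if max_stale is not None and stale > max_stale:
            findings.append(f"AD changes may stay hidden for up to {stale}s (policy {max_stale}s)")
        reports[name.split("/", 1)[1]] = {
            "user_timeout": user, "group_timeout": group,
            "refresh_interval": refresh, "max_staleness": stale,
            "findings": findings,
        }
    return reports

if __name__ == "__main__":
    for domain, report in audit(SAMPLE_CONF, max_stale=3600).items():
        print(domain, report)
```

Hosts where group membership gates sensitive access can pass a small `max_stale` to flag domain sections that need a shorter cache lifetime than the new default.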
