Details
Bug
Resolution: Not a Bug
Undefined
None
rhel-8.9.0, rhel-9.3.0
sst_idm_sssd
ssg_idm
False
Red Hat Enterprise Linux
Description
What were you trying to do that didn't work?
Logging in via ssh to a RHEL8/9 Linux machine takes minutes, whereas logging in as the same user while joined to the same AD server via an older version (sssd 1.15.6) is nearly instantaneous.
Please provide the package NVR for which bug is seen:
RHEL7.4~: sssd-1.15.6 (desired behaviour)
RHEL9.3/8.9: sssd-2.9.1
Steps to Reproduce:
1. Integrate the machine to an AD domain using sssd
2. Perform authentication (e.g., ssh)
Customer words:
Using sssd 1.15.6, a user logging in triggers no calls to get/set secondary group membership. On this system, everything still works but is lazily evaluated. After logging in, the first time the user runs "id -Gn", there is a delay before the secondary group information is retrieved. I think this is the proper behavior and I would like our RHEL9 systems to behave similarly. But I see no options in the sssd documentation to have sssd lazily evaluate calls to resolve name information.
On login, the user just wants access to the system. sssd needs to authenticate their password, read their uid and primary group gid and name from the identity server and that's it. I don't think it's necessary to a priori read all the user's secondary group information at all. sssd should wait until the user makes a system call asking for that information.
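
Added example, not part of the original report: a small Python harness that times the two NSS lookups the report distinguishes, the passwd entry (uid and primary gid) and the supplementary group list that `id -Gn` resolves, so the slow phase can be attributed on a given host. The function names and the 1-second threshold are assumptions made for illustration.

```python
import os
import pwd
import sys
import time


def time_call(fn, *args):
    """Run fn(*args) and return (result, elapsed seconds)."""
    start = time.perf_counter()
    result = fn(*args)
    return result, time.perf_counter() - start


def profile_lookup(username):
    """Time the passwd lookup and the group-list lookup separately.

    pwd.getpwnam() goes through NSS getpwnam(3); os.getgrouplist() goes
    through getgrouplist(3), the same call `id -Gn <user>` relies on.
    Cached answers return quickly, so only the first run after the cache
    entry expires reflects the cost of a fresh lookup.
    """
    entry, passwd_s = time_call(pwd.getpwnam, username)
    gids, groups_s = time_call(os.getgrouplist, username, entry.pw_gid)
    return {
        "user": username,
        "uid": entry.pw_uid,
        "primary_gid": entry.pw_gid,
        "group_gids": gids,
        "passwd_seconds": passwd_s,
        "groups_seconds": groups_s,
    }


def slow_phase(profile, threshold_s=1.0):
    """Return 'passwd' or 'groups' for the slowest phase if it took at
    least threshold_s seconds (assumed cut-off), otherwise None."""
    phases = {"passwd": profile["passwd_seconds"],
              "groups": profile["groups_seconds"]}
    name, seconds = max(phases.items(), key=lambda kv: kv[1])
    return name if seconds >= threshold_s else None


if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else "root"
    p = profile_lookup(user)
    print(f"{p['user']}: uid={p['uid']} gid={p['primary_gid']} "
          f"groups={len(p['group_gids'])}")
    print(f"passwd lookup: {p['passwd_seconds']:.3f}s, "
          f"group list: {p['groups_seconds']:.3f}s, slow phase: {slow_phase(p)}")
```

Run it with the affected domain account as the argument on both the sssd 1.15.6 and the sssd 2.9.1 host to compare the two phases side by side.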