SSSD With Large AD and Groups

Does anybody have experience with SSSD and a large Active Directory? We have over 150,000 user accounts and 25,000 groups, and a significant number of GPOs as well. I've received reports that RHEL servers that authenticate against our AD can experience login times of up to 10 minutes, which I assume has to do with how it is enumerating groups and group memberships. Other servers seem to not have any problems at all.

I've tried modifying the sssd.conf file to ignore nested groups, but even still users report slow logins. Are there any other ideas on how to improve login times? Maybe it isn't group related at all? Any other known sources of slow login?

Thanks!

Responses