sssd equivalent of nss_ldap nss_getgrent_skipmembers

Solution Unverified - Updated -

Issue

How do I make sssd not look up the members of groups, but just perform a gid<->name mapping as was possible with nss_ldap?

Also, it seems any other lookups are blocked while the long-running query for the group membership is performed, resulting in timeouts and failed lookups.

Our groups with many members take ridiculously long to resolve:

# time getent group members
[...]
real    1m29.589s
user    0m0.006s
sys     0m0.003s

# time getent group students
[...]
real    0m44.735s
user    0m0.007s
sys     0m0.002s

And people in those groups are severely impacted:

# time id -a cpcrudo
[...]
real    2m14.719s

Environment

  • Red Hat Enterprise Linux 6
  • sssd 1.8/1.9
