CentOS 7 sssd with AD – getent passwd slow in response

active-directorycentos7sssd

CentOS 7 + SSSD + AD

AD user is created through bash script. To confirm the AD user account is created I am using getent passwd <username>. It is not returning the user account created in AD immediately, but it is returning the user account after a minute or so when using the same getent passwd <username>.

Is there any config parameter to change in sssd.conf?

Best Answer

This is expected, enumerating all users and storing them to the cache (with enumerate=True) is expensive and runs only periodically.

Running getent passwd $username should yield the user immediatelly, though.

Related Solutions

Linux – vsFTPd authenticating with SSSD

I first checked the shell settings and added the following line to my /etc/sss/sssd.conf:

[domain/example.org]
override_shell = /sbin/rbash

but this didn't solve the problem.

After commenting out the line

account  [default=bad success=ok user_unknown=ignore]  pam_sss.so

in /etc/pam.d/common-auth active directory users can login with their AD account.

But this setting affects more login services than just vsftpd. So I removed the comment from that line (going back to the original version) and changed vsftpd'd pam configuration instead:

/etc/pam.d/vsftpd:

# Standard behaviour for ftpd(8).
auth  required   pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed

# Note: vsftpd handles anonymous logins on its own. Do not enable pam_ftp.so.

# Standard pam includes

##@include common-account
account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so 
account requisite      pam_deny.so
account required       pam_permit.so
account sufficient     pam_localuser.so 

@include common-session
@include common-auth
auth    required       pam_shells.so

Ldap – Filter getent passwd output with SSSD

The only option to achieve this is to create an LDAP filter string to be used by the ldap_user_search_base config parameter (syntax: search_base[?scope?[filter][?search_base?scope?[filter]]*]).

This must be a valid RFC 2254 filter, and will likely somehow incorporate your ldap_access_filter into the ldap_user_search_base.

The reason for this is that applying the access filter is a second step after checking if an account exists, which will not be done by getent.

Best Answer

Related Solutions

Linux – vsFTPd authenticating with SSSD

Ldap – Filter getent passwd output with SSSD

Related Topic