On 25/08/2022 19:06, Ranbir via FreeIPA-users wrote:
On Thu, 2022-08-25 at 18:44 +0100, Sam Morris via FreeIPA-users wrote:
I thought krb5-pkinit is only needed if you want to use PKINIT? sssd
uses the host/$HOSTNAME principal to establish a FAST channel for
pre-authentication, so I don't see how krb5-pkinit affects things?
My goal there was to just get rid of the error. We're not using
smartcards so it didn't really matter that an error for the missing
shared library was recorded. It's hard to tell when an error in the log
is actually just informational or causing other real problems.
I thought 'services = pac' was the default in Debian & that Ubuntu would
inherit this?
On a fresh Ubuntu 22 host after installing freeipa-client and enrolling
it into freeipa, the services line that gets added to sssd.conf
contains more than just "pac". That in and of itself is a problem in
Ubuntu because the sockets for the responders are enabled by default.
After figuring out why I was seeing startup errors in the journal, I
nuked the whole line. But, that broke the pac responder and I didn't
catch that until a couple of days ago.
Interesting. After installing sssd on a fresh system there isn't an
/etc/sssd/sssd.conf file. I guess ipa-client-install ultimately needs to
make sure it's not enabling services that are already enabled via socket
activation. Then again I don't know if having duplicates of these
responders is actually causing a problem or whether it just results in a
bit of wasted memory and extra log messages.
I did try socket-activating the pac responder, but I found that sssd
would always launch its own pac responder in addition to the
socket-activated one, so sssd-pac.socket is left disabled by default.
Yes, that's what I ended up doing a couple of days ago.
This could be caused by Ubuntu's extremely annoying login script that
looks up every member of every AD group that you're a member of when you
log in.
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1863894
Apply my modification to my script or just disable it and see if your
logins are any quicker.
Ah, that explains why I was seeing in the logs every single user of
every group being looked up. I was trying to figure out why Ubuntu was
doing that. I surmised it had to do with some customization in Ubuntu's
login procedure. I just didn't know where to look.
Thank you for that tip. I'll give your changes a shot.
No problem. Ubuntu's login script is really idiotic and caused no end of
pain for me & my users. But it seems no one is reading the bug reports...
You'll also want to tell sssd not to include group members when looking
up group info; that tweak also makes a huge difference the first time a
user logs in. You want:
ignore_group_members = true
subdomain_inherit = ignore_group_members
See
<https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/>
for more info.
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
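The two sssd.conf problems discussed in this thread (responders listed on the `services =` line that are also socket-activated by systemd, and a domain section missing `ignore_group_members` / `subdomain_inherit`) are easy to audit mechanically. The script below is an added example written for this page, not code from the thread, from SSSD or from FreeIPA. The sample sssd.conf embedded in it is constructed to resemble what ipa-client-install writes on an Ubuntu 22.04 client; the hostnames and domain in it are made up, and the list of responder names is the standard set of SSSD responders, which is an assumption about the installed version.

```python
import configparser
import json
import subprocess

# Constructed sample sssd.conf (not from any real host): the shape of what
# ipa-client-install writes, with the group-lookup tuning from the thread
# added to the domain section. Hostnames and domain are made up.
SAMPLE_SSSD_CONF = """\
[domain/ipa.example.test]
id_provider = ipa
ipa_server = _srv_, ipa1.ipa.example.test
ipa_domain = ipa.example.test
ipa_hostname = client1.ipa.example.test
krb5_store_password_if_offline = True
cache_credentials = True
access_provider = ipa
ignore_group_members = true
subdomain_inherit = ignore_group_members

[sssd]
services = nss, pam, ssh, sudo, pac
domains = ipa.example.test

[nss]
homedir_substring = /home

[pam]

[sudo]

[ssh]

[pac]
"""


def parse_sssd_conf(text):
    """sssd.conf is INI-style; configparser handles it. strict=False tolerates
    duplicated keys that hand-edited files sometimes contain."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def listed_services(cp):
    """Responders the sssd monitor will start itself (the services= line)."""
    return _csv(cp.get("sssd", "services", fallback=""))


def enabled_sssd_sockets():
    """Ask systemd which sssd-*.socket units are enabled and map them to
    responder names ('sssd-pam-priv.socket' counts as 'pam'). Returns an
    empty set if systemctl is unavailable, e.g. when run off-host."""
    try:
        out = subprocess.run(
            ["systemctl", "list-unit-files", "--type=socket",
             "--state=enabled", "--no-legend"],
            capture_output=True, text=True, check=False,
        ).stdout
    except OSError:
        return set()
    names = set()
    for line in out.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("sssd-") and fields[0].endswith(".socket"):
            unit = fields[0][len("sssd-"):-len(".socket")]
            names.add(unit.split("-")[0])
    return names


def duplicated_responders(services, enabled_sockets):
    """Responders that would run twice: once from the monitor, once via
    socket activation. This is the duplication the thread is about."""
    return sorted(set(services) & set(enabled_sockets))


def group_lookup_tuning(cp, domain):
    """Check the two options that stop SSSD from resolving every member of
    every group on first login, and whether trusted (AD) subdomains inherit it."""
    sect = "domain/" + domain
    ignore = cp.getboolean(sect, "ignore_group_members", fallback=False)
    inherited = _csv(cp.get(sect, "subdomain_inherit", fallback=""))
    return {
        "ignore_group_members": ignore,
        "inherited_to_trusted_domains": "ignore_group_members" in inherited,
    }


def audit(text, enabled_sockets):
    """Full report for one sssd.conf body and a set of enabled socket names."""
    cp = parse_sssd_conf(text)
    services = listed_services(cp)
    report = {
        "services": services,
        "duplicated": duplicated_responders(services, enabled_sockets),
        "domains": {},
    }
    for domain in _csv(cp.get("sssd", "domains", fallback="")):
        report["domains"][domain] = group_lookup_tuning(cp, domain)
    return report


if __name__ == "__main__":
    # On a real client: open("/etc/sssd/sssd.conf") as root (the file is 0600)
    # and pass enabled_sssd_sockets(); here the sample and a constructed
    # socket set stand in so the script runs anywhere.
    print(json.dumps(audit(SAMPLE_SSSD_CONF, {"nss", "pam", "ssh", "sudo"}), indent=2))
```

With the Ubuntu defaults the report lists nss, pam, ssh and sudo as duplicated, which matches the thread's observation that everything except pac should come off the `services =` line on that distribution. The sample domain section already carries both tuning options, so the report shows them as set and inherited; on a freshly enrolled client they will show as false until added.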