Hi,

On Fri, Sep 9, 2022 at 6:51 AM Ranbir via FreeIPA-users <[email protected]> wrote:
> Hi Everyone,
>
> I've been tweaking sssd.conf configs on the masters and clients in my
> AlmaLinux 9 IdM domain (it's in a trust with AD, too). Sometimes it's
> easy to tell when a particular option belongs on the master or on the
> client or on both. Most of the time though, I don't know for sure when
> to put a parameter in the masters' sssd.conf instead of in the
> client's. The man page for sssd.conf doesn't usually make it clear
> either.
>
> For example, I'm playing around with the cache timeouts. I've done the
> tweaks on the client side since the cache is local to the client. Thus,
> I figured setting the timeouts on the client is appropriate. However, I
> still wonder: if the same settings were on the masters instead,
> wouldn't the masters then return results much faster to the client?
>
> Here's what one Ubuntu 20's sssd.conf looks like right now:
>
>
> [domain/idm.tld.com]
> id_provider = ipa
> dns_discovery_domain = idm.tld.com
> ipa_server = _srv_, p1idma01.idm.tld.com
> ipa_domain = idm.tld.com
> ipa_hostname = gitlab.tld.com
> auth_provider = ipa
> chpass_provider = ipa
> access_provider = ipa
> cache_credentials = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> krb5_store_password_if_offline = True
> pwd_expiration_warning = 14
> selinux_provider = none
> lookup_family_order = ipv4_only
> sudo_provider = ipa
> autofs_provider = ipa
> subdomains_provider = ipa
> session_provider = ipa
> hostid_provider = ipa
> ipa_automount_location = ala
>
> [domain/idm.tld.com/corp.ad.tld.com]
> ad_site = ala
>
> [domain/corp.ad.tld.com]
> entry_cache_timeout = 43200
> entry_cache_service_timeout = 5400
> entry_cache_computer_timeout = 5400
> lookup_family_order = ipv4_only
>
> [sssd]
> domains = idm.tld.com
> default_domain_suffix = corp.ad.tld.com
>
> [nss]
> cache_first = True
> default_shell = /bin/bash
> enum_cache_timeout = 3600
> entry_negative_timeout = 360
> memcache_timeout = 3600
>
> [pam]
> cache_first = True
>
> [sudo]
> cache_first = True
>
> [autofs]
> cache_first = True
> autofs_negative_timeout = 3600
>
> [ssh]
>
> [pac]
> cache_first = True
> pac_lifetime = 3600
>
> [ifp]
>
> [secrets]
>
> [session_recording]
>
>
> How do we find out when the parameters should be set on the master
> instead of the client? Is the determining factor to decide if we want a
> "domain wide" setting instead of per client? If so, how do I know which
> parameter is better suited to be set "domain wide"?
>
> I'm sorry if this is obvious to others. But, it's never been 100% clear
> to me (except in some cases).
>

Are you aware of the following guide: *Tuning performance in Identity Management* [1]? It contains a chapter that may help clarify settings to apply on servers vs clients: *Tuning SSSD performance for large IdM-AD trust deployments* [2].

HTH,
flo

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/tuning_performance_in_identity_management/index
[2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/tuning_performance_in_identity_management/assembly_tuning-sssd-performance-for-large-idm-ad-trust-deployments_tuning-performance-in-idm

> --
> Ranbir
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
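The question in this thread is about which sssd.conf section a setting belongs in. Before moving cache timeouts between servers and clients, a useful mechanical check on any one machine's file is to confirm which [domain/...] sections SSSD will actually load and where the cache timeouts currently sit. The script below is an added example, not code from the thread or from the SSSD project. Its sample configuration is constructed and modeled on the Ubuntu client file posted above, and it relies on two rules from sssd.conf(5): only domains named in the [sssd] domains option are configured, and a trusted subdomain of a configured domain is tuned in a [domain/PARENT/SUBDOMAIN] section, so a [domain/...] section whose top-level name is not in domains is never loaded.

```python
"""Report which [domain/...] sections an sssd.conf will load and where
its cache timeouts are set. Added example; not from the thread or SSSD.

Rules relied on (sssd.conf(5)):
  * only domains listed in the [sssd] 'domains' option are configured;
  * a trusted subdomain is tuned in [domain/PARENT/SUBDOMAIN].
"""
import configparser
from typing import Dict, List, Tuple

# Constructed sample, modeled on the Ubuntu client config in the question.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = idm.tld.com
default_domain_suffix = corp.ad.tld.com

[domain/idm.tld.com]
id_provider = ipa
ipa_server = _srv_, p1idma01.idm.tld.com
ipa_domain = idm.tld.com
cache_credentials = True

[domain/idm.tld.com/corp.ad.tld.com]
ad_site = ala

[domain/corp.ad.tld.com]
entry_cache_timeout = 43200
entry_cache_service_timeout = 5400
entry_cache_computer_timeout = 5400

[nss]
cache_first = True
enum_cache_timeout = 3600
entry_negative_timeout = 360
memcache_timeout = 3600

[pac]
pac_lifetime = 3600
"""

# Options whose value is a number of seconds governing a local SSSD cache.
CACHE_TIMEOUT_OPTIONS = (
    "entry_cache_timeout",
    "entry_cache_user_timeout",
    "entry_cache_group_timeout",
    "entry_cache_service_timeout",
    "entry_cache_computer_timeout",
    "enum_cache_timeout",
    "entry_negative_timeout",
    "memcache_timeout",
    "pac_lifetime",
    "autofs_negative_timeout",
)


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """sssd.conf is INI-style; '%' interpolation is disabled so values stay literal."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def configured_domains(cfg: configparser.ConfigParser) -> List[str]:
    """Domain names SSSD is told to configure, in the order listed."""
    raw = cfg.get("sssd", "domains", fallback="")
    return [d.strip() for d in raw.split(",") if d.strip()]


def classify_domain_sections(cfg: configparser.ConfigParser) -> Tuple[List[str], List[str]]:
    """Split [domain/...] sections into (loaded, ignored) by their top-level domain."""
    active = set(configured_domains(cfg))
    loaded, ignored = [], []
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        parent = section[len("domain/"):].split("/")[0]
        (loaded if parent in active else ignored).append(section)
    return loaded, ignored


def cache_timeouts(cfg: configparser.ConfigParser) -> Dict[str, Dict[str, int]]:
    """Map each section to the cache timeout options it sets (seconds)."""
    result: Dict[str, Dict[str, int]] = {}
    for section in cfg.sections():
        hits = {opt: cfg.getint(section, opt)
                for opt in CACHE_TIMEOUT_OPTIONS if cfg.has_option(section, opt)}
        if hits:
            result[section] = hits
    return result


def findings(text: str) -> List[str]:
    """Human-readable review of one sssd.conf: dead sections first, then timeouts."""
    cfg = parse_sssd_conf(text)
    _, ignored = classify_domain_sections(cfg)
    out = []
    for section in ignored:
        n = len(cfg.options(section))
        out.append(f"[{section}]: top-level domain not in [sssd] domains, "
                   f"so its {n} option(s) are never loaded")
    for section, opts in cache_timeouts(cfg).items():
        if section in ignored:
            continue
        pairs = ", ".join(f"{k}={v}s" for k, v in opts.items())
        out.append(f"[{section}] cache timeouts in effect: {pairs}")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_SSSD_CONF):
        print(line)
```

Point parse_sssd_conf at the contents of /etc/sssd/sssd.conf on a client or a server to see the same report for a real file; the script only reads and never rewrites the configuration.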
