Learn more about these different git repos.
Other Git URLs
Currently sssd records in a client session if an online initgroups() call was already done and does not run a second online call if the last one falls in a timeout.
sshd and maybe other services uses two different PAM sessions, one for authentication and authorization and a second one for the session setup. Form the sssd perspective these are two different client sessions and two online initgroups() calls are preformed for a single ssh connection. As far as I know it is not possible to to related the two PAM session.
To improve the performance here I would like to suggest to save the time of the last initgroups() call for a user not only in the client context, but additionally in a global context. This way critical task like authentication, access control and maybe password changes can still check the timeout of the client context to make sure the initgroups() is at least done once online with this session is run. Other task can check the global timeout and can use that data which is stored by other sessions if it is not too old.
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.8.0
milestone: SSSD 1.8.0 => SSSD 1.7.0
owner: somebody => jhrozek
owner: jhrozek => jzeleny
owner: jzeleny => sgallagh
blockedby: => blocking: => patch: 0 => 1
status: new => assigned
Fixed by d844aab
resolution: => fixed status: assigned => closed
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=743133
rhbz: => 0
Metadata Update from @sbose: - Issue assigned to sgallagh - Issue set to the milestone: SSSD 1.7.0
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/2105
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Login to comment on this ticket.