Currently sssd records in a client session if an online initgroups() call was already done and does not run a second online call if the last one falls in a timeout.
sshd and maybe other services uses two different PAM sessions, one for authentication and authorization and a second one for the session setup. Form the sssd perspective these are two different client sessions and two online initgroups() calls are preformed for a single ssh connection. As far as I know it is not possible to to related the two PAM session.
To improve the performance here I would like to suggest to save the time of the last initgroups() call for a user not only in the client context, but additionally in a global context. This way critical task like authentication, access control and maybe password changes can still check the timeout of the client context to make sure the initgroups() is at least done once online with this session is run. Other task can check the global timeout and can use that data which is stored by other sessions if it is not too old.
milestone: NEEDS_TRIAGE => SSSD 1.8.0
milestone: SSSD 1.8.0 => SSSD 1.7.0
owner: somebody => jhrozek
owner: jhrozek => jzeleny
owner: jzeleny => sgallagh
patch: 0 => 1
status: new => assigned
Fixed by d844aab866ae237844360cea70e2dccdc90c783d
resolution: => fixed
status: assigned => closed
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=743133
rhbz: => 0
Metadata Update from @sbose:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.7.0
to comment on this ticket.
Copyright © 2014-2017 Red Hat
2.13.2 — Documentation