#1063 Improve initgroups() performance for ssh and similar services
Closed: Fixed None Opened 9 years ago by sbose.

Currently sssd records in a client session if an online initgroups() call was already done and does not run a second online call if the last one falls in a timeout.

sshd and maybe other services uses two different PAM sessions, one for authentication and authorization and a second one for the session setup. Form the sssd perspective these are two different client sessions and two online initgroups() calls are preformed for a single ssh connection. As far as I know it is not possible to to related the two PAM session.

To improve the performance here I would like to suggest to save the time of the last initgroups() call for a user not only in the client context, but additionally in a global context. This way critical task like authentication, access control and maybe password changes can still check the timeout of the client context to make sure the initgroups() is at least done once online with this session is run. Other task can check the global timeout and can use that data which is stored by other sessions if it is not too old.

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.8.0

Fields changed

milestone: SSSD 1.8.0 => SSSD 1.7.0

Fields changed

owner: somebody => jhrozek

Fields changed

owner: jhrozek => jzeleny

Fields changed

owner: jzeleny => sgallagh

Fields changed

blockedby: =>
blocking: =>
patch: 0 => 1

Fields changed

status: new => assigned

Fixed by d844aab

resolution: => fixed
status: assigned => closed

Fields changed

rhbz: => 0

Metadata Update from @sbose:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.7.0

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2105

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.