[Samba] please confirm: sssd not a good idea :)

Goetz, Patrick G pgoetz at math.utexas.edu
Wed Jun 12 16:55:28 UTC 2019

On 6/12/19 4:44 AM, Nico Kadel-Garcia via samba wrote:
> sssd has other problems. I've worked with it in the last year. It has
> a variety of under-documented, complexly interwoven subdaemons whose
> configurations are centalized, erratically and often require
> hand-tuning, in the sssd.conf settings. It also has a *nasty* behavior
> with AD or SSSD: it pre-caches *everything* from the LDAP directories
> it is pointed to, and I mean *everything*. Its configuration supports
> structures that only search "onelevel" in an LDAP directory, but when
> designating this it precaches the entire LDAP directory containing the
> "onelevel" objects at startup time, with no way I ever found to turn
> off this misfeature. Hilarity ensues if if your LDAP server, whether
> Samba or AD, are not close enough to the clien thost. And if your LDAP
> is big, that local cache gets *bulky*, even if the "onelevel"
> published objects only contain one element Now, some of that may be an
> organizatonal issue, but it surprised the heck out of me. The result
> is that sssd daemons start up, you can log in with the credentials for
> the first few minutes, but then they fail and take down *all* the sssd
> subdaemons, and you LDAP based access.

What version of sssd are you using?  The evolution of sssd has been 
pretty dramatic.  In particular, I haven't seen any of this, and our AD 
domain almost certainly includes a million user accounts, at this point 
(not sure what constitutes "big" in this context.

Regarding under documentation of the subdaemons, I'm not following.

    man sssd-ldap

provide a fairly substantial amount of information.

More information about the samba mailing list