Score:0

Filter groups that SSSD receives from AD server


We've got two Ubuntu 22.04 servers that use Kerberos and SSSD to authenticate users against an AD server. This works great.

The servers also have a GlusterFS volume that holds the users' home directories. In principle, this works great also. Unless a user is a member of more than 90 groups. Then GlusterFS has all sorts of problems: https://docs.gluster.org/en/main/Administrator-Guide/Handling-of-users-with-many-groups/

I've used the workarounds that are available but at the expense of a lot of performance. (The glusterfsd and glusterfs processes use about 1 & 3/4 cores during high activity compared to 80% of one core without the workarounds.)

My question is: is there a way to filter the groups that the system receives from AD such that when I run 'id USERID' I'll only see zero or more groups that I've specified in a filter or list? There are only three groups I use for SSH authorization. Most users have 100+ groups (it's a university AD server that I don't have control over).

Do all of the groups provided by AD need to have POSIX attributes assigned? If the group does not have a gid then the group is ignored by the Ubuntu server. You may not have control of the AD server but the AD administrators may be willing to work with you on this solution.
@doneal24 The AD server cluster is the central account authority for the university. We are just one department. I am sure they will not make any structural changes for us.
The central IT at a largish university I worked at in a previous life made changes on my request. If the groups don't need gids then they may be open to the change. It never hurts to ask.
Score:0

The ldap_group_search_base sssd.conf parameter optionally accepts an LDAP filter.

Example:

ldap_group_search_base = ou=groups,dc=example,dc=com?subtree?(cn=ssh_access)

More details are in the sssd-ldap man page.
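
An added example, not part of the original answer: the same `search_base?scope?filter` form extended with an LDAP OR filter, so that group lookups are limited to the three SSH authorization groups the question mentions. The domain name, DNs and group names are placeholders, and the fragment assumes the `ldap_*` option is set in the existing AD domain section.

```ini
# /etc/sssd/sssd.conf (fragment)
# Placeholder values: domain name, base DN and the three cn= group names
# are constructed for illustration and do not come from the question.
[domain/example.com]
id_provider = ad

# Value format: search_base?scope?filter
#   search_base : DN under which group objects are searched
#   scope       : base, onelevel or subtree
#   filter      : LDAP filter; (|(a)(b)(c)) matches any one of the terms
# Only group objects under the base that match the filter are looked up.
ldap_group_search_base = ou=groups,dc=example,dc=com?subtree?(|(cn=ssh_admins)(cn=ssh_staff)(cn=ssh_students))
```

After changing the value, restart sssd and clear its cache with `sss_cache -E` before comparing the output of `id USERID`. Check that each user's primary group still resolves to a name, since a group excluded by the filter can no longer be looked up.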
