
We've got two Ubuntu 22.04 servers that use Kerberos and SSSD to authenticate users against an AD server. This works great.

The servers also have a GlusterFS volume that holds the users' home directories. In principle, this works great also. Unless a user is a member of more than 90 groups. Then GlusterFS has all sorts of problems: https://docs.gluster.org/en/main/Administrator-Guide/Handling-of-users-with-many-groups/

I've used the workarounds that are available, but at the expense of a lot of performance. (The glusterfsd and glusterfs processes use about 1 & 3/4 cores during high activity, compared to 80% of one core without the workarounds.)

My question is: is there a way to filter the groups that the system receives from AD such that when I run 'id USERID' I'll only see zero or more groups that I've specified in a filter or list? There are only three groups I use for SSH authorization. Most users have 100+ groups (it's a university AD server that I don't have control over).

  • Do all of the groups provided by AD need to have POSIX attributes assigned? If the group does not have a gid then the group is ignored by the Ubuntu server. You may not have control of the AD server but the AD administrators may be willing to work with you on this solution. – doneal24 Mar 28 '23 at 16:00
  • @doneal24 The AD server cluster is the central account authority for the university. We are just one department. I am sure they will not make any structural changes for us. – user7037 Mar 28 '23 at 16:06
  • The central IT at a largish university I worked at in a previous life made changes on my request. If the groups don't need gids then they may be open to the change. It never hurts to ask. – doneal24 Mar 28 '23 at 16:39

1 Answer


The ldap_group_search_base sssd.conf parameter optionally accepts an LDAP filter.

Example:

ldap_group_search_base = ou=groups,dc=example,dc=com?subtree?(cn=ssh_access)

More details are in the sssd-ldap man page.

sborsky
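As an added example (not part of the answer above or of the SSSD project's documentation), here is an sssd.conf domain section that extends the single-group filter to the three SSH-authorization groups from the question, using an LDAP OR filter; the domain name, OU and group names are assumed placeholders.

```ini
# /etc/sssd/sssd.conf (added example; domain, OU and group names are assumed)
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ad
access_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM
cache_credentials = True

# Syntax (sssd-ldap(5)):  base?scope?filter
# The filter ORs the three groups used for SSH authorization, so a
# user who is in 100+ AD groups is only reported as a member of the
# groups that match. Keep the whole value on one line.
ldap_group_search_base = ou=groups,dc=example,dc=com?subtree?(|(cn=ssh_access)(cn=ssh_admins)(cn=gluster_users))

# Assumption to verify on your SSSD version: with id_provider = ad,
# group membership is normally read from the AD tokenGroups attribute
# and resolved by SID, which may not go through the search base above.
# If 'id USERID' still shows unfiltered groups, try forcing the LDAP
# search path instead:
# ldap_use_tokengroups = False

# After editing, flush the cache and restart before re-testing:
#   sudo sss_cache -E
#   sudo systemctl restart sssd
#   id USERID          # should now list at most the three groups
```

Because `id` reads from the SSSD cache, a stale entry can make the filter look ineffective; always run the cache flush before judging the result.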