Loic SARRAZIN
Systems Engineer
Hello,
Running on AIX 7.1 or AIX 7.2, here is the context:
- ypbind is running to permit NIS authentication; identification is done with the NIS table auto.home.
This works fine and could not be changed yet. Tests were done with su or ssh.
- When a user tries to connect, and this user is absent from auto.home (for instance a pure local user), the connection lasts for several seconds (up to 30 sec). This could lead to a timeout.
- A user locally defined in /etc/passwd AND in auto.home is quickly connected. The uid in /etc/passwd and in auto.home could even be different; it is quickly connected! Only the username is relevant.
- I've tried to change /etc/security/user to force SYSTEM=files and registry=files, but the behavior was the same (formerly set to "compat OR LDAP").
Using truss, I've seen that when a domainname is spotted, the whole auto.home table is read. The seek stops when a username is found, and that is the reason it's quicker when a local user is also defined in auto.home.
- I've tried to connect through PAM, but the behavior was the same. Neither worse nor better.
- Of course, stopping ypbind also stops this strange behavior.
Does anybody know how to avoid reading the very long (15000 records) auto.home table when a user is locally defined and does not require NIS credentials?
Thank you