Bull's-eye Jakub, that did the trick. I should have posted for help on the
mailing list sooner. Thank you so much, you are saving my ass.

It makes sense to increase the krb5_auth_timeout as my AD domain
controller servers are worldwide. Currently they exist in 3 regions: North
America, Europe and Asia.

The weird thing is it seems that when a linux host tries to authenticate
against my AD, it just randomly selects an AD DC from the _kerberos SRV
records. Normally, on the windows side, if "sites and services" is set up
correctly with subnets defined and bound to sites, a windows client
shouldn't try to authenticate against an AD DC that isn't local to its
site. This mechanism doesn't seem to apply to my linux hosts. Is it
because it's only available for windows hosts? Is there another way to
force linux clients to authenticate against an AD DC local to their site?

For now, I set the krb5_auth_timeout to 120 seconds. I had to completely
stop sssd and start it again. A colleague mentioned that sssd has a known
issue with restart apparently.

Also, I'm curious about ports requirements. Going from linux hosts to AD, I
only authorize 88 TCP/UDP. I believe that's all I need.

Thanks,
Alex

On Jul 27, 2017 04:08, "Jakub Hrozek via FreeIPA-users" <
freeipa-users@lists.fedorahosted.org> wrote:

> On Thu, Jul 27, 2017 at 02:34:06AM -0400, Alexandre Pitre via
> FreeIPA-users wrote:
> > I uploaded krb5_child.log and ldap_child.log to
> > https://1drv.ms/f/s!AlZwwyQE2ZZ5p2b5ROa15PBkAEQD
>
> I think the child just times out during TGT validation, see:
> (Thu Jul 27 06:01:20 2017) [[sssd[krb5_child[2765]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135280.837647: Sending
> request (2132 bytes) to AD.COM
> (Thu Jul 27 06:01:20 2017) [[sssd[krb5_child[2765]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135280.838622: Resolving
> hostname RO1-INF-ADS-002.ad.com.
> (Thu Jul 27 06:01:20 2017) [[sssd[krb5_child[2765]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135280.839154: Sending
> initial UDP request to dgram 10.248.40.11:88
> (Thu Jul 27 06:01:21 2017) [[sssd[krb5_child[2765]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135281.840215: Resolving
> hostname ns1-inf-ads-001.ad.com.
> (Thu Jul 27 06:01:21 2017) [[sssd[krb5_child[2765]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135281.841223: Sending
> initial UDP request to dgram 10.3.200.10:88
> (Thu Jul 27 06:01:22 2017) [[sssd[krb5_child[2765]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135282.842291: Resolving
> hostname inf-p-sy2-ad-01.ad.com.
> (Thu Jul 27 06:01:22 2017) [[sssd[krb5_child[2765]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135282.843245: Sending
> initial UDP request to dgram 192.168.1.10:88
> (Thu Jul 27 06:01:23 2017) [[sssd[krb5_child[2765]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135283.844311: Resolving
> hostname inf-p-sy2-ad-02.ad.com.
> (Thu Jul 27 06:01:23 2017) [[sssd[krb5_child[2765]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135283.845251: Sending
> initial UDP request to dgram 192.168.1.11:88
> (Thu Jul 27 06:01:24 2017) [[sssd[krb5_child[2765]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135284.846318: Resolving
> hostname RO1-INF-ADS-001.ad.com.
> (Thu Jul 27 06:01:24 2017) [[sssd[krb5_child[2765]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135284.847243: Sending
> initial UDP request to dgram 10.248.40.10:88
> (Thu Jul 27 06:01:25 2017) [[sssd[krb5_child[2765]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135285.848311: Resolving
> hostname ns1-inf-ads-002.ad.com.
> (Thu Jul 27 06:01:25 2017) [[sssd[krb5_child[2765]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135285.849256: Sending
> initial UDP request to dgram 10.3.200.11:88
>
> (This is the last message from PID 2765, so it was probably killed)
>
> If the servers are reachable you can just increase the krb5_child timeout
> in sssd.conf.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
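An added diagnostic for the trace Jakub quoted above (example code, not part of the thread and not sssd's own tooling): it walks krb5_child trace lines, lists the KDCs the client tried in order, flags the ones outside the subnets you declare as the host's own AD site, and reports which got no reply and how long the walk took, for comparison with krb5_auth_timeout. The site subnet 10.3.200.0/24 is an assumption, and the sample log is constructed from the thread's trace with the wrapped lines re-joined.

```python
import ipaddress
import re

# Trace line format as quoted in the thread: "[sss_child_krb5_trace_cb] (0x4000): [pid] ts: msg"
TRACE_RE = re.compile(r"\[sss_child_krb5_trace_cb\] \(0x4000\): \[\d+\] (\d+\.\d+): (.*)$")
RESOLVE_RE = re.compile(r"^Resolving hostname (\S+)$")
SEND_RE = re.compile(r"^Sending initial (UDP|TCP) request to \S+ ([\d.]+):(\d+)$")

# Constructed sample: first three DC attempts from the quoted krb5_child.log, one event per line.
SAMPLE_LOG = """\
(Thu Jul 27 06:01:20 2017) [[sssd[krb5_child[2765]]]] [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135280.837647: Sending request (2132 bytes) to AD.COM
(Thu Jul 27 06:01:20 2017) [[sssd[krb5_child[2765]]]] [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135280.838622: Resolving hostname RO1-INF-ADS-002.ad.com.
(Thu Jul 27 06:01:20 2017) [[sssd[krb5_child[2765]]]] [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135280.839154: Sending initial UDP request to dgram 10.248.40.11:88
(Thu Jul 27 06:01:21 2017) [[sssd[krb5_child[2765]]]] [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135281.840215: Resolving hostname ns1-inf-ads-001.ad.com.
(Thu Jul 27 06:01:21 2017) [[sssd[krb5_child[2765]]]] [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135281.841223: Sending initial UDP request to dgram 10.3.200.10:88
(Thu Jul 27 06:01:22 2017) [[sssd[krb5_child[2765]]]] [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135282.842291: Resolving hostname inf-p-sy2-ad-01.ad.com.
(Thu Jul 27 06:01:22 2017) [[sssd[krb5_child[2765]]]] [sss_child_krb5_trace_cb] (0x4000): [2765] 1501135282.843245: Sending initial UDP request to dgram 192.168.1.10:88
"""


def kdc_attempts(log_text):
    """One attempt per 'Resolving hostname' + 'Sending initial ...' pair; any other
    trace event arriving after a send and before the next resolve counts as a reply."""
    attempts, current = [], None
    for line in log_text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue
        ts, msg = float(m.group(1)), m.group(2)
        if r := RESOLVE_RE.match(msg):
            current = {"host": r.group(1).rstrip("."), "t": ts, "replied": False}
        elif (s := SEND_RE.match(msg)) and current is not None:
            current.update(proto=s.group(1), addr=s.group(2), port=int(s.group(3)))
            attempts.append(current)
        elif attempts and "addr" in attempts[-1]:
            attempts[-1]["replied"] = True  # the KDC answered (or errored) after the send
    return attempts


def audit(log_text, local_subnets):
    """Which KDCs were tried, which sit outside the host's own site, which stayed
    silent, and how many seconds the walk took (compare with krb5_auth_timeout)."""
    nets = [ipaddress.ip_network(n) for n in local_subnets]  # assumed site subnets
    attempts = kdc_attempts(log_text)
    off_site = [a["host"] for a in attempts
                if not any(ipaddress.ip_address(a["addr"]) in n for n in nets)]
    silent = [a["host"] for a in attempts if not a["replied"]]
    elapsed = attempts[-1]["t"] - attempts[0]["t"] if attempts else 0.0
    return {"tried": [a["host"] for a in attempts], "off_site": off_site,
            "silent": silent, "elapsed_s": round(elapsed, 3)}
```

Run `audit(open("krb5_child.log").read(), ["10.3.200.0/24"])` against a real log with the trace level Jakub used; every KDC in `silent` is one the firewall or the timeout, not DNS, is failing on.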