> On 4 Aug 2017, at 23:08, Alexandre Pitre via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> Turns out, I'm still getting the same problem. It works right away after I 
> force clean the sssd cache: systemctl stop sssd ; rm -f /var/lib/sss/db/* 
> /var/log/sssd/* ; systemctl start sssd
> 
> After some time, trying to log back on the same system I see the login prompt 
> is much quicker when I type adu...@ad.com
> Instead of getting a simple "Password:" prompt I get 
> adu...@ad.com@centos.domain.ad.com's password.
> 
> If I log in as root and stop/start and clean the sssd cache, it starts 
> working again.
> 

Are you sure cleaning the cache is needed? Because I think your issue is 
different. The fact that you get a faster login prompt and the “Server not 
found…” message both point to the sssd going offline.

You could run ‘sssctl domain-status’ to show if the domain is online or offline 
(requires the ‘ifp’ service to be enabled until RHEL-7.4/upstream 1.15.x) or 
look into the logs for messages like “Going offline”.

> /var/log/messages is filled with:
> 
> centos sssd_be: GSSAPI Error: Unspecified GSS failure.  Minor code may 
> provide more information (Server krbtgt/ad....@ipa.ad.com not found in 
> Kerberos database)

This is the trust principal. Are you sure all your replicas are either trust 
agents or you ran “ipa-adtrust-install” on them?

> 
> 
> Any thoughts ?
> 
> Thanks,
> Alex
> 
> 
> On Tue, Aug 1, 2017 at 2:58 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Mon, Jul 31, 2017 at 05:47:11PM -0400, Alexandre Pitre wrote:
> > Bullseye Jakub, that did the trick. I should have posted for help on the
> > mailing list sooner. Thank you so much, you are saving my ass.
> >
> > It makes sense to increase the krb5_auth_timeout as my AD domain
> > controllers servers are worldwide. Currently they exist in 3 regions: North
> > America, Europe and Asia.
> >
> > The weird thing is it seems that when a linux host tries to authenticate
> > against my AD, it just randomly selects an AD DC from the _kerberos SRV
> > records. Normally, on the windows side, if "sites and services" are set up
> > correctly with subnets defined and bound to sites, a windows client
> > shouldn't try to authenticate against an AD DC that isn't local to his
> > site. This mechanism doesn't seem to apply to my linux hosts. Is it
> > because it's only available for windows hosts? Is there another way to
> > force linux clients to authenticate against AD DC local to their site?
> 
> We haven't implemented the site selection for the clients yet, only for
> servers, see:
>     https://bugzilla.redhat.com/show_bug.cgi?id=1416528
> 
> >
> > For now, I set the krb5_auth_timeout to 120 seconds. I had to completely
> > stop sssd and start it again. A colleague mentioned that sssd has a known
> > issue with restart apparently.
> 
> I'm not aware of any such issue..
> 
> >
> > Also, I'm curious about ports requirements. Going from linux hosts to AD, I
> > only authorize 88 TCP/UDP. I believe that's all I need.
> 
> Yes, from the clients, that should be enough. The servers need more
> ports open:
>     https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#prereq-ports
> 
> 
> 
> -- 
> Alexandre Pitre
> alexandre.pi...@gmail.com
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
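
The log check suggested in the reply above (look for "Going offline" and for the missing trust principal), as an added example that is not part of the original thread. The function names are hypothetical, the sample log lines are constructed with placeholder realm names, and the sssd debug line format is an assumption.

```shell
# Added example, not from the thread. Function names are hypothetical and the
# sample lines are constructed; realm names are placeholders.

# List each principal the KDC reported as missing, with its occurrence count.
missing_principals() {
    sed -n 's/.*(Server \([^ ]*\) not found in Kerberos database).*/\1/p' |
        sort | uniq -c | awk '{print $1, $2}'
}

# Count log lines in which sssd reports a backend going offline.
offline_count() {
    grep -c 'Going offline' || true   # grep exits 1 when the count is 0
}

# Read log text on stdin and print a one-line summary for the host.
diagnose() {
    local text offline principals
    text=$(cat)
    offline=$(printf '%s\n' "$text" | offline_count)
    principals=$(printf '%s\n' "$text" | missing_principals)
    if printf '%s\n' "$principals" | grep -q ' krbtgt/'; then
        # A missing krbtgt/... entry is the trust principal named in the reply:
        # check that the replica is a trust agent or has had
        # ipa-adtrust-install run on it.
        echo "offline=$offline hint=trust-principal-missing"
    elif [ "$offline" -gt 0 ]; then
        echo "offline=$offline hint=no-missing-principal"
    else
        echo "offline=0 hint=none"
    fi
}

# Constructed sample: two syslog lines in the shape quoted in the thread, one
# sssd debug line (format assumed), and one unrelated line.
SAMPLE_LOG='Aug  4 22:10:01 centos sssd_be: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/AD.EXAMPLE@IPA.EXAMPLE not found in Kerberos database)
(Fri Aug  4 22:10:01 2017) [sssd[be[ipa.example]]] [be_mark_offline] (0x2000): Going offline!
Aug  4 22:15:07 centos sssd_be: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/AD.EXAMPLE@IPA.EXAMPLE not found in Kerberos database)
Aug  4 22:15:09 centos sshd[2112]: Accepted password for root from 192.0.2.10 port 50022 ssh2'

printf '%s\n' "$SAMPLE_LOG" | diagnose
```

On a real host, feed `diagnose` the concatenation of /var/log/messages and the sssd domain log instead of the sample.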
