On Thu, Jun 07, 2018 at 03:48:16PM -0000, Bart via FreeIPA-users wrote:
> Thank you Alexander, that was the root cause. I added optimizations to my
> setup that you together with Jakub described in this article:
> https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/
> and things started working on the client side.

This still points to a performance-like issue. From some related customer
cases I've been working on lately I remember that increasing the negative
timeout (entry_negative_timeout, set this to minutes or even hours) and also
the cache_first=true options made a difference. There's a tradeoff though with
these options, please see the man pages.

> There is one small glitch though. Upon a first getent passwd for a new user
> (one that I didn't issue getent for before) executed on a client it most likely
> still times out. I can see that there is some communication on the FreeIPA
> servers going on (judging by the log file /var/log/sssd/sssd_ipa.domain.log).
> The getent command times out but entries in the log file keep on being added.
> When the log entries stop being added and I issue the same getent command
> then it succeeds.
>
> Could you please point me to the timeout parameter that would allow me to fix
> this, if there is any?
> For reference I paste my client/server sssd configs:
>
> server:
>
> [domain/ipa.domain]
> debug_level = 9
> id_provider = ipa
> ipa_server_mode = True
> ipa_server = ipa-server.ipa.domain
> ipa_domain = ipa.domain
> ipa_hostname = ipa-server.ipa.domain
> auth_provider = ipa
> chpass_provider = ipa
> access_provider = ipa
> cache_credentials = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> krb5_store_password_if_offline = True
>
> enumerate = False
> subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
> ignore_group_members = True
> ldap_purge_cache_timeout = 0
>
> [sssd]
> services = nss, pam, ifp, ssh, sudo
> ignore_group_members=True
>
> domains = ipa.domain
> enumerate = False
> ldap_use_tokengroups = false

Please don't disable tokengroups unless you have a verified reason to do so
(this is just a general warning, I'm not even sure if disabling tokengroups in
the main domain section would disable them for the AD subdomain).

> [nss]
> homedir_substring = /home
> memcache_timeout = 600
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
>
> [secrets]
>
> [session_recording]
>
> ----
> client:
>
> [domain/ipa.domain]
> enumerate = False
> debug_level=9
> cache_credentials = True
> krb5_store_password_if_offline = True
>
> ipa_domain = ipa.domain
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipa-client-centos6.shec.hrs.cc
> chpass_provider = ipa
> ipa_server = ipa-server.ipa.domain
> ldap_tls_cacert = /etc/ipa/ca.crt
> krb5_auth_timeout = 3600
> [sssd]
> services = nss, sudo, pam, ssh
>
> domains = ipa.domain
> [nss]
> homedir_substring = /home
>
> [pam]
> pam_id_timeout = 3600
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/LJGAGZ4FAAKIFJD723NBFCKZNBADEBL4/
_______________________________________________
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/VDWTJCFA3SMAWERJQPRLF62ONGPB5XAC/
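The reply above names two sssd.conf knobs (entry_negative_timeout in the domain section, cache_first in [nss]) and warns against ldap_use_tokengroups = false. The script below is an added example, not code from this thread or from the SSSD project: it parses an sssd.conf, reports which of those three settings deviate from the advice, and writes out a tuned copy. SAMPLE_SSSD_CONF is a constructed fragment modelled on the client config quoted in the mail, and the 3600-second negative timeout is an arbitrary choice for the demo, not a value the thread recommends. The 15-second default for entry_negative_timeout is from sssd.conf(5).

```python
"""Audit and tune an sssd.conf for the cache options discussed in the thread.

Added example, not part of the mailing-list message or of SSSD itself.
SAMPLE_SSSD_CONF is constructed for the demo; the 3600 s value is arbitrary.
"""
import configparser
import io

# Constructed sample client config, trimmed to the options that matter here.
SAMPLE_SSSD_CONF = """\
[domain/ipa.domain]
enumerate = False
id_provider = ipa
ipa_domain = ipa.domain
ipa_server = ipa-server.ipa.domain
ldap_use_tokengroups = false

[sssd]
services = nss, sudo, pam, ssh
domains = ipa.domain

[nss]
homedir_substring = /home
"""


def parse_sssd_conf(text):
    """Parse sssd.conf text. '%' has no interpolation meaning in sssd.conf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def audit(cp):
    """Return (section, finding) tuples for the settings the thread discusses."""
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        # sssd.conf(5): entry_negative_timeout defaults to 15 seconds, so a
        # lookup of a missing user repeats against the server every 15 s.
        if not cp.has_option(section, "entry_negative_timeout"):
            findings.append((section, "entry_negative_timeout not set (default 15 s)"))
        # The thread advises keeping tokengroups enabled unless there is a
        # verified reason to disable them.
        if cp.get(section, "ldap_use_tokengroups", fallback="true").lower() == "false":
            findings.append((section, "ldap_use_tokengroups = false"))
    # cache_first lives in [nss]: answer from the cache before asking a provider.
    if cp.get("nss", "cache_first", fallback="false").lower() != "true":
        findings.append(("nss", "cache_first not enabled"))
    return findings


def apply_tuning(text, negative_timeout=3600):
    """Return the config text with the thread's two tuning options applied.

    Tradeoff (see sssd.conf(5)): an account created on the server after a
    failed lookup stays invisible on this client until the negative entry expires.
    """
    cp = parse_sssd_conf(text)
    for section in cp.sections():
        if section.startswith("domain/"):
            cp.set(section, "entry_negative_timeout", str(negative_timeout))
    if not cp.has_section("nss"):
        cp.add_section("nss")
    cp.set("nss", "cache_first", "true")
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for section, finding in audit(parse_sssd_conf(SAMPLE_SSSD_CONF)):
        print(f"[{section}] {finding}")
    print(apply_tuning(SAMPLE_SSSD_CONF))
```

Running it against the sample reports all three findings; after apply_tuning only the tokengroups finding remains, because that one is deliberately left for a human decision rather than changed automatically.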