On Wed, Dec 13, 2023 at 11:49:00PM +0000, Ostrom, Erik via FreeIPA-users wrote:
> Hi,
>
> I'm having some issues ssh'ing as an AD user to a freeipa client, but I can
> successfully ssh as the same user to the IPA master.
> Our IPA domain, ipa.subdomain.contoso.com, is set up with a one-way trust
> with ad.contoso.com (IPA trusts ADs users). I have the standard "allow all"
> HBAC rule in place on FreeIPA for testing purposes. ad.contoso.com is a
> relatively huge AD, with over 400,000 user accounts.
>
> ssh [email protected] --- (IPA user to FreeIPA
> master), works
> ssh [email protected]@freeipa1.ipa.subdomain.contoso.com --- (AD user to
> FreeIPA master), works
> ssh [email protected] --- (IPA user to
> FreeIPA client), works
> ssh [email protected]@rl9-ipa-client1.in.subdomain.contoso.com --- (AD
> user to FreeIPA client), doesn't work
>
> I'm not sure what to look at in the SSSD logs to see what's going wrong here.
> I have uploaded sanitized SSSD logs from
> rl9-ipa-client1.in.subdomain.contoso.com for a failed login attempt (listed
> above as not working) at the following
> link:https://privatebin.net/?55e82c73463ae145#A59jSajU1ZwEwr3nEKhPqsT8Um4QXqHhQ2duiH19gdU
Hi,
according to the logs, the IPA server needs too much time to prepare the
data of the AD user which the client requested.
(2023-12-12 16:31:13): [be[ipa.subdomain.contoso.com]]
[ipa_s2n_get_acct_info_send] (0x0400): [RID#229] Sending request_type:
[REQ_FULL_WITH_MEMBERS] for trust user [erik-ad] to IPA server
(2023-12-12 16:31:13): [be[ipa.subdomain.contoso.com]] [ipa_s2n_exop_send]
(0x0400): [RID#229] Executing extended operation
(2023-12-12 16:31:13): [be[ipa.subdomain.contoso.com]] [ipa_s2n_exop_send]
(0x2000): [RID#229] ldap_extended_operation sent, msgid = 41
(2023-12-12 16:31:13): [be[ipa.subdomain.contoso.com]] [sdap_op_add] (0x2000):
[RID#229] New operation 41 timeout 6
(2023-12-12 16:31:13): [be[ipa.subdomain.contoso.com]] [sdap_process_result]
(0x2000): Trace: sh[0x55e456f262f0], connected[1], ops[0x55e456efac80],
ldap[0x55e455ed5310]
(2023-12-12 16:31:13): [be[ipa.subdomain.contoso.com]] [sdap_process_result]
(0x2000): Trace: end of ldap_result list
(2023-12-12 16:31:19): [be[ipa.subdomain.contoso.com]] [sdap_op_timeout]
(0x1000): [RID#229] Issuing timeout [ldap_opt_timeout] for message id 41
Typically this means that the server has to refresh some or all cached
data of the user, which in this case will include all group memberships,
and for some technical reasons this means refreshing all related
expired groups and their members.
At least for the group members this can be sped up by setting
ignore_group_members = True
subdomain_inherit = ignore_group_members
in the [domain/...] section on IPA servers and clients.
Another option is to set
refresh_expired_interval = 4000
in the [domain/...] sections on the IPA servers to make sure that SSSD
will try every 4000s to refresh cached entries which are about to
expire. As a result the IPA servers should be able to always reply to
requests from IPA clients with cached data without the need to refresh it.
HTH
bye,
Sumit
>
> If anyone can tell what my issue is here, or if other logs would be helpful
> let me know. I appreciate the help!
>
> Thanks,
> Erik
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
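As an added example (not part of the thread), the correlation Sumit does by eye above, scripted: it matches each `ipa_s2n_get_acct_info_send` request to its LDAP operation and any later `sdap_op_timeout` by RID and message id, so the timed-out trust-user lookups and their elapsed time can be pulled out of a client's `sssd_<domain>.log`. The sample lines are constructed after those quoted above; RID#230 is an added request that never times out.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the SSSD debug lines quoted in the reply
# (same format; RID#230 is an extra request with no timeout line).
SAMPLE_LOG = """\
(2023-12-12 16:31:13): [be[ipa.subdomain.contoso.com]] [ipa_s2n_get_acct_info_send] (0x0400): [RID#229] Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [erik-ad] to IPA server
(2023-12-12 16:31:13): [be[ipa.subdomain.contoso.com]] [ipa_s2n_exop_send] (0x2000): [RID#229] ldap_extended_operation sent, msgid = 41
(2023-12-12 16:31:13): [be[ipa.subdomain.contoso.com]] [sdap_op_add] (0x2000): [RID#229] New operation 41 timeout 6
(2023-12-12 16:31:19): [be[ipa.subdomain.contoso.com]] [sdap_op_timeout] (0x1000): [RID#229] Issuing timeout [ldap_opt_timeout] for message id 41
(2023-12-12 16:31:20): [be[ipa.subdomain.contoso.com]] [ipa_s2n_get_acct_info_send] (0x0400): [RID#230] Sending request_type: [REQ_SIMPLE] for trust user [alice-ad] to IPA server
(2023-12-12 16:31:20): [be[ipa.subdomain.contoso.com]] [sdap_op_add] (0x2000): [RID#230] New operation 42 timeout 6
"""

# Timestamp and request id prefix shared by every line we care about.
LINE_RE = re.compile(r"^\((?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\): .*?\[RID#(?P<rid>\d+)\] (?P<msg>.*)$")
REQUEST_RE = re.compile(r"Sending request_type: \[(?P<rtype>\w+)\] for trust user \[(?P<user>[^\]]+)\]")
OP_ADD_RE = re.compile(r"New operation (?P<msgid>\d+) timeout (?P<timeout>\d+)")
TIMEOUT_RE = re.compile(r"Issuing timeout \[ldap_opt_timeout\] for message id (?P<msgid>\d+)")


def find_timed_out_s2n_requests(log_text):
    """Return one record per s2n lookup whose LDAP operation hit ldap_opt_timeout."""
    requests, ops, timed_out = {}, {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without a RID (sdap_process_result traces) cannot be correlated
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        rid, msg = m["rid"], m["msg"]
        if (r := REQUEST_RE.search(msg)):
            requests[rid] = {"user": r["user"], "request_type": r["rtype"]}
        elif (o := OP_ADD_RE.search(msg)):
            ops[o["msgid"]] = {"rid": rid, "timeout": int(o["timeout"]), "sent": ts}
        elif (t := TIMEOUT_RE.search(msg)):
            op = ops.get(t["msgid"])
            if op is None:
                continue  # timeout for an operation we never saw registered
            req = requests.get(op["rid"], {"user": None, "request_type": None})
            timed_out.append({"rid": op["rid"], "msgid": int(t["msgid"]),
                              "user": req["user"], "request_type": req["request_type"],
                              "timeout": op["timeout"],
                              "elapsed": (ts - op["sent"]).total_seconds()})
    return timed_out


if __name__ == "__main__":
    for hit in find_timed_out_s2n_requests(SAMPLE_LOG):
        print(f"RID#{hit['rid']} {hit['request_type']} for [{hit['user']}] "
              f"timed out after {hit['elapsed']:.0f}s (ldap_opt_timeout={hit['timeout']})")
```

A lookup that times out with `REQ_FULL_WITH_MEMBERS` and an elapsed time equal to the configured timeout is the signature of the slow group refresh Sumit describes; the same script run after applying `ignore_group_members` or `refresh_expired_interval` shows whether the timeouts are gone.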