Hello, I'm unable to ssh as an AD user to a FreeIPA client. I am, however, able to ssh as an AD user to a FreeIPA server. I can also ssh to a FreeIPA client AND server using a FreeIPA account. Our IPA domain (ipa.subdomain.contoso.com) is set up with a one-way trust with ad.contoso.com. Our AD is on the larger side, with 400,000+ user accounts.

An ldbsearch on the client cache file returns 42 records; the same search on the server cache returns 113551 records. Searching for a specific user:

    ldbsearch -H /var/lib/sss/db/cache_ipa.subdomain.contoso.com.ldb '([email protected])'

returns zero records on the FreeIPA client and 1 record on the FreeIPA server. Dig commands (dig -t SRV _ldap._tcp.ipa.subdomain.contoso.com and dig -t SRV _ldap._tcp.ad.contoso.com) also return expected results.

server: sssd.conf https://privatebin.net/?42cff7bd431068d7#FmeM5p3R88U9oQd98UvoaVHZ3PzeZTGvS5VHxvGtorf
client: sssd.conf https://privatebin.net/?d4f20faca95236f4#D8WtjwDMaAB932W66YMgW5HtXkdfez1Ht1vzWa9FwnR

I'm not sure what to key in on in the SSSD logs to identify what's going wrong here and how to resolve it. I've attempted to fiddle with multiple timeout settings, but haven't identified the right ones. I do see SSSD is reported as offline, and this very much feels like a communication issue.

I have uploaded sanitized SSSD logs from rl9-ipa-client1.in.subdomain.contoso.com and freeipa2.ipa.subdomain.contoso.com for a failed login attempt at the following: https://privatebin.net/?1028b6754421174b#DDDuthsRbLjxt4rS1mr263MmJ2qjhLgLHpyYZJYxLUXC

Thanks,
Heidi

--
FreeIPA-users mailing list -- [email protected]
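A small triage script, added here as an example and not part of the thread or of SSSD itself, that walks an sssd_<domain>.log and reports when the backend went offline and whether a user lookup was answered while it was offline. It assumes the SSSD 2.x debug line shape "(timestamp): [component] [function] (0xLEVEL): message" and a marker-phrase list you may need to adjust for your version; the sample lines are constructed.

```python
import re
from collections import Counter

# Assumed SSSD debug-log line shape (sssd 2.x); adjust if your version differs:
# "(timestamp): [component] [function] (0xLEVEL): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[(?P<comp>.+?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# Phrases that mark a provider state change (assumption: tune for your SSSD version).
OFFLINE_MARKERS = ("going offline", "backend is offline", "back end is offline", "provider is offline")
ONLINE_MARKERS = ("going online", "backend is online", "back end is online")

def parse_line(line):
    """Split one log line into its fields, or return None if it does not match the shape."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Track provider state through the log and note which user lookups hit an offline backend."""
    state, transitions, lookups, funcs = "online", [], [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        funcs[rec["func"]] += 1
        msg = rec["msg"].lower()
        if any(k in msg for k in OFFLINE_MARKERS):
            state = "offline"
            transitions.append((rec["ts"], state, rec["func"]))
        elif any(k in msg for k in ONLINE_MARKERS):
            state = "online"
            transitions.append((rec["ts"], state, rec["func"]))
        if "got request for" in msg:          # data-provider lookup for a user/group
            lookups.append((rec["ts"], rec["msg"], state))
    return {"transitions": transitions, "lookups": lookups, "functions": funcs}

# Constructed sample lines in the assumed format (not the real logs from the thread).
SAMPLE = """\
(2024-05-01 10:15:02): [be[ipa.subdomain.contoso.com]] [dp_req_reply_std] (0x1000): DP Request [Account #3]: Returning [Success]: 0,0,Success
(2024-05-01 10:15:37): [be[ipa.subdomain.contoso.com]] [be_mark_offline] (0x2000): Going offline!
(2024-05-01 10:15:40): [be[ipa.subdomain.contoso.com]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][aduser@ad.contoso.com]
(2024-05-01 10:15:40): [be[ipa.subdomain.contoso.com]] [dp_req_reply_std] (0x1000): DP Request [Account #4]: Returning [Provider is Offline]: 1,11,Offline
(2024-05-01 10:16:45): [be[ipa.subdomain.contoso.com]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
""".splitlines()

if __name__ == "__main__":
    result = triage(SAMPLE)
    for ts, st, func in result["transitions"]:
        print(f"{ts} provider {st} ({func})")
    for ts, msg, st in result["lookups"]:
        print(f"{ts} lookup while provider {st}: {msg}")
```

Run it against the client's sssd_ipa.subdomain.contoso.com.log (open the file and pass its lines to triage) to see whether the AD user's lookup lands inside an offline window; the transition list then tells you which function flipped the state and at what time, which is the place to start reading with debug_level raised.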
