You are correct, debugging was only specified in the [domain/...] section. I 
have enabled it for nss and gathered logs again. The client and server times are 
indeed in sync.

I initiated my login attempt at approximately 10:16:30.  At approximately 
10:17:10 I was presented with a prompt to enter my password.  After entering my 
password I was again presented with a password prompt.  After entering multiple 
times with no success, I waited and eventually the connection attempt timed out.

Server Logs for this attempt
https://privatebin.net/?74adb14729c459fc#EhqWm6x2LVgfnL7iAmLZDFh3TtXpwgsH9wjUfWQYrGyS
Client Logs for this attempt
https://privatebin.net/?1d3532466812bef2#C6ECF2RnRMEXVi7HGLd8iYvhoSmEw2uRs88neb2MG3RQ

It seems like a considerable amount of time is spent searching the AD groups a 
user is a member of. For testing purposes, an AD account was created that is 
not a member of any groups. This user was able to successfully log in. What 
additional steps should be taken to account for ADs where users are members of 
many groups? To add to the complexity, many of these groups are nested.

I've reviewed this document (https://access.redhat.com/articles/2133801) and 
spent time adjusting parameters with little success.

The sssd.conf on both client and server include the following in the 
[domain/...] section:

subdomain_inherit = ignore_group_members
ignore_group_members = True

Should these be placed somewhere else instead? Are there other options that 
should be set to account for large numbers of nested AD groups?

Thank you
Heidi
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]