You are correct, debugging was only specified in the [domain/...] section. I have enabled for nss and gathered logs again. The client and server times are indeed in sync.
I initiated my login attempt at approximately 10:16:30. At approximately 10:17:10 I was presented with a prompt to enter my password. After entering my password I was again presented with a password prompt. After entering it multiple times with no success I waited and eventually the connection attempt timed out.

Server logs for this attempt: https://privatebin.net/?74adb14729c459fc#EhqWm6x2LVgfnL7iAmLZDFh3TtXpwgsH9wjUfWQYrGyS
Client logs for this attempt: https://privatebin.net/?1d3532466812bef2#C6ECF2RnRMEXVi7HGLd8iYvhoSmEw2uRs88neb2MG3RQ

It seems like a considerable amount of time is spent searching the AD groups a user is a member of. For testing purposes, an AD account was created that is not a member of any groups. This user was able to successfully log in.

What additional steps should be taken to account for ADs where users are members of many groups? To add to the complexity, many of these groups are nested. I've reviewed this document (https://access.redhat.com/articles/2133801) and spent time adjusting parameters with little success.

The sssd.conf on both client and server includes the following in the [domain/...] section:

    subdomain_inherit = ignore_group_members
    ignore_group_members = True

Should these be placed somewhere else instead? Are there other options that should be set to account for large numbers of nested AD groups?

Thank you
Heidi

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
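The placement question above (whether ignore_group_members and subdomain_inherit belong in the [domain/...] section) can be checked mechanically. The following is an added example, not code from the mail or from the SSSD project: it parses an sssd.conf with Python's configparser and reports, per [domain/...] section, whether ignore_group_members is enabled and whether subdomain_inherit propagates it to trusted AD subdomains. The sample config and the domain name ipa.example.test are constructed for illustration.

```python
import configparser

# Constructed sample sssd.conf mirroring the poster's description: both
# options sit in the [domain/...] section, debug enabled for the domain and nss.
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = ipa.example.test

[domain/ipa.example.test]
id_provider = ipa
debug_level = 9
subdomain_inherit = ignore_group_members
ignore_group_members = True

[nss]
debug_level = 9
"""


def parse_sssd_conf(text):
    # sssd.conf is INI-style; keep option names as written (no lowercasing)
    # and disable '%' interpolation so values are taken literally.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_group_member_settings(text):
    """Return {section: [findings]} for every [domain/...] section.

    An empty findings list means both options are present in that domain
    section and ignore_group_members is listed in subdomain_inherit, so the
    trusted AD subdomains inherit it as well.
    """
    cp = parse_sssd_conf(text)
    results = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        findings = []
        igm = cp.get(section, "ignore_group_members", fallback="False")
        if igm.strip().lower() != "true":
            findings.append("ignore_group_members is not True")
        inherit = cp.get(section, "subdomain_inherit", fallback="")
        inherited = [v.strip() for v in inherit.split(",") if v.strip()]
        if "ignore_group_members" not in inherited:
            findings.append("subdomain_inherit does not list ignore_group_members")
        results[section] = findings
    return results
```

Run it against the real /etc/sssd/sssd.conf on both client and server to confirm the two hosts agree. Keep in mind that ignore_group_members only trims group-object lookups (member lists); it does not by itself shorten resolving the user's own nested memberships at login.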
