>----- Original message -----
>From: "Alexander Bokovoy" <aboko...@redhat.com>
>To: "Bobby Prins" <bobby.pr...@proxy.nl>
>Cc: d...@redhat.com, freeipa-users@redhat.com
>Sent: Monday 23 March 2015 16:44:47
>Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
>
>...
>
>Can you show relevant parts of /var/log/dirsrv/slapd-EXAMPLE-CORP/access
>and sssd logs from IPA master (with debug_level = 10) at least in
>[domain], [nss], and [pam] sections.
>
>You need to filter dirsrv logs by connection coming from AIX IP address
>and then by conn=<number> where number is the same number as the one
>with IP address line.
>
>When authenticating, AIX would talk to IPA LDAP server to compat tree
>and slapi-nis plugin which serves compat tree would do PAM
>authentication as service system-auth where SSSD on IPA master will do
>the actual authentication work.
>
>--
>/ Alexander Bokovoy

Here you can see the DS connection from AIX:

[24/Mar/2015:12:53:19 +0100] conn=96 fd=110 slot=110 connection from 192.168.140.107 to 192.168.140.133
[24/Mar/2015:12:53:20 +0100] conn=96 op=0 BIND dn="uid=bpr...@example.corp,cn=users,cn=compat,dc=unix,dc=example,dc=corp" method=128 version=3
[24/Mar/2015:12:53:43 +0100] conn=96 op=0 RESULT err=0 tag=97 nentries=0 etime=24 dn="uid=bpr...@example.corp,cn=users,cn=compat,dc=unix,dc=example,dc=corp"
[24/Mar/2015:12:53:43 +0100] conn=96 op=-1 fd=110 closed - B1

As you can see it also takes quite some time to process the login. Could that be a problem?

The SSSD log files are a bit large with debug_level set to 10 and it will take me some time to strip all customer data from it. Any log events in particular you would like to see?

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
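
The log filtering described in the quoted message (pick the connection opened from the client's IP address, then follow its conn=<number>) can be scripted; the following is an added example, not part of the original thread. The function names, the sample bind DN and the second client (conn=97) are constructed for illustration.

```python
import re

# Constructed sample in 389-ds access-log format, modelled on the lines quoted
# above; the bind DN is a placeholder and conn=97 is an unrelated client.
DN = "uid=user@example.corp,cn=users,cn=compat,dc=unix,dc=example,dc=corp"
SAMPLE_LOG = f"""\
[24/Mar/2015:12:53:19 +0100] conn=96 fd=110 slot=110 connection from 192.168.140.107 to 192.168.140.133
[24/Mar/2015:12:53:19 +0100] conn=97 fd=111 slot=111 connection from 192.168.140.50 to 192.168.140.133
[24/Mar/2015:12:53:20 +0100] conn=96 op=0 BIND dn="{DN}" method=128 version=3
[24/Mar/2015:12:53:20 +0100] conn=97 op=0 SRCH base="dc=unix,dc=example,dc=corp" scope=2 filter="(uid=admin)" attrs=ALL
[24/Mar/2015:12:53:20 +0100] conn=97 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[24/Mar/2015:12:53:43 +0100] conn=96 op=0 RESULT err=0 tag=97 nentries=0 etime=24 dn="{DN}"
[24/Mar/2015:12:53:43 +0100] conn=96 op=-1 fd=110 closed - B1
"""

CONN_RE = re.compile(r"^\[[^\]]+\] conn=(\d+) ")
OPEN_RE = re.compile(r" connection from (\S+) to \S+")
OP_RE = re.compile(r" op=(-?\d+) (.*)$")

def lines_for_client(log_text, client_ip):
    """Return {conn: [lines]} for every connection opened from client_ip."""
    conns = {}
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        conn = int(m.group(1))
        opened = OPEN_RE.search(line)
        if opened:
            conns.pop(conn, None)  # conn numbers restart with the server
            if opened.group(1) == client_ip:
                conns[conn] = [line]
        elif conn in conns:
            conns[conn].append(line)
    return conns

def bind_summary(conn_lines):
    """Pair each BIND with the RESULT carrying the same op= number."""
    pending, out = {}, []
    for op, rest in (m.groups() for m in map(OP_RE.search, conn_lines) if m):
        if rest.startswith("BIND "):
            dn = re.search(r'dn="([^"]*)"', rest)
            pending[op] = dn.group(1) if dn else ""
        elif rest.startswith("RESULT ") and op in pending:
            err = int(re.search(r"err=(-?\d+)", rest).group(1))
            etime = float(re.search(r"etime=([\d.]+)", rest).group(1))
            out.append({"dn": pending.pop(op), "err": err, "etime": etime})
    return out
```

The etime on the BIND's RESULT is the elapsed time of the whole bind operation, so the timestamps of the BIND and RESULT lines give the window to look at in the SSSD logs on the IPA master.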