>----- Oorspronkelijk bericht ----- >Van: "Dmitri Pal" <d...@redhat.com> >Aan: "Bobby Prins" <bobby.pr...@proxy.nl>, "Alexander Bokovoy" ><aboko...@redhat.com> >Cc: email@example.com >Verzonden: Dinsdag 24 maart 2015 14:44:42 >Onderwerp: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in >ipa_server_mode > >On 03/24/2015 09:01 AM, Bobby Prins wrote: >>> ----- Oorspronkelijk bericht ----- >>> Van: "Alexander Bokovoy" <aboko...@redhat.com> >>> Aan: "Bobby Prins" <bobby.pr...@proxy.nl> >>> Cc: d...@redhat.com, firstname.lastname@example.org >>> Verzonden: Maandag 23 maart 2015 16:44:47 >>> Onderwerp: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in >>> ipa_server_mode >>> >>> ... >>> >>> Can you show relevant parts of /var/log/dirsrv/slapd-EXAMPLE-CORP/access >>> and sssd logs from IPA master (with debug_level = 10) at least in >>> [domain], [nss], and [pam] sections. >>> >>> You need to filter dirsrv logs by connection coming from AIX IP address >>> and then by conn=<number> where number is the same number as the one >>> with IP address line. >>> >>> When authenticating, AIX would talk to IPA LDAP server to compat tree >>> and slapi-nis plugin which serves compat tree would do PAM >>> authentication as service system-auth where SSSD on IPA master will do >>> the actual authentication work. >>> >>> -- >>> / Alexander Bokovoy >> Here you can see the DS connection from AIX: >> [24/Mar/2015:12:53:19 +0100] conn=96 fd=110 slot=110 connection from >> 192.168.140.107 to 192.168.140.133 >> [24/Mar/2015:12:53:20 +0100] conn=96 op=0 BIND >> dn="uid=bpr...@example.corp,cn=users,cn=compat,dc=unix,dc=example,dc=corp" >> method=128 version=3 >> [24/Mar/2015:12:53:43 +0100] conn=96 op=0 RESULT err=0 tag=97 nentries=0 >> etime=24 >> dn="uid=bpr...@example.corp,cn=users,cn=compat,dc=unix,dc=example,dc=corp" >> [24/Mar/2015:12:53:43 +0100] conn=96 op=-1 fd=110 closed - B1 >> >> As you can see it also takes quite some time to process the login. Could >> that be a problem? >> >> The SSSD log files are a bit large with debug_level set to 10 and it will >> take me some time to strip all customer data from it. Any log events in >> particular you would like to see? >Does the user that you use (bpr...@example.corp) is a member of many >large groups? > >-- >Thank you, >Dmitri Pal > >Sr. Engineering Manager IdM portfolio >Red Hat, Inc.
53 groups in total ranging from groups with only a couple of users to groups with multiple hundreds of users. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project