>----- Oorspronkelijk bericht -----
>Van: "Dmitri Pal" <d...@redhat.com>
>Aan: "Bobby Prins" <bobby.pr...@proxy.nl>, "Alexander Bokovoy" 
>Cc: freeipa-users@redhat.com
>Verzonden: Dinsdag 24 maart 2015 14:44:42
>Onderwerp: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in 
>On 03/24/2015 09:01 AM, Bobby Prins wrote:
>>> ----- Oorspronkelijk bericht -----
>>> Van: "Alexander Bokovoy" <aboko...@redhat.com>
>>> Aan: "Bobby Prins" <bobby.pr...@proxy.nl>
>>> Cc: d...@redhat.com, freeipa-users@redhat.com
>>> Verzonden: Maandag 23 maart 2015 16:44:47
>>> Onderwerp: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in 
>>> ipa_server_mode
>>> ...
>>> Can you show relevant parts of /var/log/dirsrv/slapd-EXAMPLE-CORP/access
>>> and sssd logs from IPA master (with debug_level = 10) at least in
>>> [domain], [nss], and [pam] sections.
>>> You need to filter dirsrv logs by connection coming from AIX IP address
>>> and then by conn=<number> where number is the same number as the one
>>> with IP address line.
>>> When authenticating, AIX would talk to IPA LDAP server to compat tree
>>> and slapi-nis plugin which serves compat tree would do PAM
>>> authentication as service system-auth where SSSD on IPA master will do
>>> the actual authentication work.
>>> -- 
>>> / Alexander Bokovoy
>> Here you can see the DS connection from AIX:
>> [24/Mar/2015:12:53:19 +0100] conn=96 fd=110 slot=110 connection from 
>> to
>> [24/Mar/2015:12:53:20 +0100] conn=96 op=0 BIND 
>> dn="uid=bpr...@example.corp,cn=users,cn=compat,dc=unix,dc=example,dc=corp" 
>> method=128 version=3
>> [24/Mar/2015:12:53:43 +0100] conn=96 op=0 RESULT err=0 tag=97 nentries=0 
>> etime=24 
>> dn="uid=bpr...@example.corp,cn=users,cn=compat,dc=unix,dc=example,dc=corp"
>> [24/Mar/2015:12:53:43 +0100] conn=96 op=-1 fd=110 closed - B1
>> As you can see it also takes quite some time to process the login. Could 
>> that be a problem?
>> The SSSD log files are a bit large with debug_level set to 10 and it will 
>> take me some time to strip all customer data from it. Any log events in 
>> particular you would like to see?
>Does the user that you use (bpr...@example.corp) is a member of many 
>large groups?
>Thank you,
>Dmitri Pal
>Sr. Engineering Manager IdM portfolio
>Red Hat, Inc.

53 groups in total ranging from groups with only a couple of users to groups 
with multiple hundreds of users.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to