On Thu, Feb 04, 2016 at 01:15:17PM -0600, Alan P wrote:
> Hi, 
> 
> I just configured a trust between an IPA and an Active Directory to 
> authenticate IPA users in Windows machines joined in AD domain. The login is 
> successful, but only after several minutes (nearly 25 minutes) in the first 
> attempt; in the next attempts, the required time goes from 5 to 10 min. So, 
> what can I do to reduce the time to something more acceptable? (For 
> reference, when an AD user authenticates it only takes 10 seconds or less).
> 
> My environment is:
> 
> IPA server 4.2.0-15 in a RHEL 7.2
> IPA domain is a subdomain of AD (like ad.example.com and ipa.ad.example.com)
> There are, right now, a few users but it is planned to manage more than 10,000
> The trust was configured as "two way"
> 
> AD is in a Windows Server 2012
> It has the root domain
> I made a domain delegation, so AD is authoritative for ad.example.com and 
> IPA, for ipa.ad.example.com
> All windows client machines are joined here
> There are a few users, but they are only for test purposes
> 
> The authentication in a windows client is:
> user: IPA.AD.EXAMPLE.COM\ipa.user
> pass: ipa user pass
> 
> From IPA console I can make kinit user...@ad.example.com with no problem.

Please see:
    
https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/

We're working on sssd performance fixes for the next version (1.14, will
be in RHEL-7.3)

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
