On Mon, 13 Jun 2016, David Fischer wrote:
(Note: versions below)

I am getting password failures for accounts coming from a sub-AD domain.
I originally was not able to do 'getent' lookups of random users or groups and 
found that it was timing out during the LDAP scan. I upped the timeout on the 'IPA 
Configuration' tab in the web interface and this solved the 'getent' issue.  
Now I am able to do 'getent passwd' on all users in a sub-AD domain.

My new problem is that I am now unable to use a password to log in.  If I grab a 
Kerberos ticket I am able to just ssh into any IPA Unix system, but it fails when 
trying to do a password lookup.

The layout of the systems is as follows:

1) forest domain with no users or groups
2) child domain with all users and groups.
3) IPA Realm/Domain trusted to forest domain

All users are in a sub-OU below the top of the domain in an OU called Users.  
There are about 11K users in this OU, but lookups seem really slow.

I have added the following to sssd.conf:
1) lookup_family_order = ipv4_only
2) ignore_group_members=True
3) ldap_purge_cache_timeout=0
4) subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
5) debug_level=9

Could anyone help direct me to a place to start looking for why lookups are 
slow and passwords are not being allowed?
Start with https://fedorahosted.org/sssd/wiki/Troubleshooting
/ Alexander Bokovoy
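The five options listed in the question are only meaningful in the right section of sssd.conf, and two of them have to be explicitly inherited into the trusted AD subdomain to take effect there. The following is an added example (not a configuration posted in this thread) of an IPA-client domain section with those options placed where SSSD reads them; the domain and server names are assumed.

```ini
# Added example, not from the thread: sssd.conf on an IPA client that resolves
# users from an AD child domain via the IPA trust. Names below are assumptions.
[sssd]
services = nss, pam
domains = ipa.example.com

[domain/ipa.example.com]
id_provider = ipa
auth_provider = ipa
ipa_domain = ipa.example.com
ipa_server = _srv_, ipa1.ipa.example.com

# Resolve servers over IPv4 only; avoids waiting on AAAA lookups that time out.
lookup_family_order = ipv4_only

# Do not pull the full member list of every group a user belongs to.
# With ~11K users and large AD groups this is the usual cause of slow lookups.
ignore_group_members = True

# 0 disables the periodic purge of the cached LDAP entries.
ldap_purge_cache_timeout = 0

# Options set in this section apply to the IPA domain itself; the trusted AD
# subdomains only pick them up when they are named here.
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout

# Verbose logging for diagnosis; output goes to
# /var/log/sssd/sssd_ipa.example.com.log. Lower it again once the cause is found.
debug_level = 9
```

Restart sssd after editing the file and clear the cache (sss_cache -E) so that stale entries do not mask the effect of the change; then repeat the getent lookup and the password login while watching the domain log for the request that fails.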
