On Mon, 13 Jun 2016, David Fischer wrote:
(Note: versions below)
I am getting password failures for accounts coming from a sub-ad domain.
I originally was not able to do 'getent' lookups of random users or groups and
found that it was timing out during ldap scan. I upped the timeout on the 'IPA
Configuration' tab in the web interface and this solved the 'getent' issue.
Now I am able to do 'getent' passwd on all users in a sub-ad domain.
My new problem is that I am now unable to use a password to log in. If I grab a
Kerberos ticket I am able to just ssh into any IPA Unix system, but it fails when
trying to do a password lookup.
The layout of systems is as follows:
1) forest domain with no users or groups
2) child domain with all users and groups.
3) IPA Realm/Domain trusted to forest domain
All users are in a sub-OU below the top of the domain in an OU called Users.
There are about 11K users in this OU, but lookups seem really slow.
I have added to sssd.conf the following:
1) lookup_family_order = ipv4_only
4) subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
Could anyone help direct me to a place to start looking for why lookups are
slow and passwords are not being allowed?
Start with https://fedorahosted.org/sssd/wiki/Troubleshooting
/ Alexander Bokovoy