-----Original Message-----
From: Alexander Bokovoy <aboko...@redhat.com>
To: David Fischer <dfisc...@petsmart.com>
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users
Date: Mon, 13 Jun 2016 12:07:29 -0700


On Mon, 13 Jun 2016, David Fischer wrote:


(Note: versions below)

All,
I am getting password failures for accounts coming from a sub-AD domain.
I originally was not able to do 'getent' lookups of random users or groups and 
found that it was timing out during the LDAP scan. I upped the timeout on the 'IPA 
Configuration' tab in the web interface and this solved the 'getent' issue.  
Now I am able to do 'getent passwd' on all users in a sub-AD domain.

My new problem is that I am now unable to use a password to log in.  If I grab a 
Kerberos ticket I am able to just ssh into any IPA Unix system, but it fails when 
trying to do a password login.

The layout of the systems is as follows:

1) forest domain with no users or groups
2) child domain with all users and groups
3) IPA realm/domain trusted to the forest domain

All users are in a sub-OU below the top of the domain in an OU called Users.  
There are about 11K users in this OU, but lookups seem really slow.

I have added the following to sssd.conf:
1) lookup_family_order = ipv4_only
2) ignore_group_members=True
3) ldap_purge_cache_timeout=0
4) subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
5) debug_level=9

Could anyone help direct me to a place to start looking for why lookups are 
slow and passwords are not being allowed?


Start with https://fedorahosted.org/sssd/wiki/Troubleshooting


Alexander,

Thanks, I am already running through this guide.


One of the things that is happening is I can create a user with a minimal set of groups and 
that account is able to log in.  So I am adding groups that other users have, one 
at a time, to see what affects this.


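For reference, here is how the options David lists would sit in a complete sssd.conf on an IPA client with an AD trust. This is an added example, not a file from the thread or from the FreeIPA/SSSD projects; the IPA domain name `ipa.example.test`, the server name and the service list are assumed for illustration. The point it makes that the list above does not: all five options belong in the `[domain/...]` section of the IPA domain, and only the options named in `subdomain_inherit` are copied into the implicit sub-domain sections SSSD creates for the trusted AD domains, so settings that are not inherited apply to the IPA domain alone.

```ini
# Added example (not from the thread): minimal sssd.conf on an IPA client.
# Domain and server names are assumptions for illustration only.
[sssd]
config_file_version = 2
services = nss, pam
domains = ipa.example.test
debug_level = 9

# Per-responder logging; the password-login failure will show up in
# sssd_pam.log, the slow lookups in sssd_nss.log and the domain log.
[nss]
debug_level = 9

[pam]
debug_level = 9

[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = ipa.example.test
ipa_server = _srv_, ipa1.ipa.example.test
debug_level = 9

# The options from the message; they go here, in the IPA domain section.
lookup_family_order = ipv4_only
ignore_group_members = True
ldap_purge_cache_timeout = 0

# Trusted AD domains are handled as sub-domains of the IPA domain. Only the
# options listed here are applied to them as well; everything else above
# stays specific to the IPA domain itself.
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
```

Note that `ignore_group_members` only changes how group objects are resolved (membership is not downloaded), so it speeds up `getent group` and `id` but does not touch the authentication path; a password failure for a trusted user is better traced through `/var/log/sssd/sssd_pam.log` and the `sssd_ipa.example.test.log` domain log with `debug_level = 9` set in both sections, as shown.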
