On Fri, Jul 15, 2016 at 04:35:54PM +0000, Sullivan, Daniel [AAA] wrote:
> Jakub,
> Thank you for replying to me.  Before I forget I will say that I am still on 
> sssd 1.13 on the domain controller; I didn’t upgrade it because I haven’t had 
> any problems logging into that system yet.  That being said:
> Thank you, but did this command return "No such user” ?
> Yes.  Whenever this occurs "No such user" is the result from the id command 
> executed on the client.
> If it did, was the user cached previously (iow, was there a successfull
> lookup before) ?
> No, this is the first time the user has ever been looked up.  As far as I 
> know the user has never been successfully entered into the cache.  Similarly, 
> the user has never logged in to the IPA server via an SSSD client.

Ah, thank you, if the user has not been cached before, then it's
expected that the lookup has nothing to fall back to if the client fails
to look up information from the server.

> Here is an example of a failed lookup from a client:
> [root@cri-kcriwebgdp1 problem]# id hahsan
> id: hahsan: No such user
> The DC logs for this operation are
> NSS - https://gist.github.com/dsulli99/01715234efab09772e8236a13e4f4ef5
> IPA - https://gist.github.com/dsulli99/f3cc92d7c32061fd4676a83a039c31b1

Thank you, I see that there is quite a lot of groups and the lookup
takes a bit of time. I wonder if any of the groups the user is a member
of are large?

If yes (and since moving the cache to tmpfs had helped), I wonder if
also using ignore_group_members would mitigate the issue further, like

subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = True
ldap_purge_cache_timeout = 0

These would go into the domain section on the server itself.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to