On Fri, Nov 18, 2016 at 12:09:41PM +0100, rajat gupta wrote:
> Hi,
>
> I removed the pam_winbind module. Users are able to log in now, but sometimes
> they are not. Below are the logs from when users are not able to log in. Also SSH

see comment at the end of the email.

> login is very slow for AD users. I am using sssd 1.4

Please note that SSSD does more than a simple kinit: it will validate the
returned TGT of the user by requesting a service ticket for a service from the
local keytab. For AD users this requires at least one round trip to an AD DC
and another one to the IPA server. If the AD user is coming from a member
domain in the AD forest and not from the forest root, there are even more
round trips.

> =============================
> rpm -qa | grep sssd
> sssd-krb5-common-1.14.0-43.el7.x86_64
> python-sssdconfig-1.14.0-43.el7.noarch
> sssd-ldap-1.14.0-43.el7.x86_64
> sssd-client-1.14.0-43.el7.x86_64
> sssd-ipa-1.14.0-43.el7.x86_64
> sssd-proxy-1.14.0-43.el7.x86_64
> sssd-common-1.14.0-43.el7.x86_64
> sssd-ad-1.14.0-43.el7.x86_64
> sssd-1.14.0-43.el7.x86_64
> sssd-krb5-1.14.0-43.el7.x86_64
> sssd-common-pac-1.14.0-43.el7.x86_64
> ===========================
>
> =====================================
> My sssd.conf on ipa client
>
> cat /etc/sssd/sssd.conf
> [domain/ipa.preprod.local]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ipa.ipadomain.local
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ilt-gif-ipa02.ipa.ipadomain.local
> chpass_provider = ipa
> ipa_server = _srv_, ilt-gif-ipa01.ipa.ipadomain.local
> ldap_tls_cacert = /etc/ipa/ca.crt
> debug_level = 10
> krb5_use_enterprise_principal = True
>
> [sssd]
> default_domain_suffix = corp.addomain.com
> services = nss, sudo, pam, ssh
>
> domains = ipa.ipadomain.local
> debug_level = 10
>
> [nss]
> override_homedir = /home/%u
> debug_level = 10
>
> [pam]
> debug_level = 10
>
> [sudo]
>
> [autofs]
>
> [ssh]
> debug_level = 10
>
> [pac]
>
> [ifp]
> ==============================================
>
> ...
> (Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16084]]]] [main] (0x0400):
> krb5_child started.
> (Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16084]]]] [unpack_buffer]
> (0x1000): total buffer size: [168]
> (Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16084]]]] [unpack_buffer]
> (0x0100): cmd [241] uid [1007629326] gid [1007629326] validate [true]
> enterprise principal [false] offline [true] UPN [[email protected]]

SSSD is in offline mode again; if the user has never successfully logged in
with a password, authentication will fail. You should check the SSSD domain
log to figure out why SSSD switches into offline mode.

HTH

bye,
Sumit

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
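As an added example (not part of the thread and not SSSD's own code), the script below parses krb5_child log lines in the format quoted above and lists the authentication requests that were handled in offline mode, which is the symptom Sumit points at. The UPN values and the fourth sample line are constructed; the first three reproduce the thread's lines re-joined onto single lines.

```python
import re
from typing import Iterable, Iterator, Optional, Tuple

# Prefix shared by every krb5_child line: "(timestamp) [[sssd[krb5_child[pid]]]] [function]"
PREFIX_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[(?P<comp>\w+)\[(?P<pid>\d+)\]\]\]\] \[(?P<func>\w+)\]"
)
# "name [value]" pairs that unpack_buffer logs for an authentication request.
FIELD_RE = re.compile(r"(cmd|uid|gid|validate|enterprise principal|offline|UPN) \[([^\]]*)\]")

# Constructed sample log: lines 1-3 follow the thread (UPN replaced by a constructed
# value), line 4 is a constructed request handled while SSSD was online, for contrast.
SAMPLE_LOG = [
    "(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16084]]]] [main] (0x0400): krb5_child started.",
    "(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16084]]]] [unpack_buffer] (0x1000): total buffer size: [168]",
    "(Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16084]]]] [unpack_buffer] (0x0100): cmd [241] "
    "uid [1007629326] gid [1007629326] validate [true] enterprise principal [false] offline [true] "
    "UPN [user@CORP.ADDOMAIN.COM]",
    "(Fri Nov 18 11:47:02 2016) [[sssd[krb5_child[16101]]]] [unpack_buffer] (0x0100): cmd [241] "
    "uid [1007629327] gid [1007629327] validate [true] enterprise principal [false] offline [false] "
    "UPN [other@CORP.ADDOMAIN.COM]",
]


def parse_krb5_child_request(line: str) -> Optional[dict]:
    """Return the request fields of an unpack_buffer line, or None for other lines."""
    m = PREFIX_RE.match(line)
    if not m or m.group("func") != "unpack_buffer":
        return None
    fields = dict(FIELD_RE.findall(line))
    if "cmd" not in fields:
        return None  # the "total buffer size" line carries no request fields
    return {
        "timestamp": m.group("ts"),
        "child_pid": int(m.group("pid")),
        "cmd": int(fields["cmd"]),
        "uid": int(fields["uid"]),
        "validate": fields["validate"] == "true",  # TGT validated against the local keytab
        "offline": fields["offline"] == "true",    # request served while the backend was offline
        "upn": fields["UPN"],
    }


def offline_auth_attempts(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (timestamp, UPN) for every request krb5_child processed in offline mode."""
    for line in lines:
        req = parse_krb5_child_request(line)
        if req and req["offline"]:
            yield req["timestamp"], req["upn"]


if __name__ == "__main__":
    for ts, upn in offline_auth_attempts(SAMPLE_LOG):
        print(f"{ts}: {upn} authenticated while SSSD was offline (check the domain log around this time)")
```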
