On Fri, Nov 18, 2016 at 12:09:41PM +0100, rajat gupta wrote:
> Hi,
> 
> 
> I removed the pam_winbind module. Users are able to log in now. But sometimes
> they are not. Below are the logs from when users are not able to log in. Also SSH

see comment at the end of the email.

> login is very slow for AD users. I am using sssd 1.4

Please note that SSSD does more than a simple kinit, it will validate
the returned TGT of the user by requesting a service ticket for a
service from the local keytab. For AD users this requires at least one
round trip to an AD DC and another one to the IPA server. If the AD user
is coming from a member domain in the AD forest and not from the forest
root there are even more round trips.


> =============================
> rpm -qa | grep sssd
> sssd-krb5-common-1.14.0-43.el7.x86_64
> python-sssdconfig-1.14.0-43.el7.noarch
> sssd-ldap-1.14.0-43.el7.x86_64
> sssd-client-1.14.0-43.el7.x86_64
> sssd-ipa-1.14.0-43.el7.x86_64
> sssd-proxy-1.14.0-43.el7.x86_64
> sssd-common-1.14.0-43.el7.x86_64
> sssd-ad-1.14.0-43.el7.x86_64
> sssd-1.14.0-43.el7.x86_64
> sssd-krb5-1.14.0-43.el7.x86_64
> sssd-common-pac-1.14.0-43.el7.x86_64
> ===========================
> 
> =====================================
> My sssd.conf on ipa client
> 
> cat /etc/sssd/sssd.conf
> [domain/ipa.preprod.local]
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ipa.ipadomain.local
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ilt-gif-ipa02.ipa.ipadomain.local
> chpass_provider = ipa
> ipa_server = _srv_, ilt-gif-ipa01.ipa.ipadomain.local
> ldap_tls_cacert = /etc/ipa/ca.crt
> debug_level = 10
> krb5_use_enterprise_principal = True
> 
> 
> 
> [sssd]
> default_domain_suffix = corp.addomain.com
> services = nss, sudo, pam, ssh
> 
> domains = ipa.ipadomain.local
> debug_level = 10
> 
> [nss]
> override_homedir = /home/%u
> debug_level = 10
> 
> 
> 
> [pam]
> debug_level = 10
> 
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> debug_level = 10
> 
> 
> [pac]
> 
> [ifp]
> ==============================================
> 
> 
> 
...
> (Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16084]]]] [main] (0x0400):
> krb5_child started.
> (Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16084]]]] [unpack_buffer]
> (0x1000): total buffer size: [168]
> (Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16084]]]] [unpack_buffer]
> (0x0100): cmd [241] uid [1007629326] gid [1007629326] validate [true]
> enterprise principal [false] offline [true] UPN [subarancha...@mydomaon.com]

SSSD is in offline mode again; if the user has never successfully logged in
with a password, authentication will fail. You should check the SSSD
domain log to figure out why SSSD switches into offline mode.

HTH

bye,
Sumit

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project