Hi, I have trouble with resolving AD users from my IPA clients.
Environment: 2x IPA server with trust into AD; both IPA servers and clients running latest RHEL 7.3.
IPA domain: vs.example.com
AD domains: example.com, cen.example.com
All tstxxxxx users are in cen.example.com but their UPN is set to tstxx...@example.com.

I can run id and getent passwd commands without problem from both IPA servers:

id tst99...@example.com
uid=20018(tst99...@cen.example.com) gid=5001(csunix) groups=5001(csunix),930000008(final_test_group)

getent tst99...@example.com
tst99...@cen.example.com:*:20018:5001:ipa_test:/home/cen.example.com/tst99655:/bin/bash

But from client:

root@trh7clnt02:~# id tst99...@example.com
id: tst99...@example.com: no such user
root@trh7clnt02:~# getent passwd tst99...@example.com
... no reply

But when I run on client:

getent group csu...@cen.example.com

it takes more than 30s:

csu...@cen.example.com:*:5001: .... and really long list of users

Then again from client:

root@trh7clnt02:~# id tst99...@example.com
uid=20018(tst99...@cen.example.com) gid=5001(csunix) groups=5001(csunix)
root@trh7clnt02:~# getent passwd tst99...@example.com
tst99...@cen.example.com:*:20018:5001:ipatest:/home/cen.example.com/tst99655:/bin/bash

This time it works, and it keeps working until I clean the sssd cache on the client. Then I have to run that getent group csunix command again. I would say it is some timeout issue with enumerating the csunix group. I have tried to fix it by adding:

ldap_search_timeout = 50

into sssd.conf on both server and client (sssd restarted), but without effect.
Here is my sssd.conf from client:

[domain/vs.example.com]
debug_level = 7
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = vs.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = trh7clnt02.vs.example.com
chpass_provider = ipa
ipa_server = tidmipa01.vs.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_search_timeout = 50
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = vs.example.com
[nss]
homedir_substring = /home
debug_level = 7
[pam]
debug_level = 7
[sudo]
[autofs]
[ssh]
[pac]
debug_level = 7
[ifp]

IPA server sssd.conf:

[domain/vs.example.com]
debug_level = 7
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = vs.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = tidmipa01.vs.example.com
chpass_provider = ipa
ipa_server = tidmipa01.vs.example.com
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_id_mapping = False
ldap_search_timeout = 20
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = vs.example.com
[nss]
memcache_timeout = 600
debug_level = 7
homedir_substring = /home
[pam]
debug_level = 7
[sudo]
debug_level = 7
[autofs]
debug_level = 7
[ssh]
debug_level = 7
[pac]
debug_level = 7
[ifp]
debug_level = 7

Any suggestion on how to fix that? I can add logs from both the successful and unsuccessful try, but they are quite long.

Thank you.
Jan
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
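The lookup sequence the post walks through (flush cache, id fails, slow getent group, id works), as an added diagnostic script that is not part of the original message: it times each step and shows which canonical name the UPN-style name was resolved to. Assumptions not taken from the post: the user and group names are constructed placeholders, the cache is flushed with sss_cache -E, and the sequence only runs when RUN_REPRODUCE=yes is set so the helper functions can be exercised on their own.

```shell
#!/bin/sh
# Time the sequence from the post on an IPA client; compare UPN and canonical domains.
UPN_USER="${1:-tst00001@example.com}"      # constructed placeholder, pass the real UPN as $1
AD_GROUP="${2:-csunix@cen.example.com}"    # constructed placeholder, pass the real group as $2

# timed_lookup LABEL CMD... : run CMD quietly, print "LABEL status=N seconds=S",
# and return CMD's exit status so callers can branch on success or failure.
timed_lookup() {
    label=$1; shift
    start=$(date +%s)
    "$@" >/dev/null 2>&1
    status=$?
    end=$(date +%s)
    echo "$label status=$status seconds=$((end - start))"
    return $status
}

# canonical_name PASSWD_LINE : first field of a getent passwd line, i.e. the name
# SSSD actually resolved to (user@cen.example.com in the post, not the UPN domain).
canonical_name() {
    printf '%s\n' "$1" | cut -d: -f1
}

# domain_of NAME : lower-cased part after the '@'; empty when NAME has no '@'.
domain_of() {
    case $1 in
        *@*) printf '%s\n' "${1#*@}" | tr 'A-Z' 'a-z' ;;
        *)   printf '\n' ;;
    esac
}

# reproduce : flush the SSSD cache, then run the post's sequence and report
# how long each step took and whether the UPN domain differs from the canonical one.
reproduce() {
    sss_cache -E                                   # assumed: invalidate all cached entries
    timed_lookup "id-before-group" id "$UPN_USER" || true   # expected to fail per the post
    timed_lookup "getent-group"    getent group "$AD_GROUP" || true
    timed_lookup "id-after-group"  id "$UPN_USER" || true
    line=$(getent passwd "$UPN_USER") || return 1
    name=$(canonical_name "$line")
    echo "requested $UPN_USER (UPN domain: $(domain_of "$UPN_USER"))"
    echo "resolved  $name (canonical domain: $(domain_of "$name"))"
}

case ${RUN_REPRODUCE:-no} in yes) reproduce ;; esac
```

Run it as root on the client with RUN_REPRODUCE=yes and the real names; a large gap between the getent-group time and the id times, together with the before/after status flip, is the behaviour the post describes.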