On Tue, Jan 03, 2017 at 03:39:19PM +0100, Jan Karásek wrote:
> Hi, 
> 
> I have trouble with resolving AD users from my IPA clients. 
> 
> Environment: 2x IPA server with trust into AD - both IPA servers and clients 
> running latest rhel 7.3. 
> 
> IPA domain: vs.example.com 
> AD domain: example.com, cen.example.com 
> 
> All tstxxxxx users are in cen.example.com but their UPN is set to 
> tstxx...@example.com 
> 
> I can run id and getent passwd commands without problem from both IPA 
> servers: 
> 
> id tst99...@example.com 
> uid=20018(tst99...@cen.example.com) gid=5001(csunix) 
> groups=5001(csunix),930000008(final_test_group) 
> 
> getent tst99...@example.com 
> tst99...@cen.example.com:*:20018:5001:ipa_test:/home/cen.example.com/tst99655:/bin/bash
>  
> 
> But from client: 
> 
> root@trh7clnt02:~# id tst99...@example.com 
> id: tst99...@example.com: no such user 
> root@trh7clnt02:~#getent passwd tst99...@example.com 
> ... no reply 
> 
> 
> But when I run on client: 
> getent group csu...@cen.example.com - it takes more then 30s 
> csu...@cen.example.com:*:5001: .... and really long list of users 
> 
> Then again from client: 
> 
> root@trh7clnt02:~# id tst99...@example.com 
> uid=20018(tst99...@cen.example.com) gid=5001(csunix) groups=5001(csunix) 
> 
> root@trh7clnt02:~# getent passwd tst99...@example.com 
> tst99...@cen.example.com:*:20018:5001:ipatest:/home/cen.example.com/tst99655:/bin/bash
>  
> 
> This time it works and it keeps working until I clean the sssd cache on 
> client. Then I have to run that getent group csunix command again. 
> 
> I would say it is some timeout issue with enumerating csunix group. I have 
> tried to fix it by adding: 
> 
> ldap_search_timeout = 50 

I don't think this would be related to the searches timing out but
probably parsing and storing the entries on the server and the client.

Could you try adding this on the server side's sssd.conf?

[domain/domname]
subdomain_inherit = ignore_group_members
ignore_group_members = True

By the way, did you install 7.3 cleanly or did you upgrade? And if you
upgraded, did you ever removed the cache post-upgrade on the server?

There's been some improvements related to performance in 7.3 and even
more are coming in 7.4.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to