On Thu, Oct 03, 2019 at 10:48:40AM +0000, SOLER SANGUESA Miguel via 
FreeIPA-users wrote:
> Hello,
> 
> After a primary DNS server problem, I have realized that the IDM client has a 
> timeout of 60 s for the log in.
> As the primary DNS was not working, server used the secondary DNS and it 
> takes 4s for resolving any name, as I use AD users, on the authentication 
> phase, all AD servers must be translated (9 servers) so it makes the 
> authentication very slow and timeout of 60 s is triggered. I have modified 
> the resolv.conf to make the transition to the second DNS server faster 
> (resolving any name takes 2s), and then authentication is done in 48s so it 
> works.
> But what I want to know is how to modify those 60s of timeout. I have checked 
> the logs with debug_level = 9 and I don't see the "timeout" log.
> I have also changed (on client side):
> krb5_auth_timeout = 190
> pam_id_timeout = 190
> but it still has the timeout at 60s

Hi,

how do you try to log in?

There is LOGIN_TIMEOUT in /etc/login.defs, see man login.defs for
details.

HTH

bye,
Sumit

> 
> the client is:
> RHEL 6.10 (but I think it happens the same on RHEL 7)
> sssd-client-1.13.3-60.el6_10.2.x86_64
> ipa-client-3.0.0-51.el6.x86_64
> 
> sssd.conf:
> [domain/IPAdomain]
> krb5_auth_timeout = 190
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = IPAdomain
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt
> ipa_hostname = CLIENT.domain.org
> chpass_provider = ipa
> ipa_server = _srv_, IPASERVER1, IPASERVER2
> dns_discovery_domain = IPAdomain
> [sssd]
> config_file_version = 2
> services = nss, sudo, pam, ssh
> domains = IPAdomain
> default_domain_suffix = AD.domain
> [nss]
> filter_groups = root
> filter_users = root,iccsecure,tomcat,oracle
> reconnection_retries = 3
> [pam]
> reconnection_retries = 3
> pam_id_timeout = 190
> [sudo]
> [ssh]
> 
> On the Server side:
> RHEL 7.6
> sssd-1.16.2-13.el7_6.8.x86_64
> ipa-server-4.6.4-10.el7_6.3.x86_64
> 
> sssd.conf:
> [domain/IPAdomain]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = IPAdomain
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = IPASERVER1
> chpass_provider = ipa
> ipa_server = IPASERVER1
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> subdomain_homedir = %o
> [sssd]
> config_file_version = 2
> services = nss, sudo, pam, ssh
> domains = IPAdomain
> [domain/IPAdomain/ADdomain]
> ldap_search_base = ou=XXX,dc=XXXX,dc=XXXXX,dc=XXX
> [nss]
> filter_groups = root
> filter_users = root, iccsecure, tomcat, oracle
> reconnection_retries = 3
> memcache_timeout = 600
> homedir_substring = /home
> [pam]
> reconnection_retries = 3
> [ssh]
> [sudo]
> 
> I have attached the logs, timeout is triggered at 12:21:50
> 
> Thanks & Regards.






> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org