Hi,
I have trouble with resolving AD users from my IPA clients.
Environment: 2x IPA server with trust into AD - both IPA servers and clients
running latest rhel 7.3.
IPA domain: vs.example.com
AD domain: example.com, cen.example.com
All tstx users are in cen.example.com but their UPN is set to
tstxx...@example.com
I can run id and getent passwd commands without problem from both IPA servers:
id tst99...@example.com
uid=20018(tst99...@cen.example.com) gid=5001(csunix)
groups=5001(csunix),93008(final_test_group)
getent passwd tst99...@example.com
tst99...@cen.example.com:*:20018:5001:ipa_test:/home/cen.example.com/tst99655:/bin/bash
But from client:
root@trh7clnt02:~# id tst99...@example.com
id: tst99...@example.com: no such user
root@trh7clnt02:~# getent passwd tst99...@example.com
... no reply
But when I run on client:
getent group csu...@cen.example.com - it takes more than 30s
csu...@cen.example.com:*:5001: and really long list of users
Then again from client:
root@trh7clnt02:~# id tst99...@example.com
uid=20018(tst99...@cen.example.com) gid=5001(csunix) groups=5001(csunix)
root@trh7clnt02:~# getent passwd tst99...@example.com
tst99...@cen.example.com:*:20018:5001:ipatest:/home/cen.example.com/tst99655:/bin/bash
This time it works and it keeps working until I clean the sssd cache on client.
Then I have to run that getent group csunix command again.
I would say it is some timeout issue with enumerating the csunix group. I have
tried to fix it by adding:
ldap_search_timeout = 50
into sssd.conf on both server and client (sssd restarted), but without effect.
Here is my sssd.conf from client:
[domain/vs.example.com]
debug_level = 7
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = vs.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = trh7clnt02.vs.example.com
chpass_provider = ipa
ipa_server = tidmipa01.vs.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_search_timeout = 50
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = vs.example.com
[nss]
homedir_substring = /home
debug_level = 7
[pam]
debug_level = 7
[sudo]
[autofs]
[ssh]
[pac]
debug_level = 7
[ifp]
IPA server sssd.conf:
[domain/vs.example.com]
debug_level = 7
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = vs.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = tidmipa01.vs.example.com
chpass_provider = ipa
ipa_server = tidmipa01.vs.example.com
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_id_mapping = False
ldap_search_timeout = 20
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = vs.example.com
[nss]
memcache_timeout = 600
debug_level = 7
homedir_substring = /home
[pam]
debug_level = 7
[sudo]
debug_level = 7
[autofs]
debug_level = 7
[ssh]
debug_level = 7
[pac]
debug_level = 7
[ifp]
debug_level = 7
Any suggestions on how to fix that? I can add logs from both the successful and
unsuccessful tries, but they are quite long.
Thank you.
Jan
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
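The post above compares `id` and `getent passwd` output by eye across an IPA server and a client; the lines differ in more than "works / does not work" (the client answer lacks the `final_test_group` membership and the GECOS field differs). The script below is an added example, not part of the mail or of the FreeIPA project: it parses both command outputs into fields and lists every discrepancy between the server view and a client snapshot, treating "no such user" and an empty `getent` reply as a failed lookup. The sample strings are constructed from the outputs quoted in the mail, with the elided username replaced by the placeholder `tst99`.

```python
"""Compare `id` / `getent passwd` results for one AD user as seen from an IPA
server and from an IPA client, and report where they diverge.
Added example; sample data is constructed, adapted from the mail above."""
import re
from dataclasses import dataclass
from typing import Optional

# Matches one "20018(tst99@cen.example.com)" style id(name) token.
ID_TOKEN = re.compile(r"(\d+)\(([^)]*)\)")


@dataclass
class IdRecord:
    uid: int
    user: str
    gid: int
    group: str
    groups: dict   # gid -> group name


@dataclass
class PasswdRecord:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_id(output: str) -> Optional[IdRecord]:
    """Parse the text printed by `id`; return None when the lookup failed."""
    text = " ".join(output.split())          # output may be wrapped across lines in mail
    if not text or "no such user" in text:
        return None
    fields = dict(re.findall(r"\b(uid|gid|groups)=(\S+)", text))
    uid, user = ID_TOKEN.match(fields["uid"]).groups()
    gid, group = ID_TOKEN.match(fields["gid"]).groups()
    groups = {int(g): n for g, n in ID_TOKEN.findall(fields.get("groups", ""))}
    return IdRecord(int(uid), user, int(gid), group, groups)


def parse_passwd(output: str) -> Optional[PasswdRecord]:
    """Parse one `getent passwd` line; an empty reply (no entry) gives None."""
    line = output.strip()
    if not line:
        return None
    parts = line.split(":")
    if len(parts) != 7:
        raise ValueError(f"not a passwd line: {line!r}")
    name, _pw, uid, gid, gecos, home, shell = parts
    return PasswdRecord(name, int(uid), int(gid), gecos, home, shell)


def compare(server_id, client_id, server_pw, client_pw) -> list:
    """Return human-readable discrepancies between the server and client views."""
    problems = []
    if client_id is None:
        problems.append("client: id lookup failed (no such user)")
    elif server_id is not None:
        if server_id.uid != client_id.uid:
            problems.append(f"uid differs: server {server_id.uid}, client {client_id.uid}")
        if server_id.gid != client_id.gid:
            problems.append(f"gid differs: server {server_id.gid}, client {client_id.gid}")
        for gid in sorted(set(server_id.groups) - set(client_id.groups)):
            problems.append(f"group missing on client: {gid}({server_id.groups[gid]})")
        for gid in sorted(set(client_id.groups) - set(server_id.groups)):
            problems.append(f"group only on client: {gid}({client_id.groups[gid]})")
    if client_pw is None:
        problems.append("client: getent passwd returned no entry")
    elif server_pw is not None:
        for attr in ("name", "uid", "gid", "gecos", "home", "shell"):
            s, c = getattr(server_pw, attr), getattr(client_pw, attr)
            if s != c:
                problems.append(f"passwd {attr} differs: server {s!r}, client {c!r}")
    return problems


# --- Constructed sample data (username "tst99" is a placeholder) -------------
SERVER_ID = ("uid=20018(tst99@cen.example.com) gid=5001(csunix)\n"
             "groups=5001(csunix),93008(final_test_group)")
SERVER_PW = "tst99@cen.example.com:*:20018:5001:ipa_test:/home/cen.example.com/tst99655:/bin/bash"
CLIENT_ID_BEFORE = "id: tst99@example.com: no such user"
CLIENT_PW_BEFORE = ""
CLIENT_ID_AFTER = "uid=20018(tst99@cen.example.com) gid=5001(csunix) groups=5001(csunix)"
CLIENT_PW_AFTER = "tst99@cen.example.com:*:20018:5001:ipatest:/home/cen.example.com/tst99655:/bin/bash"


def report(client_id_text: str, client_pw_text: str) -> list:
    """Compare the server view with one client snapshot."""
    return compare(parse_id(SERVER_ID), parse_id(client_id_text),
                   parse_passwd(SERVER_PW), parse_passwd(client_pw_text))


if __name__ == "__main__":
    for label, cid, cpw in (("before group enumeration", CLIENT_ID_BEFORE, CLIENT_PW_BEFORE),
                            ("after group enumeration", CLIENT_ID_AFTER, CLIENT_PW_AFTER)):
        print(f"== {label} ==")
        for p in report(cid, cpw) or ["no differences"]:
            print(" ", p)
```

Feed it the real output captured on each host (for example via `ssh host id user` and `ssh host getent passwd user`) in place of the constructed constants; a non-empty report for the "working" state, such as a missing secondary group, is worth attaching to the question alongside the sssd logs, because it narrows what the client cache actually holds after the group enumeration.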