Re: [Freeipa-users] Unable to resolve AD users from IPA clients

2017-01-03 Thread Jakub Hrozek
On Tue, Jan 03, 2017 at 03:39:19PM +0100, Jan Karásek wrote:
> Hi, 
> 
> I have trouble with resolving AD users from my IPA clients. 
> 
> Environment: 2x IPA server with trust into AD - both IPA servers and clients 
> running latest rhel 7.3. 
> 
> IPA domain: vs.example.com 
> AD domain: example.com, cen.example.com 
> 
> All tstx users are in cen.example.com but their UPN is set to 
> tstxx...@example.com 
> 
> I can run id and getent passwd commands without problem from both IPA 
> servers: 
> 
> id tst99...@example.com 
> uid=20018(tst99...@cen.example.com) gid=5001(csunix) 
> groups=5001(csunix),93008(final_test_group) 
> 
> getent tst99...@example.com 
> tst99...@cen.example.com:*:20018:5001:ipa_test:/home/cen.example.com/tst99655:/bin/bash
>  
> 
> But from client: 
> 
> root@trh7clnt02:~# id tst99...@example.com 
> id: tst99...@example.com: no such user 
> root@trh7clnt02:~#getent passwd tst99...@example.com 
> ... no reply 
> 
> 
> But when I run on client: 
> getent group csu...@cen.example.com - it takes more than 30s 
> csu...@cen.example.com:*:5001:  and really long list of users 
> 
> Then again from client: 
> 
> root@trh7clnt02:~# id tst99...@example.com 
> uid=20018(tst99...@cen.example.com) gid=5001(csunix) groups=5001(csunix) 
> 
> root@trh7clnt02:~# getent passwd tst99...@example.com 
> tst99...@cen.example.com:*:20018:5001:ipatest:/home/cen.example.com/tst99655:/bin/bash
>  
> 
> This time it works and it keeps working until I clean the sssd cache on 
> client. Then I have to run that getent group csunix command again. 
> 
> I would say it is some timeout issue with enumerating csunix group. I have 
> tried to fix it by adding: 
> 
> ldap_search_timeout = 50 

I don't think this would be related to the searches timing out but
probably parsing and storing the entries on the server and the client.

Could you try adding this on the server side's sssd.conf?

[domain/domname]
subdomain_inherit = ignore_group_members
ignore_group_members = True

By the way, did you install 7.3 cleanly or did you upgrade? And if you
upgraded, did you ever remove the cache post-upgrade on the server?

There have been some improvements related to performance in 7.3 and even
more are coming in 7.4.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
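An added check, not from either poster, that audits an IPA server's sssd.conf for the two options suggested in the reply above (subdomain_inherit = ignore_group_members and ignore_group_members = True in the server-mode domain section) and can emit the corrected file; the sample config is a constructed, abbreviated copy of the server sssd.conf from the post.

```python
import configparser
import io

# Constructed sample: the IPA server sssd.conf from the post, abbreviated.
SERVER_CONF = """\
[domain/vs.example.com]
ipa_domain = vs.example.com
id_provider = ipa
ipa_server_mode = True
ldap_search_timeout = 20
[sssd]
services = nss, sudo, pam, ssh
domains = vs.example.com
"""

def parse_sssd_conf(text):
    # sssd.conf is INI-style; no '%' interpolation, so values are taken literally
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def is_true(value):
    return value is not None and value.strip().lower() in ("true", "yes", "1")

def audit(cp):
    """Findings per domain section that runs in IPA server mode."""
    findings = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        sec = cp[section]
        if not is_true(sec.get("ipa_server_mode")):
            continue  # clients do not carry the server-side tuning
        issues = []
        inherit = [s.strip() for s in sec.get("subdomain_inherit", "").split(",")]
        if "ignore_group_members" not in inherit:
            issues.append("subdomain_inherit lacks ignore_group_members")
        if not is_true(sec.get("ignore_group_members")):
            issues.append("ignore_group_members is not True")
        if "ldap_search_timeout" in sec:
            issues.append("ldap_search_timeout set (tried in the thread, not the cause)")
        findings[section] = issues
    return findings

def apply_fix(cp, section):
    """Add the two options the reply suggests and return the new config text."""
    cp.set(section, "subdomain_inherit", "ignore_group_members")
    cp.set(section, "ignore_group_members", "True")
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()
```

Run it against /etc/sssd/sssd.conf on the IPA server, then restart sssd and clear the cache (sss_cache -E) before re-testing the client lookups.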


[Freeipa-users] Unable to resolve AD users from IPA clients

2017-01-03 Thread Jan Karásek
Hi, 

I have trouble with resolving AD users from my IPA clients. 

Environment: 2x IPA server with trust into AD - both IPA servers and clients 
running latest rhel 7.3. 

IPA domain: vs.example.com 
AD domain: example.com, cen.example.com 

All tstx users are in cen.example.com but their UPN is set to 
tstxx...@example.com 

I can run id and getent passwd commands without problem from both IPA servers: 

id tst99...@example.com 
uid=20018(tst99...@cen.example.com) gid=5001(csunix) 
groups=5001(csunix),93008(final_test_group) 

getent tst99...@example.com 
tst99...@cen.example.com:*:20018:5001:ipa_test:/home/cen.example.com/tst99655:/bin/bash
 

But from client: 

root@trh7clnt02:~# id tst99...@example.com 
id: tst99...@example.com: no such user 
root@trh7clnt02:~#getent passwd tst99...@example.com 
... no reply 


But when I run on client: 
getent group csu...@cen.example.com - it takes more than 30s 
csu...@cen.example.com:*:5001:  and really long list of users 

Then again from client: 

root@trh7clnt02:~# id tst99...@example.com 
uid=20018(tst99...@cen.example.com) gid=5001(csunix) groups=5001(csunix) 

root@trh7clnt02:~# getent passwd tst99...@example.com 
tst99...@cen.example.com:*:20018:5001:ipatest:/home/cen.example.com/tst99655:/bin/bash
 

This time it works and it keeps working until I clean the sssd cache on client. 
Then I have to run that getent group csunix command again. 

I would say it is some timeout issue with enumerating csunix group. I have 
tried to fix it by adding: 

ldap_search_timeout = 50 

into sssd.conf on both server and client (sssd restarted), but without effect. 
Here is my sssd.conf from client: 

[domain/vs.example.com] 
debug_level = 7 
cache_credentials = True 
krb5_store_password_if_offline = True 
ipa_domain = vs.example.com 
id_provider = ipa 
auth_provider = ipa 
access_provider = ipa 
ipa_hostname = trh7clnt02.vs.example.com 
chpass_provider = ipa 
ipa_server = tidmipa01.vs.example.com 
ldap_tls_cacert = /etc/ipa/ca.crt 
ldap_search_timeout = 50 

[sssd] 
services = nss, sudo, pam, ssh 
config_file_version = 2 
domains = vs.example.com 
[nss] 
homedir_substring = /home 
debug_level = 7 
[pam] 
debug_level = 7 
[sudo] 
[autofs] 
[ssh] 
[pac] 
debug_level = 7 
[ifp] 

IPA server sssd.conf: 

[domain/vs.example.com] 
debug_level = 7 
cache_credentials = True 
krb5_store_password_if_offline = True 
ipa_domain = vs.example.com 
id_provider = ipa 
auth_provider = ipa 
access_provider = ipa 
ipa_hostname = tidmipa01.vs.example.com 
chpass_provider = ipa 
ipa_server = tidmipa01.vs.example.com 
ipa_server_mode = True 
ldap_tls_cacert = /etc/ipa/ca.crt 
ldap_id_mapping = False 
ldap_search_timeout = 20 
[sssd] 
services = nss, sudo, pam, ssh 
config_file_version = 2 
domains = vs.example.com 
[nss] 
memcache_timeout = 600 
debug_level = 7 
homedir_substring = /home 
[pam] 
debug_level = 7 
[sudo] 
debug_level = 7 
[autofs] 
debug_level = 7 
[ssh] 
debug_level = 7 
[pac] 
debug_level = 7 
[ifp] 
debug_level = 7 

Any suggestion on how to fix that? I can add logs from both the successful and 
the unsuccessful try, but they are quite long. 

Thank you. 
Jan 
