Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users

2016-06-17 Thread David Fischer


-Original Message-
From: Alexander Bokovoy <aboko...@redhat.com>
To: David Fischer <dfisc...@petsmart.com>
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users
Date: Fri, 17 Jun 2016 05:02:59 -0700


> On Thu, 16 Jun 2016, David Fischer wrote:
> > Alexander,
> >
> > Ok I figured most of my issues were ldap search time out and also
> > ldap_idmap_range_size was too small.
>
> Good.
>
> > So I am left with one last problem is that any new users can log in via
> > password but existing users' passwords do not work but kerberos tickets
> > do.  So is there another setting I am missing. getent and id -a both
> > work fine and there are no HBAC.  Any thought would be helpful.
>
> New users where? In Active Directory or in IPA? In case of
> authentication checks you need to look at the SSSD domain log together
> with the pam log and krb5_child log.

Sorry, yes, all accounts will live in AD.

So any users that I have created in AD after the trust was created I am able to
log in as; any accounts from before give a password failure.

Thanks
#
The information contained in this electronic mail message, including 
attachments, if any, is PetSmart confidential information. It is intended only 
for the use of the person(s) named above. If the reader of this message is not 
the intended recipient, or has received this message in error, you are hereby 
notified that any review, dissemination, distribution or copying of this 
communication is strictly prohibited. If you are not the intended recipient or 
have received this message in error, please notify the sender via e-mail and 
promptly delete the original message.
#

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users

2016-06-17 Thread Alexander Bokovoy

On Thu, 16 Jun 2016, David Fischer wrote:
> Alexander,
>
> Ok I figured most of my issues were ldap search time out and also
> ldap_idmap_range_size was too small.

Good.

> So I am left with one last problem is that any new users can log in via
> password but existing users' passwords do not work but kerberos tickets
> do.  So is there another setting I am missing. getent and id -a both
> work fine and there are no HBAC.  Any thought would be helpful.

New users where? In Active Directory or in IPA? In case of
authentication checks you need to look at the SSSD domain log together
with the pam log and krb5_child log.



--
/ Alexander Bokovoy

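Alexander's advice above is to read the SSSD domain log, the pam log and the krb5_child log together. The following is an added shell example, not from the thread and not SSSD's own tooling, of the first thing a practitioner does with those files: every SSSD log line carries its level as a hex bitmask in parentheses before the colon (0x0010 fatal, 0x0020 critical, 0x0040 serious, 0x0080 minor; 0x0100 and above are configuration and trace output), so with debug_level=9 turning on every level, as in the poster's sssd.conf, the failure lines can be picked out by that field. The sample lines are constructed in the SSSD layout of the time to resemble a rejected password; they are not from the poster's system, and the domain name is made up.

```shell
#!/bin/sh
# Added example (not from the thread, not SSSD's own tooling): filter SSSD logs
# down to the failure-level lines so the domain log, sssd_pam.log and
# krb5_child.log can be read side by side. Each SSSD log line carries its level
# as a hex bitmask in parentheses before the colon; the four low bits are the
# failure levels: 0x0010 fatal, 0x0020 critical, 0x0040 serious, 0x0080 minor.

# Constructed sample lines in the 2016-era SSSD layout. They are made up to
# resemble a password failure; the domain name ipa.example.test is an assumption.
SAMPLE_LOG='(Thu Jun 16 09:12:01 2016) [sssd[be[ipa.example.test]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=user)]
(Thu Jun 16 09:12:31 2016) [sssd[be[ipa.example.test]]] [sdap_op_timeout] (0x0040): Client timed out before completion
(Thu Jun 16 09:12:31 2016) [sssd[be[ipa.example.test]]] [krb5_auth_done] (0x0040): The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information
(Thu Jun 16 09:12:31 2016) [sssd[krb5_child[21577]]] [get_and_save_tgt] (0x0020): 1441: [-1765328360][Preauthentication failed]
(Thu Jun 16 09:12:32 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [7 (Authentication failure)][ipa.example.test]'

# level_name LEVEL : the name SSSD gives to a failure level (hex or decimal)
level_name() {
    case $(( $1 )) in
        16)  echo fatal ;;
        32)  echo critical ;;
        64)  echo serious ;;
        128) echo minor ;;
        *)   echo trace ;;   # 0x0100 and up: config settings, function data, traces
    esac
}

# sssd_failures [MAX_LEVEL] : read log lines on stdin and print only those whose
# level is at or below MAX_LEVEL (default 0x0080, i.e. every failure level);
# lines without a level field, such as wrapped continuations, are skipped
sssd_failures() {
    max=$(( ${1:-0x0080} ))
    while IFS= read -r line; do
        case $line in
            *"(0x"*"):"*) ;;
            *) continue ;;
        esac
        rest=${line#*\(0x}         # text after the first "(0x"
        hex=${rest%%\)*}           # hex digits up to the closing parenthesis
        if [ "$(( 0x$hex ))" -le "$max" ]; then
            printf '%s\n' "$line"
        fi
    done
    return 0
}

# failure_count [MAX_LEVEL] : number of lines on stdin that sssd_failures keeps
failure_count() {
    sssd_failures "$@" | wc -l | tr -d ' '
}

# Stand-alone run: the three failure lines of the constructed sample, in log order
printf '%s\n' "$SAMPLE_LOG" | sssd_failures
```

On a real system the input is the three files Alexander names, in their default locations: `cat /var/log/sssd/sssd_ipa.example.test.log /var/log/sssd/krb5_child.log /var/log/sssd/sssd_pam.log | sssd_failures`, with the real domain name substituted. The numeric code in the constructed krb5_child line is Kerberos' KRB5KDC_ERR_PREAUTH_FAILED, the usual signature of a password the KDC rejected; whether that, an LDAP timeout or something else is behind the poster's failures is exactly what the three logs, read at the same timestamp, would show.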


Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users

2016-06-16 Thread David Fischer
Alexander,

Ok I figured most of my issues were ldap search time out and also 
ldap_idmap_range_size was too small.

So I am left with one last problem is that any new users can log in via password 
but existing users' passwords do not work but kerberos tickets do.
So is there another setting I am missing. getent and id -a both work fine and 
there are no HBAC.  Any thought would be helpful.

Thanks

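The "ldap_idmap_range_size was too small" finding above rests on a small piece of arithmetic, shown here as an added shell example that is not from the thread and not IPA or SSSD code. An IPA ID range of type ipa-ad-trust is described by ipaBaseID, ipaBaseRID and ipaIDRangeSize (visible with `ipa idrange-find`), and a trusted user's POSIX ID is ipaBaseID + (RID - ipaBaseRID), defined only while RID - ipaBaseRID is below ipaIDRangeSize; a RID past the end of the range gets no POSIX ID at all. SSSD's ldap_idmap_range_size for the AD provider has the same shape and the same 200000 default. The domain SID and base ID below are made up; 200000 is the default range size IPA assigns when a trust is established.

```shell
#!/bin/sh
# Added example (not from the thread, not IPA or SSSD code): the arithmetic an
# IPA "ipa-ad-trust" ID range applies to a user's SID,
#     posix_id = ipaBaseID + (RID - ipaBaseRID)
# which is only defined while 0 <= RID - ipaBaseRID < ipaIDRangeSize. A RID past
# the end of the range gets no POSIX ID, which is what a too-small range size
# looks like from the client.

# Constructed values: the domain SID and base ID are made up; 200000 is the
# default range size IPA assigns when a trust is established.
DOMAIN_SID="S-1-5-21-1111111111-2222222222-3333333333"
BASE_ID=1200000000
BASE_RID=0
RANGE_SIZE=200000

# rid_of SID : the relative identifier, i.e. the last dash-separated field
rid_of() {
    printf '%s\n' "${1##*-}"
}

# domain_of SID : everything before the RID, i.e. the domain SID
domain_of() {
    printf '%s\n' "${1%-*}"
}

# map_sid SID [BASE_ID BASE_RID RANGE_SIZE] : print the POSIX ID for SID and
# return 0, or print nothing and return 1 when SID belongs to another domain or
# its RID falls outside the range
map_sid() {
    sid=$1
    base_id=${2:-$BASE_ID}
    base_rid=${3:-$BASE_RID}
    size=${4:-$RANGE_SIZE}
    [ "$(domain_of "$sid")" = "$DOMAIN_SID" ] || return 1
    rid=$(rid_of "$sid")
    case $rid in
        ''|*[!0-9]*) return 1 ;;     # not a numeric RID
    esac
    offset=$(( rid - base_rid ))
    if [ "$offset" -lt 0 ] || [ "$offset" -ge "$size" ]; then
        return 1
    fi
    printf '%d\n' "$(( base_id + offset ))"
}

# min_range_size SID... : the smallest ipaIDRangeSize (with BASE_RID) that
# covers every RID given, a quick way to size a range before creating it
min_range_size() {
    need=0
    for sid in "$@"; do
        rid=$(rid_of "$sid")
        off=$(( rid - BASE_RID + 1 ))
        if [ "$off" -gt "$need" ]; then
            need=$off
        fi
    done
    printf '%d\n' "$need"
}

# Stand-alone run: a RID inside the default range maps, one past it does not,
# and the same RID maps once the range is made large enough
map_sid "$DOMAIN_SID-1105" || echo "RID 1105: not mapped"
map_sid "$DOMAIN_SID-250000" || echo "RID 250000: outside a range of $RANGE_SIZE"
map_sid "$DOMAIN_SID-250000" "$BASE_ID" "$BASE_RID" 400000
```

The practical check is to compare the highest RID actually issued in the child domain against ipaIDRangeSize before users are created; once a range is in use, enlarging it on the IPA side changes nothing about IDs already cached on clients, so a change of range has to be followed by clearing the SSSD cache on the machines that have seen the old values.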


Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users

2016-06-14 Thread Alexander Bokovoy

On Tue, 14 Jun 2016, David Fischer wrote:
> Alexander,
>
> I am getting the windows admin to refresh our DR AD setup and I should
> be able to give you an idea on some of our groups layouts.
>
> So a quick understanding is that a single user can have 15-20+ groups;
> those groups might have all users in them plus groups. The groups of
> groups can link back to groups that the user may have already been assigned.
> We do know that we have at least one circular group in our environment.
> I have used the 'ignore_group_members' with some success. Ref:
> https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/

That article is what Jakub and I wrote. Jakub may have more suggestions
and there are some improvements in recent SSSD releases in RHEL 7.2.4.

--
/ Alexander Bokovoy



Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users

2016-06-14 Thread David Fischer
Alexander,

I am getting the windows admin to refresh our DR AD setup and I should be able 
to give you an idea on some of our groups layouts.

So a quick understanding is that a single user can have 15-20+ groups; those 
groups might have all users in them plus groups. The groups of groups can link 
back to groups that the user may have already been assigned.
We do know that we have at least one circular group in our environment.
I have used the 'ignore_group_members' with some success. Ref: 
https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/



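The group layout described above (15-20 groups per user, groups of groups, at least one circular group) is the shape that a transitive membership walk has to cope with. The following is an added shell example, not from the thread and not SSSD's code, of that walk: it expands a group's member attribute level by level while remembering which groups it has already entered, so a cycle such as dept-b -> team-c -> dept-b is entered once and then cut off rather than looping forever. The membership data is constructed for the example. Walking the member attribute like this is the per-group work that `ignore_group_members = True` skips: with it set, SSSD still resolves a user's own memberships (what `id` shows) but reports groups as having no members.

```shell
#!/bin/sh
# Added example (not from the thread, not SSSD code): transitive expansion of
# nested group membership with cycle protection. Each line of MEMBERS is
# "group:member"; a member that also appears as a group is expanded in turn.

# Constructed membership data: five levels deep (all-staff > dept-b > team-c >
# proj-d > role-e > bob) with one deliberate cycle, team-c -> dept-b -> team-c.
MEMBERS='all-staff:dept-b
all-staff:carol
dept-b:team-c
dept-b:alice
team-c:dept-b
team-c:proj-d
proj-d:role-e
role-e:bob'

# direct_members GROUP : the members listed directly on GROUP, one per line
direct_members() {
    printf '%s\n' "$MEMBERS" | awk -F: -v g="$1" '$1 == g { print $2 }'
}

# is_group NAME : true when NAME appears on the left of some membership line
is_group() {
    printf '%s\n' "$MEMBERS" | awk -F: -v g="$1" '$1 == g { found = 1 } END { exit !found }'
}

# _walk GROUP : print every member reachable from GROUP. VISITED holds the
# groups already expanded, so a circular or diamond-shaped membership is
# entered once and then cut off; a group inside a cycle ends up listing itself.
_walk() {
    case " $VISITED " in
        *" $1 "*) return 0 ;;
    esac
    VISITED="$VISITED $1"
    for m in $(direct_members "$1"); do
        printf '%s\n' "$m"
        _walk "$m"
    done
    return 0
}

# expand GROUP : the transitive membership of GROUP, each name once, sorted
expand() {
    VISITED=""
    _walk "$1" | LC_ALL=C sort -u
}

# user_members GROUP : the transitive members that are not themselves groups,
# i.e. what a flattened "who is in this group" answer should contain
user_members() {
    expand "$1" | while IFS= read -r m; do
        if ! is_group "$m"; then
            printf '%s\n' "$m"
        fi
    done
}

# Stand-alone run over the constructed data
echo "all-staff expands to: $(expand all-staff | tr '\n' ' ')"
echo "users in all-staff:   $(user_members all-staff | tr '\n' ' ')"
echo "team-c (in a cycle):  $(expand team-c | tr '\n' ' ')"
```

The point of the visited set is that a circular group is not an error for the walk, only a shortcut back into work already done; what makes deep or circular AD groups expensive is the number of LDAP round trips per level, which is why the tuning advice in the linked article is about not fetching members at all rather than about search depth.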


Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users

2016-06-14 Thread Alexander Bokovoy

On Tue, 14 Jun 2016, David Fischer wrote:
> Alexander,
> One of the things I am seeing is that our AD has groups that are 5 deep
> and IPA is not able to enumerate all the groups.  Is there a way to help
> IPA in search depth or scope?

SSSD should be able to handle that. If not, show the logs that
demonstrate specific issues with a model group.

--
/ Alexander Bokovoy



Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users

2016-06-14 Thread David Fischer
Alexander,
One of the things I am seeing is that our AD has groups that are 5 deep and IPA 
is not able to enumerate all the groups.  Is there a way to help IPA in search 
depth or scope?



Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users

2016-06-13 Thread David Fischer
-Original Message-
From: Alexander Bokovoy <aboko...@redhat.com>
To: David Fischer <dfisc...@petsmart.com>
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users
Date: Mon, 13 Jun 2016 12:07:29 -0700

> On Mon, 13 Jun 2016, David Fischer wrote:
> > Could anyone help direct me to a place to start looking for why lookups are
> > slow and passwords are not being allowed?
>
> Start with https://fedorahosted.org/sssd/wiki/Troubleshooting


Alexander,

Thanks, I am already running through this guide.

One of the things that is happening is I can create a user with min groups and 
that account is able to log in.  So I am adding groups that other users have one 
at a time to see what affects this.





Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users

2016-06-13 Thread Alexander Bokovoy

On Mon, 13 Jun 2016, David Fischer wrote:
> (Note: versions below)
>
> All,
> I am getting password failures for accounts coming from a sub-AD domain.
> I originally was not able to do 'getent' lookups of random users or groups and
> found that it was timing out during ldap scan. I upped the timeout on the 'IPA
> Configuration' tab in the web interface and this solved the 'getent' issue.
> Now I am able to do 'getent passwd' on all users in a sub-AD domain.
>
> My new problem is that I am now unable to use a password to log in.  If I grab a
> kerberos ticket I am able to just ssh into any IPA unix system, but it fails when
> trying to do a password lookup.
>
> The layout of systems is as follows:
>
> 1) forest domain with no users or groups
> 2) child domain with all users and groups.
> 3) IPA Realm/Domain trusted to forest domain
>
> All users are in a sub-OU below the top of the domain in an OU called Users.
> There are about 11K users in this OU, but lookups seem really slow.
>
> I have added to sssd.conf the following
> 1) lookup_family_order = ipv4_only
> 2) ignore_group_members=True
> 3) ldap_purge_cache_timeout=0
> 4) subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
> 5) debug_level=9
>
> Could anyone help direct me to a place to start looking for why lookups are
> slow and passwords are not being allowed?

Start with https://fedorahosted.org/sssd/wiki/Troubleshooting
--
/ Alexander Bokovoy



[Freeipa-users] IPA - Password time outs / failures on trusted AD Users

2016-06-13 Thread David Fischer
(Note: versions below)

All,
I am getting password failures for accounts coming from a sub-AD domain.
I originally was not able to do 'getent' lookups of random users or groups and 
found that it was timing out during ldap scan. I upped the timeout on the 'IPA 
Configuration' tab in the web interface and this solved the 'getent' issue.  
Now I am able to do 'getent passwd' on all users in a sub-AD domain.

My new problem is that I am now unable to use a password to log in.  If I grab a 
kerberos ticket I am able to just ssh into any IPA unix system, but it fails when 
trying to do a password lookup.

The layout of systems is as follows:

1) forest domain with no users or groups
2) child domain with all users and groups.
3) IPA Realm/Domain trusted to forest domain

All users are in a sub-OU below the top of the domain in an OU called Users.  
There are about 11K users in this OU, but lookups seem really slow.

I have added to sssd.conf the following
1) lookup_family_order = ipv4_only
2) ignore_group_members=True
3) ldap_purge_cache_timeout=0
4) subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
5) debug_level=9

Could anyone help direct me to a place to start looking for why lookups are 
slow and passwords are not being allowed?

Thanks,




