Re: [Freeipa-users] Unable to resolve AD users from IPA clients

2017-01-05 Thread Jakub Hrozek
On Wed, Jan 04, 2017 at 04:19:04PM +0100, Jan Karásek wrote:
> Hi, 
> thank you for help. 
> 
> I have tried to add 
> 
> subdomain_inherit = ignore_group_members 
> ignore_group_members = True 
> 
> into sssd.conf on server but problem still persists. 
> 
> >By the way, did you install 7.3 cleanly or did you upgrade? 
> It has been upgraded. 
> 
> >Did you ever remove the cache post-upgrade on the server? 
> Yes I did it a couple of times both on server and client 
> 
> I found out that when the client returns a value from id it differs from the id output on 
> the server: 

I'm sorry but I would need to see the whole logs to give a qualified
answer, really. Could you please remove or invalidate the caches on the
server and the client, then run:
date; id tst99...@example.com; date
and then attach or send directly to me the logs from both the server and
the client so I can match the logs with the date timestamps?

Feel free to obfuscate the domain, user and group names in the logs.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
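As an added example (not code from the thread or from the SSSD project), the following Python helper does the matching step the reply above asks for: after the caches are cleared and `date; id user@domain; date` has been run, it keeps only the sssd log lines whose timestamps fall between the two `date` outputs, from both the server and the client log. The log lines, user and domain below are constructed placeholders; the helper assumes SSSD's default `(Wed Jan  4 16:19:04 2017)` log timestamp format, `date` output in the C locale, and that server and client share a timezone and synchronized clocks.

```python
"""Slice SSSD debug logs to the window between two `date` stamps.

Added example, not part of the mailing-list thread. Assumes:
  * sssd log lines start with "(Day Mon DD HH:MM:SS YYYY)",
  * `date` was run in the C locale ("Wed Jan  4 16:19:04 CET 2017"),
  * server and client clocks are in sync and in the same timezone.
"""
import re
from datetime import datetime

# SSSD prefixes each log line with "(Wed Jan  4 16:19:04 2017)"; note the
# double space before a single-digit day, hence \s+ in the pattern.
_TS_RE = re.compile(r"^\((\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\)")


def parse_sssd_timestamp(line):
    """Return the datetime of an sssd log line, or None for a continuation line."""
    m = _TS_RE.match(line)
    if not m:
        return None
    normalized = " ".join(m.group(1).split())
    return datetime.strptime(normalized, "%a %b %d %H:%M:%S %Y")


def parse_date_output(text):
    """Parse default `date` output; the timezone field (index 4) is dropped."""
    parts = text.split()
    return datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")


def lines_in_window(log_lines, start, end):
    """Keep lines whose timestamp lies in [start, end].

    Continuation lines without a timestamp (multi-line debug output)
    inherit the timestamp of the preceding line.
    """
    selected = []
    current = None
    for line in log_lines:
        ts = parse_sssd_timestamp(line)
        if ts is not None:
            current = ts
        if current is not None and start <= current <= end:
            selected.append(line)
    return selected


def correlate(server_log, client_log, date_before, date_after):
    """Return the server and client lines that fall inside the id(1) window."""
    start = parse_date_output(date_before)
    end = parse_date_output(date_after)
    return {
        "server": lines_in_window(server_log, start, end),
        "client": lines_in_window(client_log, start, end),
    }


# Constructed sample data: the two `date` stamps around the id(1) call and a
# few lines from each host. Domain, user and message text are placeholders.
DATE_BEFORE = "Wed Jan  4 16:19:04 CET 2017"
DATE_AFTER = "Wed Jan  4 16:19:40 CET 2017"

CLIENT_LOG = [
    "(Wed Jan  4 16:10:00 2017) [sssd[be[vs.example.com]]] earlier request, outside window",
    "(Wed Jan  4 16:19:05 2017) [sssd[be[vs.example.com]]] request for user@example.com",
    "(Wed Jan  4 16:19:35 2017) [sssd[be[vs.example.com]]] reply from server",
    "    continuation line without its own timestamp",
    "(Wed Jan  4 16:20:10 2017) [sssd[be[vs.example.com]]] later request, outside window",
]

SERVER_LOG = [
    "(Wed Jan  4 16:19:06 2017) [sssd[be[vs.example.com]]] lookup in cen.example.com",
    "(Wed Jan  4 16:19:30 2017) [sssd[be[vs.example.com]]] storing group members",
    "(Wed Jan  4 16:21:00 2017) [sssd[be[vs.example.com]]] unrelated later entry",
]


def example():
    """Run the correlation on the constructed sample; used by the test below."""
    return correlate(SERVER_LOG, CLIENT_LOG, DATE_BEFORE, DATE_AFTER)


if __name__ == "__main__":
    result = example()
    for host in ("server", "client"):
        print(f"--- {host} lines inside the id(1) window ---")
        print("\n".join(result[host]))
```

In practice the two lists would be read from `/var/log/sssd/sssd_<domain>.log` on each host after `sss_cache -E` was run on both; the continuation-line handling matters because sssd at higher debug levels prints multi-line LDAP entries that would otherwise be dropped from the slice. If the hosts are in different timezones, run `date +%s` instead and compare against epoch seconds.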


Re: [Freeipa-users] Unable to resolve AD users from IPA clients

2017-01-03 Thread Jakub Hrozek
On Tue, Jan 03, 2017 at 03:39:19PM +0100, Jan Karásek wrote:
> Hi, 
> 
> I have trouble with resolving AD users from my IPA clients. 
> 
> Environment: 2x IPA server with trust into AD - both IPA servers and clients 
> running latest rhel 7.3. 
> 
> IPA domain: vs.example.com 
> AD domain: example.com, cen.example.com 
> 
> All tstx users are in cen.example.com but their UPN is set to 
> tstxx...@example.com 
> 
> I can run id and getent passwd commands without problem from both IPA 
> servers: 
> 
> id tst99...@example.com 
> uid=20018(tst99...@cen.example.com) gid=5001(csunix) 
> groups=5001(csunix),93008(final_test_group) 
> 
> getent tst99...@example.com 
> tst99...@cen.example.com:*:20018:5001:ipa_test:/home/cen.example.com/tst99655:/bin/bash
>  
> 
> But from client: 
> 
> root@trh7clnt02:~# id tst99...@example.com 
> id: tst99...@example.com: no such user 
> root@trh7clnt02:~# getent passwd tst99...@example.com 
> ... no reply 
> 
> 
> But when I run on client: 
> getent group csu...@cen.example.com - it takes more than 30s 
> csu...@cen.example.com:*:5001:  and really long list of users 
> 
> Then again from client: 
> 
> root@trh7clnt02:~# id tst99...@example.com 
> uid=20018(tst99...@cen.example.com) gid=5001(csunix) groups=5001(csunix) 
> 
> root@trh7clnt02:~# getent passwd tst99...@example.com 
> tst99...@cen.example.com:*:20018:5001:ipatest:/home/cen.example.com/tst99655:/bin/bash
>  
> 
> This time it works and it keeps working until I clean the sssd cache on 
> client. Then I have to run that getent group csunix command again. 
> 
> I would say it is some timeout issue with enumerating csunix group. I have 
> tried to fix it by adding: 
> 
> ldap_search_timeout = 50 

I don't think this would be related to the searches timing out but
probably parsing and storing the entries on the server and the client.

Could you try adding this on the server side's sssd.conf?

[domain/domname]
subdomain_inherit = ignore_group_members
ignore_group_members = True

By the way, did you install 7.3 cleanly or did you upgrade? And if you
upgraded, did you ever remove the cache post-upgrade on the server?

There have been some improvements related to performance in 7.3 and even
more are coming in 7.4.
