On Sun, Feb 05, 2017 at 03:17:28AM -0000, [email protected] wrote:
> Hi,
>
> I'm in an environment with several AD sites, each with a DC. When remote
> sites' DCs are unreachable because of a VPN outage, I'm not able to complete
> password authentication with sudo.
>
> Does sssd_krb5_locator_plugin.so work with sssd-ad?
Yes, it should.
> Do I need to put anything in krb5.conf to activate it?
No, should be automatic. Does the file the locator plugin writes
(/var/lib/sss/pubconf/kdcinfo.$REALM) contain an address from the right
DC?
> I can see ldap_child is trying to connect on port 88 to all the wrong DCs
> when I enter a password in sudo. In the logs I see "[krb5_auth_done]
> (0x0100): Backend is marked offline, retry later!".
>
> I'm using sss_ssh_authorizedkeys to log in, so password authentication isn't
> involved until I sudo. To get this far I had to set dns_resolver_timeout = 30
> under [domain/mydomain] in sssd.conf. Before that, AD site discovery was
> failing; it would look up the DCs, time out after 6 seconds connecting to one
> of the remote DCs by LDAP, and mark the domain as offline.
>
> I also had to set ad_gpo_access_control = disabled; gpo_child was trying to
> connect to the wrong DCs on port 88.
I have two more questions:
1) does this still happen if you try to pin the client to the
correct site with ad_site?
2) are you sure the slowdown is because of Kerberos? IOW, is kinit
also slow? (Because of the locator plugin, kinit should use the same
server as sssd.)
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
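The check suggested in the reply, as an added example that is not part of the thread or of sssd itself: read the kdcinfo file the locator plugin writes and confirm every entry is a DC of the local site, so a VPN outage to remote sites cannot stall kinit or sudo. It assumes the kdcinfo file holds one address or address:port per line and that the admin supplies the list of local-site DC addresses; the sample files and addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the sssd project). Assumption: the
# file /var/lib/sss/pubconf/kdcinfo.$REALM contains one "address" or
# "address:port" per line (IPv4 shown; the port strip below is IPv4-only).

# Print the host part of every non-empty line in a kdcinfo file.
kdcinfo_hosts() {
    # $1 = path to the kdcinfo file
    sed -e 's/[[:space:]]//g' -e '/^$/d' -e 's/:[0-9]*$//' "$1"
}

# Return 0 if every host in the kdcinfo file is one of the expected DCs,
# 1 if any entry points at a DC outside the list (e.g. a remote site),
# 2 if the file is missing or empty (the locator plugin wrote nothing).
kdcinfo_matches_site() {
    # $1 = kdcinfo file, $2 = space-separated list of local-site DC addresses
    file=$1
    expected=" $2 "
    [ -s "$file" ] || return 2
    rc=0
    for host in $(kdcinfo_hosts "$file"); do
        case "$expected" in
            *" $host "*) ;;
            *) echo "kdcinfo entry $host is not a DC of this site" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample data (not real infrastructure): two local-site DCs,
# one kdcinfo file that is correct and one that points at a remote DC.
LOCAL_SITE_DCS="10.1.0.10 10.1.0.11"
SAMPLE_GOOD=$(mktemp)
printf '10.1.0.10:88\n' > "$SAMPLE_GOOD"
SAMPLE_BAD=$(mktemp)
printf '10.1.0.10:88\n10.9.0.5\n' > "$SAMPLE_BAD"

# Typical use on a real host (realm name is a placeholder):
#   kdcinfo_matches_site /var/lib/sss/pubconf/kdcinfo.EXAMPLE.COM "$LOCAL_SITE_DCS"
```

If the check fails, pinning the client with `ad_site` in the `[domain/...]` section of sssd.conf and timing `kinit` against the listed address are the two follow-ups the reply asks about.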