Thanks for the reply,
I have tried using the options timeout:2 which seems to be not taking any
effect, as the SSH logins are still taking 10 seconds, ( 5 seconds timeout
* 2 attempts) ./etc/resolv.conf file.
I looked into the timeouts link, and i have SSSD version 1.16.2-13
installed on my machine. The only timeouts that are matching
are dns_resolver_op_timeout and dns_resolver_timeout out of the four
mentioned in the link.
The following is showing up on the man page of sssd-ad on my machine.
"
dns_resolver_op_timeout
How long would SSSD talk to a single DNS server.
dns_resolver_op_timeout
How long would SSSD try to resolve a failover service. This
service resolution internally might include several steps, such as
resolving DNS SRV queries or locating the site.
"
So what are default values they are set to right now in my verison, how can
I find out? Are the default values for dns_resolver_op_timeout and
dns_resolver_op_timeout respectively.set to 2 and 4 seconds respectively?
Should I increase or lower values, I don't want it timeout early.
Are there any other ways to solve this problem?
Thank you
Abhishek Deb
On Fri, Oct 18, 2019 at 3:08 AM Sumit Bose <[email protected]> wrote:
> On Thu, Oct 17, 2019 at 04:23:11PM -0400, Abhisheyk Deb wrote:
> > Hi.
> >
> > We have the following setup, CentOS machines which are running 7.3
> version
> > and we want them to use active directory users for SSH Logins.
> >
> > The domain ad.example.com which we want to use, has two domain
> controllers
> > with IP addresses of 10.1.2.1 and 10.1.2.2, and both have DNS Servers
> > installed on them.
> >
> > We have the following in the /etc/resolv.conf
> >
> > search ad.example.com
> > nameserver 10.1.2.1
> > nameserver 10.1.2.2
> >
> > We were able to do a join by using the following command:
> > realm join ad.example.com
> >
> > The computer objects are getting created in both domain controllers.
> >
> > The SSH Logins for the active directory users are also working without
> any
> > issues.
> >
> > The /etc/sssd/sssd.conf file is as follows:
> > [sssd]
> > domains = ad.example.com
> > config_file_version = 2
> > services = nss, pam
> >
> > [pam]
> > offline_credentials_expiration = 1
> >
> > [domain/ad.example.com]
> > ad_domain = ad.example.com
> > krb5_realm = ad.example.com
> > realmd_tags = manages-system joined-with-samba
> > cache_credentials = True
> > id_provider = ad
> > krb5_store_password_if_offline = True
> > default_shell = /bin/bash
> > ldap_id_mapping = True
> > use_fully_qualified_names = False
> > access_provider = ad
> > override_homedir = /user/%u
> > account_cache_expiration = 1
> > entry_cache_timeout = 180
> >
> > But when we put the first domain controller down (10.1.2.1) which is the
> > first nameserver in /etc/resolv.conf. SSSD is not trying the second
> domain
> > controller (10.1.2.2) at all because when we login, we see the following
> > message
> >
> > "Authenticated with cached credentials, your cached password will expire
> > at: Fri Oct 18 19:47:42 2019."
> >
> > And we are able to ping 10.1.2.2 and the command
> > nslookup ad.example.com also gives the following output
> >
> > Server: 10.1.2.2
> > Address: 10.1.2.2#53
> >
> > Name: ad.example.com
> > Address: 10.1.2.1
> > Name: ad.example.com
> > Address: 10.1.2.2
> >
> > And we have not added any option for ad_server or ad_backup_server in our
> > sssd.conf file which I am assuming means that autodiscovery is turned on
> by
> > default.
> >
> > So should the /etc/resolv.conf only have one nameserver entry, and SSSD
> > only reads that, which means the main domain controller needs to running
> > always.
> >
> > What I mainly want to know is that even if one of the Domain Controllers
> > are down and SSSD was using it as the primary domain controller for
> > authentication requests, can it not fallback to using some other domain
> > controllers in the AD Domain.
> >
> > How can tweak my sssd.conf file for the use case that I want.
>
> Hi,
>
> there are various timeouts involved here and in your version of SSSD they
> might not be well aligned.
>
> What oyu can try as a first step is to lower the timeout in
> /etc/resolv.conf to e.g. 2s with
>
> options timeout:2
>
> (I hope SSSD's resolve will pick this value as well). The default here
> is 5s and many of the LDAP related timeouts SSSD is using are 6s. So it
> might be that waiting for a DNS reply just takes too long so the SSSD
> already switches to the offline mode before the second server can be
> tried.
>
> For a discussion about the involved SSSD timeouts see
> https://github.com/SSSD/sssd/pull/636. Please note that not all options
> might be available in sour version of SSSD.
>
> bye,
> Sumit
>
> >
> > If somebody can give me some advice on this, it would be really helpful,
> >
> > Thank you
> > Abhishek Deb
>
> > _______________________________________________
> > sssd-users mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> > Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
>
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
