[Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

Alexander Bokovoy abokovoy at redhat.com
Fri Apr 3 10:45:07 UTC 2015


On Fri, 03 Apr 2015, Bobby Prins wrote:
>>> On Mar 24, 2015, at 17:11, Dmitri Pal <dpal at redhat.com> wrote:
>>>
>>> Seems like 15 sec timeout on the AIX side.
>>> Can you try with a user that does not have that many groups and see if that works?
>>> If it does then we should assume it is an AIX side timeout and focus on making sure the data gets over to IPA within this timeout.
>>I need to do some more testing. Did not have a lot of time today, but I tried to authenticate with an AD user against the compat tree using a Linux client with pam_ldap. I was able to log in but this would take up to a minute or so. I’m still waiting for my AD test account with lesser group memberships.
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
>>>
>So I finally found some time to do extra tests. I now have an AD
>account with lesser group memberships which seems to speed up the login
>process (with Linux LDAP auth against the compat tree), but still no
>success on AIX. Did some more digging and it looks like AIX invalidates
>the user before it even is authenticated. The output below shows the
>lookup that is performed after I enter the username and press enter
>(before entering the password).
>
>access:
>[03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from 192.168.140.107 to 192.168.140.133
>[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 version=3
>[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
>[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins at example.corp))" attrs=ALL
>[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1 etime=0
>[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins))" attrs=ALL
>[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0 etime=0
Above there are two lookups:

- a successful lookup for user bprins@example.corp
- an unsuccessful lookup for user bprins

What is causing it to perform a lookup without @example.corp? The compat
tree presents AD users fully qualified; that is the only way it knows to
trigger a lookup via SSSD on the IPA master for these users (because
non-fully-qualified users are already in the IPA LDAP tree and are copied
to the compat tree automatically).
-- 
/ Alexander Bokovoy
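The pairing of the two SRCH operations with their RESULT lines is what makes the diagnosis above possible: same conn, consecutive ops, one filter with a fully qualified uid returning nentries=1 and one with a bare uid returning nentries=0. The script below is an added example, not code from the thread or from FreeIPA or 389-ds, that automates that correlation on a 389-ds access log. The sample log is constructed from the lines quoted in the thread, with the "@" that the list archive rewrote as " at " restored; the record field names (uid, qualified, secs_after_bind) are this example's own.

```python
"""Correlate SRCH/RESULT pairs in a 389-ds access log and flag lookups
that use an unqualified uid and return no entries (the pattern in the thread)."""
import re
from datetime import datetime

# Constructed sample, taken from the log lines quoted in the thread; "@" is
# restored where the list archive had replaced it with " at ".
SAMPLE_LOG = """\
[03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from 192.168.140.107 to 192.168.140.133
[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 version=3
[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins@example.corp))" attrs=ALL
[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins))" attrs=ALL
[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0 etime=0
"""

# One access-log line carrying an operation: timestamp, conn, op, kind, rest.
OP_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<rest>.*)$')
UID_RE = re.compile(r'\(uid=(?P<uid>[^)]*)\)')   # uid clause inside the search filter
NENTRIES_RE = re.compile(r'\bnentries=(\d+)')
ERR_RE = re.compile(r'\berr=(\d+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"                   # 03/Apr/2015:11:58:47 +0200


def parse_ts(ts):
    return datetime.strptime(ts, TS_FMT)


def correlate(log_text):
    """Return one record per SRCH, joined with the RESULT of the same conn/op.

    The BIND time of each connection is kept so that the delay between the
    bind and each search can be reported (relevant when a client-side
    timeout is suspected, as in the thread)."""
    bind_ts = {}     # conn -> timestamp of its BIND
    pending = {}     # (conn, op) -> search record waiting for its RESULT
    searches = []
    for line in log_text.splitlines():
        m = OP_RE.match(line)
        if not m:
            continue     # connection-open lines and anything else without op=
        conn, op, kind, rest = m['conn'], m['op'], m['kind'], m['rest']
        ts = parse_ts(m['ts'])
        if kind == 'BIND':
            bind_ts[conn] = ts
        elif kind == 'SRCH':
            uid_m = UID_RE.search(rest)
            uid = uid_m['uid'] if uid_m else None
            pending[(conn, op)] = {
                'conn': conn, 'op': int(op), 'ts': ts, 'uid': uid,
                # Compat-tree AD users are only reachable fully qualified.
                'qualified': bool(uid and '@' in uid),
                'secs_after_bind': (ts - bind_ts[conn]).total_seconds()
                if conn in bind_ts else None,
            }
        elif kind == 'RESULT' and (conn, op) in pending:
            rec = pending.pop((conn, op))
            rec['err'] = int(ERR_RE.search(rest)[1])
            rec['nentries'] = int(NENTRIES_RE.search(rest)[1])
            searches.append(rec)
    return searches


def unqualified_misses(searches):
    """Searches for a bare (unqualified) uid that matched nothing."""
    return [s for s in searches if not s['qualified'] and s['nentries'] == 0]


if __name__ == '__main__':
    found = correlate(SAMPLE_LOG)
    for s in found:
        print(f"conn={s['conn']} op={s['op']} uid={s['uid']!r} qualified={s['qualified']} "
              f"nentries={s['nentries']} secs_after_bind={s['secs_after_bind']}")
    for s in unqualified_misses(found):
        print(f"unqualified miss: uid={s['uid']!r} on conn={s['conn']} op={s['op']}")
```

Run against a real access log, the script will also expose the other question raised in the thread: the delay between the client's BIND and its first search (17 seconds in the quoted lines) is printed per search, so a client that gives up after a fixed timeout can be matched against the server-side timing.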