[Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

Alexander Bokovoy abokovoy at redhat.com
Fri Apr 3 12:26:17 UTC 2015


On Fri, 03 Apr 2015, Bobby Prins wrote:
>>----- Original message -----
>>From: "Alexander Bokovoy" <abokovoy at redhat.com>
>>To: "Bobby Prins" <bobby.prins at proxy.nl>
>>Cc: dpal at redhat.com, freeipa-users at redhat.com
>>Sent: Friday, 3 April 2015 12:45:07
>>Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
>>
>>On Fri, 03 Apr 2015, Bobby Prins wrote:
>>>>> On Mar 24, 2015, at 17:11, Dmitri Pal <dpal at redhat.com> wrote:
>>>>>
>>>>> Seems like 15 sec timeout on the AIX side.
>>>>> Can you try with a user that does not have that many groups and see if that works?
>>>>> If it does then we should assume it is an AIX side timeout and focus on making sure the data gets over to IPA within this timeout.
>>>>I need to do some more testing.. Did not have a lot of time today, but I tried to authenticate with an AD user against the compact tree using a Linux client with pam_ldap. I was able to log in but this would take up to a minute or so. I’m still waiting for my AD test account with lesser group memberships.
>>>>>
>>>>> --
>>>>> Thank you,
>>>>> Dmitri Pal
>>>>>
>>>>> Sr. Engineering Manager IdM portfolio
>>>>> Red Hat, Inc.
>>>>>
>>>So I finally found some time to do extra tests. I now have an AD
>>>account with lesser group memberships which seems to speed up the login
>>>process (with Linux LDAP auth against the compat tree), but still no
>>>success on AIX. Did some more digging and it looks like AIX invalidates
>>>the user before it even is authenticated. The output below shows the
>>>lookup that is performed after I enter the username and press enter
>>>(before entering the password).
>>>
>>>access:
>>>[03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from 192.168.140.107 to 192.168.140.133
>>>[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 version=3
>>>[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
>>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins at example.corp))" attrs=ALL
>>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1 etime=0
>>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins))" attrs=ALL
>>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0 etime=0
>>Above there are two lookups:
>>
>>- successful lookup for user bprins at example.corp
>>- unsuccessful lookup for user bprins
>>
>>What is causing a lookup without @example.corp to be performed? The compat
>>tree presents AD users fully qualified; that is the only way it knows to
>>trigger a lookup via SSSD on the IPA master for these users (because
>>non-fully-qualified users are already in the IPA LDAP tree and are copied
>>to the compat tree automatically).
>This seems to be (standard?) behaviour of the AIX LDAP client. Did some
>more tests with different accounts and always see the two lookups. I
>doubt if I can influence that..
No, this is not standard -- I haven't seen such behavior when testing
FreeIPA with AIX last autumn.
-- 
/ Alexander Bokovoy