[Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

Dmitri Pal dpal at redhat.com
Tue Mar 24 13:44:42 UTC 2015


On 03/24/2015 09:01 AM, Bobby Prins wrote:
>> ----- Original message -----
>> From: "Alexander Bokovoy" <abokovoy at redhat.com>
>> To: "Bobby Prins" <bobby.prins at proxy.nl>
>> Cc: dpal at redhat.com, freeipa-users at redhat.com
>> Sent: Monday, 23 March 2015 16:44:47
>> Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
>>
>> ...
>>
>> Can you show relevant parts of /var/log/dirsrv/slapd-EXAMPLE-CORP/access
>> and sssd logs from IPA master (with debug_level = 10) at least in
>> [domain], [nss], and [pam] sections.
>>
>> You need to filter dirsrv logs by connection coming from AIX IP address
>> and then by conn=<number> where number is the same number as the one
>> with IP address line.
>>
>> When authenticating, AIX would talk to IPA LDAP server to compat tree
>> and slapi-nis plugin which serves compat tree would do PAM
>> authentication as service system-auth where SSSD on IPA master will do
>> the actual authentication work.
>>
>> -- 
>> / Alexander Bokovoy
> Here you can see the DS connection from AIX:
> [24/Mar/2015:12:53:19 +0100] conn=96 fd=110 slot=110 connection from 192.168.140.107 to 192.168.140.133
> [24/Mar/2015:12:53:20 +0100] conn=96 op=0 BIND dn="uid=bprins at example.corp,cn=users,cn=compat,dc=unix,dc=example,dc=corp" method=128 version=3
> [24/Mar/2015:12:53:43 +0100] conn=96 op=0 RESULT err=0 tag=97 nentries=0 etime=24 dn="uid=bprins at example.corp,cn=users,cn=compat,dc=unix,dc=example,dc=corp"
> [24/Mar/2015:12:53:43 +0100] conn=96 op=-1 fd=110 closed - B1
>
> As you can see it also takes quite some time to process the login. Could that be a problem?
>
> The SSSD log files are a bit large with debug_level set to 10 and it will take me some time to strip all customer data from it. Any log events in particular you would like to see?
Is the user that you use (bprins at example.corp) a member of many
large groups?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
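
The log filtering described in the quoted message above (pick the connection opened from the AIX client's IP, then follow its conn=<number>), as an added example that is not part of the original thread. The function names, the conn=95 sample lines and the 1-second etime threshold are assumptions made for illustration; the conn=96 lines are the ones quoted in the thread.

```python
import re

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
FROM_RE = re.compile(r'connection from (?P<src>\S+) to (?P<dst>\S+)')
# etime is an integer in older 389-ds logs and fractional in newer ones
ETIME_RE = re.compile(r'op=(?P<op>-?\d+) RESULT err=(?P<err>\d+) .*?\betime=(?P<etime>[\d.]+)')

# conn=96 lines are quoted from the thread; conn=95 lines are constructed noise
SAMPLE_LOG = '''\
[24/Mar/2015:12:53:18 +0100] conn=95 fd=109 slot=109 connection from 192.168.140.50 to 192.168.140.133
[24/Mar/2015:12:53:19 +0100] conn=96 fd=110 slot=110 connection from 192.168.140.107 to 192.168.140.133
[24/Mar/2015:12:53:20 +0100] conn=96 op=0 BIND dn="uid=bprins at example.corp,cn=users,cn=compat,dc=unix,dc=example,dc=corp" method=128 version=3
[24/Mar/2015:12:53:21 +0100] conn=95 op=0 SRCH base="dc=unix,dc=example,dc=corp" scope=2 filter="(uid=admin)" attrs=ALL
[24/Mar/2015:12:53:21 +0100] conn=95 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[24/Mar/2015:12:53:43 +0100] conn=96 op=0 RESULT err=0 tag=97 nentries=0 etime=24 dn="uid=bprins at example.corp,cn=users,cn=compat,dc=unix,dc=example,dc=corp"
[24/Mar/2015:12:53:43 +0100] conn=96 op=-1 fd=110 closed - B1
'''

def connections_from(lines, client_ip):
    """Group access-log lines by conn number for connections opened from client_ip."""
    tracked, result = set(), {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        conn = int(m['conn'])
        opened = FROM_RE.search(m['rest'])
        if opened:
            # conn numbers restart with the server, so re-check ownership on every open
            if opened['src'] == client_ip:
                tracked.add(conn)
                result.setdefault(conn, [])
            else:
                tracked.discard(conn)
        if conn in tracked:
            result[conn].append(line)
    return result

def slow_results(conn_lines, min_etime=1.0):
    """Return (conn, op, err, etime) for RESULT lines taking at least min_etime seconds."""
    hits = []
    for conn, lines in conn_lines.items():
        for line in lines:
            m = ETIME_RE.search(line)
            if m and float(m['etime']) >= min_etime:
                hits.append((conn, int(m['op']), int(m['err']), float(m['etime'])))
    return hits

if __name__ == "__main__":
    by_conn = connections_from(SAMPLE_LOG.splitlines(), "192.168.140.107")
    for conn, op, err, etime in slow_results(by_conn):
        print(f"conn={conn} op={op} err={err} took {etime:.0f}s")
```

To run it against a real server, pass the lines of /var/log/dirsrv/slapd-EXAMPLE-CORP/access instead of SAMPLE_LOG.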



