[Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

Dmitri Pal dpal at redhat.com
Tue Mar 24 15:08:07 UTC 2015


On 03/24/2015 10:18 AM, Bobby Prins wrote:
>> ----- Original message -----
>> From: "Dmitri Pal" <dpal at redhat.com>
>> To: "Bobby Prins" <bobby.prins at proxy.nl>, "Alexander Bokovoy" <abokovoy at redhat.com>
>> Cc: freeipa-users at redhat.com
>> Sent: Tuesday 24 March 2015 14:44:42
>> Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
>>
>> On 03/24/2015 09:01 AM, Bobby Prins wrote:
>>>> ----- Original message -----
>>>> From: "Alexander Bokovoy" <abokovoy at redhat.com>
>>>> To: "Bobby Prins" <bobby.prins at proxy.nl>
>>>> Cc: dpal at redhat.com, freeipa-users at redhat.com
>>>> Sent: Monday 23 March 2015 16:44:47
>>>> Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
>>>>
>>>> ...
>>>>
>>>> Can you show relevant parts of /var/log/dirsrv/slapd-EXAMPLE-CORP/access
>>>> and sssd logs from IPA master (with debug_level = 10) at least in
>>>> [domain], [nss], and [pam] sections.
>>>>
>>>> You need to filter dirsrv logs by connection coming from AIX IP address
>>>> and then by conn=<number> where number is the same number as the one
>>>> with IP address line.
>>>>
>>>> When authenticating, AIX would talk to IPA LDAP server to compat tree
>>>> and slapi-nis plugin which serves compat tree would do PAM
>>>> authentication as service system-auth where SSSD on IPA master will do
>>>> the actual authentication work.
>>>>
>>>> -- 
>>>> / Alexander Bokovoy
>>> Here you can see the DS connection from AIX:
>>> [24/Mar/2015:12:53:19 +0100] conn=96 fd=110 slot=110 connection from 192.168.140.107 to 192.168.140.133
>>> [24/Mar/2015:12:53:20 +0100] conn=96 op=0 BIND dn="uid=bprins at example.corp,cn=users,cn=compat,dc=unix,dc=example,dc=corp" method=128 version=3
>>> [24/Mar/2015:12:53:43 +0100] conn=96 op=0 RESULT err=0 tag=97 nentries=0 etime=24 dn="uid=bprins at example.corp,cn=users,cn=compat,dc=unix,dc=example,dc=corp"
>>> [24/Mar/2015:12:53:43 +0100] conn=96 op=-1 fd=110 closed - B1
>>>
>>> As you can see it also takes quite some time to process the login. Could that be a problem?
>>>
>>> The SSSD log files are a bit large with debug_level set to 10 and it will take me some time to strip all customer data from it. Any log events in particular you would like to see?
>> Is the user that you use (bprins at example.corp) a member of many
>> large groups?
>>
>> -- 
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
> 53 groups in total ranging from groups with only a couple of users to groups with multiple hundreds of users.
And probably nesting is involved too, right?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
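
The log filtering described in the quoted message above (find the connection line carrying the client's IP address, then follow that conn= number), as an added example that is not part of the original thread. The log excerpt is a constructed sample modelled on the quoted lines, and the function names are hypothetical.

```python
import re
# Constructed sample in 389-DS access-log format, modelled on the lines quoted
# in the thread; conn=95, its client address and both uids are invented.
SAMPLE_LOG = '''\
[24/Mar/2015:12:53:18 +0100] conn=95 fd=109 slot=109 connection from 192.168.140.20 to 192.168.140.133
[24/Mar/2015:12:53:19 +0100] conn=96 fd=110 slot=110 connection from 192.168.140.107 to 192.168.140.133
[24/Mar/2015:12:53:19 +0100] conn=95 op=0 BIND dn="uid=other,cn=users,cn=compat,dc=unix,dc=example,dc=corp" method=128 version=3
[24/Mar/2015:12:53:19 +0100] conn=95 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[24/Mar/2015:12:53:20 +0100] conn=96 op=0 BIND dn="uid=testuser@example.corp,cn=users,cn=compat,dc=unix,dc=example,dc=corp" method=128 version=3
[24/Mar/2015:12:53:43 +0100] conn=96 op=0 RESULT err=0 tag=97 nentries=0 etime=24 dn="uid=testuser@example.corp,cn=users,cn=compat,dc=unix,dc=example,dc=corp"
[24/Mar/2015:12:53:43 +0100] conn=95 op=-1 fd=109 closed - U1
[24/Mar/2015:12:53:43 +0100] conn=96 op=-1 fd=110 closed - B1
'''
LINE = re.compile(r"^\[[^\]]+\] conn=(\d+) (.*)$")
OPENED = re.compile(r"^fd=\d+ slot=\d+ (?:SSL )?connection from (\S+) to \S+")
BIND = re.compile(r'^op=(-?\d+) BIND dn="([^"]*)"')
RESULT = re.compile(r"^op=(-?\d+) RESULT err=(\d+) .*?\betime=([\d.]+)")

def lines_for_client(log_text, client_ip):
    """Find conn numbers opened from client_ip, then keep every line of those conns."""
    tracked = {}  # conn number -> log lines belonging to that connection
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        conn, rest = int(m[1]), m[2]
        opened = OPENED.match(rest)
        if opened and opened[1] == client_ip:
            tracked[conn] = [line]
        elif not opened and conn in tracked:
            tracked[conn].append(line)
    return tracked

def bind_results(tracked):
    """Pair each BIND with its RESULT by op number: (conn, dn, err, etime)."""
    out = []
    for conn, lines in tracked.items():
        pending = {}  # op number -> bind DN still waiting for its RESULT
        for line in lines:
            rest = LINE.match(line)[2]
            if (b := BIND.match(rest)):
                pending[b[1]] = b[2]
            elif (r := RESULT.match(rest)) and r[1] in pending:
                out.append((conn, pending.pop(r[1]), int(r[2]), float(r[3])))
    return out

if __name__ == "__main__":
    for conn, dn, err, etime in bind_results(lines_for_client(SAMPLE_LOG, "192.168.140.107")):
        print(f"conn={conn} err={err} etime={etime}s dn={dn}")
```

Run against the real access file, the same pairing shows the LDAP result code and the etime for each compat-tree bind from the AIX host.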



