[Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

Bobby Prins bobby.prins at proxy.nl
Tue Mar 24 15:23:40 UTC 2015


>----- Original message -----
>From: "Dmitri Pal" <dpal at redhat.com>
>To: "Bobby Prins" <bobby.prins at proxy.nl>
>Cc: "Alexander Bokovoy" <abokovoy at redhat.com>, freeipa-users at redhat.com
>Sent: Tuesday, March 24, 2015 16:08:07
>Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
>
>On 03/24/2015 10:18 AM, Bobby Prins wrote:
>>> ----- Original message -----
>>> From: "Dmitri Pal" <dpal at redhat.com>
>>> To: "Bobby Prins" <bobby.prins at proxy.nl>, "Alexander Bokovoy" <abokovoy at redhat.com>
>>> Cc: freeipa-users at redhat.com
>>> Sent: Tuesday, March 24, 2015 14:44:42
>>> Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
>>>
>>> On 03/24/2015 09:01 AM, Bobby Prins wrote:
>>>>> ----- Original message -----
>>>>> From: "Alexander Bokovoy" <abokovoy at redhat.com>
>>>>> To: "Bobby Prins" <bobby.prins at proxy.nl>
>>>>> Cc: dpal at redhat.com, freeipa-users at redhat.com
>>>>> Sent: Monday, March 23, 2015 16:44:47
>>>>> Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
>>>>>
>>>>> ...
>>>>>
>>>>> Can you show relevant parts of /var/log/dirsrv/slapd-EXAMPLE-CORP/access
>>>>> and sssd logs from IPA master (with debug_level = 10) at least in
>>>>> [domain], [nss], and [pam] sections.
>>>>>
>>>>> You need to filter dirsrv logs by connection coming from AIX IP address
>>>>> and then by conn=<number> where number is the same number as the one
>>>>> with IP address line.
>>>>>
>>>>> When authenticating, AIX would talk to IPA LDAP server to compat tree
>>>>> and slapi-nis plugin which serves compat tree would do PAM
>>>>> authentication as service system-auth where SSSD on IPA master will do
>>>>> the actual authentication work.
>>>>>
>>>>> -- 
>>>>> / Alexander Bokovoy
>>>> Here you can see the DS connection from AIX:
>>>> [24/Mar/2015:12:53:19 +0100] conn=96 fd=110 slot=110 connection from 192.168.140.107 to 192.168.140.133
>>>> [24/Mar/2015:12:53:20 +0100] conn=96 op=0 BIND dn="uid=bprins at example.corp,cn=users,cn=compat,dc=unix,dc=example,dc=corp" method=128 version=3
>>>> [24/Mar/2015:12:53:43 +0100] conn=96 op=0 RESULT err=0 tag=97 nentries=0 etime=24 dn="uid=bprins at example.corp,cn=users,cn=compat,dc=unix,dc=example,dc=corp"
>>>> [24/Mar/2015:12:53:43 +0100] conn=96 op=-1 fd=110 closed - B1
>>>>
>>>> As you can see it also takes quite some time to process the login. Could that be a problem?
>>>>
>>>> The SSSD log files are a bit large with debug_level set to 10 and it will take me some time to strip all customer data from it. Any log events in particular you would like to see?
>>> Is the user that you use (bprins at example.corp) a member of many
>>> large groups?
>>>
>>> -- 
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
>> 53 groups in total ranging from groups with only a couple of users to groups with multiple hundreds of users.
>And probably nesting is involved too, right?
>
>-- 
>Thank you,
>Dmitri Pal
>
>Sr. Engineering Manager IdM portfolio
>Red Hat, Inc.

Yes, that is correct, but the 53 groups include nested memberships.
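The log-filtering procedure Alexander describes above (find the 389-ds access-log connection opened from the AIX address, then pull every line with that conn= number and read the BIND's err= and etime=) as a small script. This is an added example, not code from the thread or from FreeIPA. The sample log is constructed: the conn=96 lines follow the excerpt quoted above (with the list archive's " at " restored to "@" as a real log would have it), and a second, unrelated conn=97 from another client is added to show the filter discarding it. The 5-second "slow" threshold is an assumption for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access log, modelled on the excerpt quoted in the thread.
# The list archive rewrites "@" as " at "; real 389-ds logs contain the "@".
SAMPLE_ACCESS_LOG = """\
[24/Mar/2015:12:53:19 +0100] conn=96 fd=110 slot=110 connection from 192.168.140.107 to 192.168.140.133
[24/Mar/2015:12:53:19 +0100] conn=97 fd=111 slot=111 connection from 192.168.140.50 to 192.168.140.133
[24/Mar/2015:12:53:19 +0100] conn=97 op=0 SRCH base="dc=unix,dc=example,dc=corp" scope=2 filter="(uid=jdoe)" attrs=ALL
[24/Mar/2015:12:53:19 +0100] conn=97 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[24/Mar/2015:12:53:20 +0100] conn=96 op=0 BIND dn="uid=bprins@example.corp,cn=users,cn=compat,dc=unix,dc=example,dc=corp" method=128 version=3
[24/Mar/2015:12:53:43 +0100] conn=96 op=0 RESULT err=0 tag=97 nentries=0 etime=24 dn="uid=bprins@example.corp,cn=users,cn=compat,dc=unix,dc=example,dc=corp"
[24/Mar/2015:12:53:43 +0100] conn=96 op=-1 fd=110 closed - B1
[24/Mar/2015:12:53:44 +0100] conn=97 op=-1 fd=111 closed - U1
"""

# "connection from" line: the only place the client address appears.
CONN_OPEN = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) fd=\d+ slot=\d+ '
    r'(?:SSL )?connection from (?P<src>[0-9A-Fa-f.:]+) to (?P<dst>[0-9A-Fa-f.:]+)'
)
# Every other line of a connection carries only the conn= number.
CONN_LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
OP_NUM = re.compile(r'\bop=(-?\d+)')
ERR_NUM = re.compile(r'\berr=(\d+)')
ETIME = re.compile(r'\betime=([0-9.]+)')   # whole seconds here; newer releases log fractions
BIND_DN = re.compile(r'\bdn="([^"]*)"')


def connections_from(lines, client_ip):
    """Step 1: conn numbers of every connection opened from client_ip."""
    conns = set()
    for line in lines:
        m = CONN_OPEN.match(line)
        if m and m.group("src") == client_ip:
            conns.add(int(m.group("conn")))
    return conns


def lines_for_connections(lines, conns):
    """Step 2: every line (open, operations, results, close) of those conns."""
    grouped = defaultdict(list)
    for line in lines:
        m = CONN_LINE.match(line)
        if m and int(m.group("conn")) in conns:
            grouped[int(m.group("conn"))].append(line)
    return dict(grouped)


def summarize_binds(lines, client_ip, slow_seconds=5.0):
    """Pair each BIND on the client's connections with its RESULT.

    Returns one record per completed BIND with the bound DN, the LDAP
    result code (err=) and the server-side elapsed time (etime=), plus a
    'slow' flag when etime exceeds slow_seconds (threshold is an assumption).
    """
    grouped = lines_for_connections(lines, connections_from(lines, client_ip))
    records = []
    for conn, conn_lines in sorted(grouped.items()):
        pending = {}  # op number -> DN of a BIND still waiting for its RESULT
        for line in conn_lines:
            rest = CONN_LINE.match(line).group("rest")
            op_m = OP_NUM.search(rest)
            if op_m is None:
                continue  # the "connection from" line carries no op=
            op = int(op_m.group(1))
            if " BIND " in rest:
                dn_m = BIND_DN.search(rest)
                pending[op] = dn_m.group(1) if dn_m else ""
            elif " RESULT " in rest and op in pending:
                err = int(ERR_NUM.search(rest).group(1))
                etime = float(ETIME.search(rest).group(1))
                records.append({
                    "conn": conn,
                    "op": op,
                    "dn": pending.pop(op),
                    "err": err,
                    "etime": etime,
                    "slow": etime > slow_seconds,
                })
    return records


if __name__ == "__main__":
    for rec in summarize_binds(SAMPLE_ACCESS_LOG.splitlines(), "192.168.140.107"):
        print(rec)
```

Run it against the real file with `open('/var/log/dirsrv/slapd-EXAMPLE-CORP/access')` in place of the sample. A rejected password would show up as a non-zero err= on the BIND's RESULT; the case in this thread is the opposite, err=0 with etime=24, so the next place to look is the SSSD [pam] and [domain] logs for what happens between the slapi-nis PAM call and the reply. Note that conn= numbers restart from the beginning when the directory server restarts, so restrict the search to the time window of the login when a rotated log spans a restart.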




More information about the Freeipa-users mailing list