[Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

Jakub Hrozek jhrozek at redhat.com
Fri Jul 15 15:22:41 UTC 2016


On Fri, Jul 15, 2016 at 02:04:43PM +0000, Sullivan, Daniel [AAA] wrote:
> Hi,
> 
> Changing pam_id_timeout = 60 and krb5_auth_timeout = 60 on the client in conjunction with enabling tmpfs caching for /var/lib/sss/db on the DC appears to have helped significantly.  

pam_id_timeout and krb5_auth_timeout are only applied during login, not
when id is invoked. So I think the piece that helped in your environment
was the tmpfs on the server.

Still, I think there are two issues:
    1) why does the s2n operation fail at all? We should look into the
    server logs around the time the s2n operation fails to find the
    reason

    2) why doesn't sssd on the client return cached data if the s2n
    request fails? See my other mail, I'm interested if the data was
    cached from a previous lookup.



