[Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

Jakub Hrozek jhrozek at redhat.com
Mon Jul 18 08:19:10 UTC 2016


On Fri, Jul 15, 2016 at 04:35:54PM +0000, Sullivan, Daniel [AAA] wrote:
> 
> Jakub,
> 
> Thank you for replying to me.  Before I forget I will say that I am still on sssd 1.13 on the domain controller; I didn’t upgrade it because I haven’t had any problems logging into that system yet.  That being said:
> 
> Thank you, but did this command return "No such user"?
> 
> Yes.  Whenever this occurs "No such user" is the result from the id command executed on the client.
> 
> If it did, was the user cached previously (iow, was there a successful
> lookup before)?
> 
> No, this is the first time the user has ever been looked up.  As far as I know the user has never been successfully entered into the cache.  Similarly, the user has never logged in to the IPA server via an SSSD client.

Ah, thank you, if the user has not been cached before, then it's
expected that the lookup has nothing to fall back to if the client fails
to look up information from the server.

> 
> Here is an example of a failed lookup from a client:
> 
> [root@cri-kcriwebgdp1 problem]# id hahsan
> id: hahsan: No such user
> 
> The DC logs for this operation are
> NSS - https://gist.github.com/dsulli99/01715234efab09772e8236a13e4f4ef5
> IPA - https://gist.github.com/dsulli99/f3cc92d7c32061fd4676a83a039c31b1

Thank you, I see that there are quite a lot of groups and the lookup
takes a bit of time. I wonder if any of the groups the user is a member
of are large?

If yes (and since moving the cache to tmpfs had helped), I wonder if
also using ignore_group_members would mitigate the issue further, like
this:

subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = True
ldap_purge_cache_timeout = 0

These would go into the domain section on the server itself.
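As an added illustration (not part of the original mail and not configuration shipped by the SSSD or FreeIPA projects), here is how those three options sit inside the server-side domain section. The domain name ipa.example.com, the server name ipa1.ipa.example.com and the AD forest ad.example.com are assumptions for the example, not names from this thread; the other settings in the section are the usual ones written by ipa-server-install on an IPA server.

```ini
# /etc/sssd/sssd.conf on the IPA server (added example; domain names assumed)
[sssd]
services = nss, pam, ssh, sudo
domains = ipa.example.com

[domain/ipa.example.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = ipa.example.com
ipa_server = ipa1.ipa.example.com
ipa_hostname = ipa1.ipa.example.com
ipa_server_mode = True
cache_credentials = True

# Options in this section apply to the IPA domain itself. The trusted AD
# forest (ad.example.com, assumed) is handled by SSSD as a subdomain, so
# subdomain_inherit lists the options that must also apply there.
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout

# Do not pull member lists when resolving groups. "id <aduser>" still
# resolves the user's groups through initgroups, but
# "getent group <adgroup>" will show the group with no members.
ignore_group_members = True

# Disable SSSD's periodic cache cleanup task.
ldap_purge_cache_timeout = 0
```

Without the subdomain_inherit line the two options would change behaviour only for IPA users, not for the AD users the thread is about, so it is the line most easily forgotten. After editing, restart sssd and invalidate the existing cache (sss_cache -E) so that the next "id" lookup exercises the new settings rather than stale entries; expect "getent group" on AD groups to come back empty from then on, which is the trade-off ignore_group_members makes.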
