[Freeipa-users] IPA - Password time outs / failures on trusted AD Users

Alexander Bokovoy abokovoy at redhat.com
Mon Jun 13 19:07:29 UTC 2016


On Mon, 13 Jun 2016, David Fischer wrote:
>(Note: versions below)
>
>All,
>I am getting password failures for accounts coming from a sub-AD domain.
>I originally was not able to do 'getent' lookups of random users or groups and found that it was timing out during the LDAP scan. I upped the timeout on the 'IPA Configuration' tab in the web interface and this solved the 'getent' issue. Now I am able to do 'getent passwd' on all users in a sub-AD domain.
>
>My new problem is that I am now unable to use a password to log in. If I grab a Kerberos ticket I am able to just ssh into any IPA Unix system, but it fails when trying to do a password lookup.
>
>The layout of the systems is as follows:
>
>1) forest domain with no users or groups
>2) child domain with all users and groups.
>3) IPA Realm/Domain trusted to forest domain
>
>All users are in a sub-OU below the top of the domain in an OU called Users. There are about 11K users in this OU, but lookups seem really slow.
>
>I have added the following to sssd.conf:
>1) lookup_family_order = ipv4_only
>2) ignore_group_members=True
>3) ldap_purge_cache_timeout=0
>4) subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
>5) debug_level=9
>
>Could anyone help direct me to a place to start looking for why lookups are slow and passwords are not being allowed?
Start with https://fedorahosted.org/sssd/wiki/Troubleshooting
-- 
/ Alexander Bokovoy
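As an added example (not part of the thread, and not sssd project code): a POSIX shell check for the sssd.conf options quoted above. `subdomain_inherit` only passes on options that are actually set in the IPA domain section, so an option that is listed there but never set (or misspelled) silently falls back to its default for the trusted AD subdomain. The two sample configuration files, the domain name and the section name are constructed for the example.

```shell
#!/bin/sh
# Added example: verify that every option named in subdomain_inherit is
# set in the IPA domain section of an sssd.conf, so that it actually
# reaches the trusted AD subdomain. Sample files below are constructed.

SECTION="domain/ipa.example.test"   # assumed domain section name

# Constructed sample mirroring the options listed in the post.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
domains = ipa.example.test
services = nss, pam, ssh, sudo

[domain/ipa.example.test]
id_provider = ipa
ipa_domain = ipa.example.test
lookup_family_order = ipv4_only
ignore_group_members=True
ldap_purge_cache_timeout=0
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
debug_level=9
EOF

# Constructed sample with a mistake: ignore_group_members is listed for
# inheritance but never set, so the subdomain keeps the default.
INCOMPLETE_CONF=$(mktemp)
cat > "$INCOMPLETE_CONF" <<'EOF'
[domain/ipa.example.test]
id_provider = ipa
ldap_purge_cache_timeout = 0
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
EOF

trap 'rm -f "$SAMPLE_CONF" "$INCOMPLETE_CONF"' EXIT

# conf_get CONF SECTION KEY: print the value of KEY inside [SECTION],
# tolerating "key=value" and "key = value"; prints nothing if unset.
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec      { in_sec = 1; next }
        /^[ \t]*\[/    { in_sec = 0 }
        in_sec {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# inherit_missing CONF SECTION: print, one per line, every option named
# in subdomain_inherit that is not set in the section. Empty output means
# the inheritance list is consistent with the section.
inherit_missing() {
    conf_get "$1" "$2" subdomain_inherit | tr ',' '\n' | tr -d ' \t' |
    while IFS= read -r opt; do
        [ -n "$opt" ] || continue
        [ -n "$(conf_get "$1" "$2" "$opt")" ] || echo "$opt"
    done
}

# Usage: report on both constructed files.
for conf in "$SAMPLE_CONF" "$INCOMPLETE_CONF"; do
    missing=$(inherit_missing "$conf" "$SECTION")
    if [ -z "$missing" ]; then
        echo "$conf: all inherited options are set in [$SECTION]"
    else
        echo "$conf: listed in subdomain_inherit but not set: $missing"
    fi
done
```

Run it against the real file with `inherit_missing /etc/sssd/sssd.conf "domain/<your IPA domain>"` after the functions are defined; it reads the file only and needs no sssd restart.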