[Freeipa-users] IPA - Password time outs / failures on trusted AD Users

David Fischer DFischer at PetSmart.com
Tue Jun 14 18:22:48 UTC 2016


Alexander,
One of the things I am seeing is that our AD has groups that are 5 deep and IPA is not able to enumerate all the groups. Is there a way to help IPA in search depth or scope?

-----Original Message-----
From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
Sent: Monday, June 13, 2016 12:07 PM
To: David Fischer
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users

On Mon, 13 Jun 2016, David Fischer wrote:
>(Note: versions below)
>
>All,
>I am getting password failures for accounts coming from a sub-ad domain.
>I originally was not able to do 'getent' lookups of random users or groups and found that it was timing out during the ldap scan. I upped the timeout on the 'IPA Configuration' tab in the web interface and this solved the 'getent' issue. Now I am able to do 'getent passwd' on all users in a sub-ad domain.
>
>My new problem is that I am now unable to use password to login.  If I grab a kerberos ticket I am able to just ssh into any IPA unix system, but fails when trying to do a password lookup.
>
>The layout of systems is as follows:
>
>1) forest domain with no users or groups
>2) child domain with all users and groups.
>3) IPA Realm/Domain trusted to forest domain
>
>All users are in a sub-OU below the top of the domain in an OU called Users. There are about 11K users in this OU, but lookups seem really slow.
>
>I have added to sssd.conf the following:
>1) lookup_family_order = ipv4_only
>2) ignore_group_members=True
>3) ldap_purge_cache_timeout=0
>4) subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
>5) debug_level=9
>
>Could anyone help direct me to a place to start looking for why lookups are slow and passwords are not being allowed?
Start with https://fedorahosted.org/sssd/wiki/Troubleshooting
--
/ Alexander Bokovoy
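The sssd.conf settings listed in the quoted message only reach the trusted child domain if each option named in subdomain_inherit is itself set in the parent [domain/...] section. The checker below is an added example, not code from the thread or from SSSD; the domain name in the sample config is a placeholder.

```python
"""Sanity-check sssd.conf for an AD trust: every option named in
subdomain_inherit must also be set in the same [domain/...] section,
otherwise the trusted (child) domain never inherits it."""
import configparser

# Constructed sample mirroring the settings listed in the thread;
# the domain name is a placeholder, not the poster's real domain.
SAMPLE_SSSD_CONF = """
[sssd]
domains = ipa.example.test
services = nss, pam

[domain/ipa.example.test]
id_provider = ipa
lookup_family_order = ipv4_only
ignore_group_members = True
ldap_purge_cache_timeout = 0
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
debug_level = 9
"""


def check_subdomain_inherit(conf_text):
    """Return {domain_section: [missing options]} listing every option
    named in subdomain_inherit that is not set in that domain section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    missing = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue  # only [domain/...] sections carry subdomain_inherit
        inherit = cp.get(section, "subdomain_inherit", fallback="")
        wanted = [o.strip() for o in inherit.split(",") if o.strip()]
        absent = [o for o in wanted if not cp.has_option(section, o)]
        missing[section] = absent
    return missing


if __name__ == "__main__":
    for sec, absent in check_subdomain_inherit(SAMPLE_SSSD_CONF).items():
        status = "ok" if not absent else "missing: " + ", ".join(absent)
        print(f"{sec}: {status}")
```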
