[Freeipa-users] IPA - Password time outs / failures on trusted AD Users

David Fischer DFischer at PetSmart.com
Fri Jun 17 13:26:14 UTC 2016



-----Original Message-----
From: Alexander Bokovoy <abokovoy at redhat.com>
To: David Fischer <DFischer at PetSmart.com>
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users
Date: Fri, 17 Jun 2016 05:02:59 -0700


On Thu, 16 Jun 2016, David Fischer wrote:


Alexander,

Ok, I figured out that most of my issues were the LDAP search timeout and also
ldap_idmap_range_size was too small.


Good.



So I am left with one last problem: any new users can log in via
password, but existing users' passwords do not work, although Kerberos tickets
do.  So is there another setting I am missing? getent and id -a both
work fine and there are no HBAC rules.  Any thought would be helpful.


New users where? In Active Directory or in IPA? In case of
authentication checks you need to look at the SSSD domain log together
with the pam log and krb5_child log.



Sorry, Yes all accounts will live in AD.

So any users that I have created in AD after the trust was created, I am able to log in as; any accounts from before give a password failure.

Thanks

-----Original Message-----
From: Alexander Bokovoy <abokovoy at redhat.com>
To: David Fischer <DFischer at PetSmart.com>
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users
Date: Tue, 14 Jun 2016 23:52:36 -0700


On Tue, 14 Jun 2016, David Fischer wrote:


Alexander,

I am getting the windows admin to refresh our DR AD setup and I should
be able to give you an idea on some of our groups layouts.

So a quick understanding is that a single user can have 15-20+ groups;
those groups might have all users in them plus groups. The groups of
groups can link back to groups that the user may already be assigned to.
We do know that we have at least one circular group in our environment.
I have used the 'ignore_group_members' with some success. Ref:
https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/


That article is what Jakub and I wrote. Jakub may have more suggestions
and there are some improvements in recent SSSD releases in RHEL 7.2.4.



________________________________
#####################################################################################
The information contained in this electronic mail message, including attachments, if any, is PetSmart confidential information. It is intended only for the use of the person(s) named above. If the reader of this message is not the intended recipient, or has received this message in error, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you are not the intended recipient or have received this message in error, please notify the sender via e-mail and promptly delete the original message.
#####################################################################################

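The diagnostic Alexander points at (reading the SSSD domain log, the PAM responder log and krb5_child.log together for one user's authentication attempt) as an added example; this is not code from the thread or from the SSSD project. It follows the "(timestamp) [component] [function] (0xlevel): message" shape of SSSD debug logs, but every sample line below is constructed for this example, the function names in them are assumptions, and the user names, domain and PID are placeholders.

```python
import re
from collections import defaultdict

# Shape of an SSSD debug-log line: "(timestamp) [component] [function] (0xLEVEL): message"
LOG_LINE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<comp>.+?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

# krb5_child reports the libkrb5 result as "[<code>][<text>]"; these are the
# standard KRB5KDC_ERR_* values for the cases worth telling apart.
KRB5_CODES = {
    -1765328378: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (client principal not found in realm)",
    -1765328361: "KRB5KDC_ERR_KEY_EXP (password expired)",
    -1765328360: "KRB5KDC_ERR_PREAUTH_FAILED (wrong password or pre-auth mismatch)",
}
KRB5_RESULT = re.compile(r"\[(?P<code>-?\d+)\]\[(?P<text>[^\]]*)\]")

# Constructed sample logs (not real captures); function names are assumptions.
PAM_LOG = """\
(Thu Jun 16 09:01:02 2016) [sssd[pam]] [pam_print_data] (0x0100): user: olduser@ad.example.com
(Thu Jun 16 09:01:02 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Thu Jun 16 09:01:03 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [7 (Authentication failure)][ad.example.com]
(Thu Jun 16 09:02:10 2016) [sssd[pam]] [pam_print_data] (0x0100): user: newuser@ad.example.com
(Thu Jun 16 09:02:11 2016) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0 (Success)][ad.example.com]
"""
DOMAIN_LOG = """\
(Thu Jun 16 09:01:02 2016) [sssd[be[ad.example.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Thu Jun 16 09:01:02 2016) [sssd[be[ad.example.com]]] [pam_print_data] (0x0100): user: olduser@ad.example.com
(Thu Jun 16 09:01:03 2016) [sssd[be[ad.example.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 7, <NULL>) [Success (Authentication failure)]
"""
KRB5_LOG = """\
(Thu Jun 16 09:01:02 2016) [[sssd[krb5_child[4242]]]] [main] (0x0400): krb5_child started.
(Thu Jun 16 09:01:02 2016) [[sssd[krb5_child[4242]]]] [unpack_buffer] (0x0100): cmd [241] uid [1553201234] gid [1553201234] validate [true] user [olduser@ad.example.com]
(Thu Jun 16 09:01:03 2016) [[sssd[krb5_child[4242]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328360][Preauthentication failed]
"""


def parse(log_text):
    """Yield a dict per line that matches the SSSD debug-log shape; skip the rest."""
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()


def lines_for_user(user, log_text):
    """Attribute responder/backend lines to the user named by the most recent
    'user: ...' line, since the result line itself does not repeat the user."""
    current, picked = None, []
    for rec in parse(log_text):
        m = re.search(r"\buser: (\S+)", rec["msg"])
        if m:
            current = m.group(1)
        if current == user:
            picked.append(rec)
    return picked


def krb5_child_for_user(user, log_text):
    """Group krb5_child lines by child PID and keep every line of the PIDs
    whose buffer dump names the user (the error line carries only the PID)."""
    by_pid = defaultdict(list)
    for rec in parse(log_text):
        m = re.search(r"krb5_child\[(\d+)\]", rec["comp"])
        by_pid[m.group(1) if m else "?"].append(rec)
    return [r for recs in by_pid.values()
            if any(f"user [{user}]" in r["msg"] for r in recs) for r in recs]


def krb5_errors(recs):
    """Extract non-zero libkrb5 result codes and translate the known ones."""
    out = []
    for rec in recs:
        for m in KRB5_RESULT.finditer(rec["msg"]):
            code = int(m.group("code"))
            if code != 0:
                out.append((code, KRB5_CODES.get(code, m.group("text"))))
    return out


def correlate(user, pam_log, domain_log, krb5_log):
    """Summarise what each of the three SSSD logs recorded for one user."""
    krb = krb5_child_for_user(user, krb5_log)
    return {
        "user": user,
        "pam": [r["msg"] for r in lines_for_user(user, pam_log)],
        "domain": [r["msg"] for r in lines_for_user(user, domain_log)],
        "krb5_child": [r["msg"] for r in krb],
        "krb5_errors": krb5_errors(krb),
    }


if __name__ == "__main__":
    for u in ("olduser@ad.example.com", "newuser@ad.example.com"):
        rep = correlate(u, PAM_LOG, DOMAIN_LOG, KRB5_LOG)
        print(u, "->", rep["krb5_errors"] or "no krb5_child error recorded")
```

The sequential "most recent user: line" heuristic is deliberately simple: it misses backend lines logged before the user is printed (the "Got request" line above) and would interleave badly on a busy host, so on a real system raise debug_level in the [pam] and [domain/...] sections of sssd.conf, reproduce with one user, and feed only that window to the script. The value of the krb5_child code is what separates "wrong or expired password" from "the KDC never found the principal", which is the distinction the thread is chasing.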
