[Freeipa-users] Freeipa-users Digest, Vol 100, Issue 48

Sumit Bose sbose at redhat.com
Fri Nov 18 13:02:15 UTC 2016


On Fri, Nov 18, 2016 at 12:09:41PM +0100, rajat gupta wrote:
> Hi,
> 
> 
> I removed the pam_winbind module. Users are able to log in now. But sometimes
> they are not. Below are the logs when users are not able to log in.  Also SSH

See comment at the end of the email.

> login is very slow for AD users. I am using sssd 1.4

Please note that SSSD does more than a simple kinit: it will validate
the returned TGT of the user by requesting a service ticket for a
service from the local keytab. For AD users this requires at least one
round trip to an AD DC and another one to the IPA server. If the AD user
is coming from a member domain in the AD forest and not from the forest
root there are even more round trips.


> =============================
> rpm -qa | grep sssd
> sssd-krb5-common-1.14.0-43.el7.x86_64
> python-sssdconfig-1.14.0-43.el7.noarch
> sssd-ldap-1.14.0-43.el7.x86_64
> sssd-client-1.14.0-43.el7.x86_64
> sssd-ipa-1.14.0-43.el7.x86_64
> sssd-proxy-1.14.0-43.el7.x86_64
> sssd-common-1.14.0-43.el7.x86_64
> sssd-ad-1.14.0-43.el7.x86_64
> sssd-1.14.0-43.el7.x86_64
> sssd-krb5-1.14.0-43.el7.x86_64
> sssd-common-pac-1.14.0-43.el7.x86_64
> ===========================
> 
> =====================================
> My sssd.conf on the IPA client
> 
> cat /etc/sssd/sssd.conf
> [domain/ipa.preprod.local]
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ipa.ipadomain.local
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ilt-gif-ipa02.ipa.ipadomain.local
> chpass_provider = ipa
> ipa_server = _srv_, ilt-gif-ipa01.ipa.ipadomain.local
> ldap_tls_cacert = /etc/ipa/ca.crt
> debug_level = 10
> krb5_use_enterprise_principal = True
> 
> 
> 
> [sssd]
> default_domain_suffix = corp.addomain.com
> services = nss, sudo, pam, ssh
> 
> domains = ipa.ipadomain.local
> debug_level = 10
> 
> [nss]
> override_homedir = /home/%u
> debug_level = 10
> 
> 
> 
> [pam]
> debug_level = 10
> 
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> debug_level = 10
> 
> 
> [pac]
> 
> [ifp]
> ==============================================
> 
> 
> 
...
> (Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16084]]]] [main] (0x0400):
> krb5_child started.
> (Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16084]]]] [unpack_buffer]
> (0x1000): total buffer size: [168]
> (Fri Nov 18 11:46:25 2016) [[sssd[krb5_child[16084]]]] [unpack_buffer]
> (0x0100): cmd [241] uid [1007629326] gid [1007629326] validate [true]
> enterprise principal [false] offline [true] UPN [Subaranchan.T at MYDOMAON.COM]

SSSD is in offline mode again; if the user has never successfully logged in
with a password, authentication will fail. You should check the SSSD
domain log to figure out why SSSD switches into offline mode.

HTH

bye,
Sumit
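The two things Sumit asks for, as an added example that is not part of the thread and not SSSD's or FreeIPA's own tooling: a scan of the SSSD domain log that reports each switch to offline mode together with the last error-level message logged before it (the likely cause), and a helper that reproduces the TGT-validation round trips by hand (kinit against the AD realm, then a service ticket for this client's host principal) so that their latency can be measured. Assumptions: the SSSD 1.x debug-log line layout shown in the krb5_child excerpt above, the `be_mark_offline` "Going offline!" message, MIT krb5 `kinit`/`kvno`/`klist`, a `host/<fqdn>` key in `/etc/krb5.keytab`, and the domain log path `/var/log/sssd/sssd_<domain>.log`; the sample log lines and the realm names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Finds why SSSD went offline and
# times the TGT validation round trips Sumit describes.
# Assumed log layout: "(date) [sssd[be[domain]]] [function] (0xNNNN): message".

# Constructed sample of an SSSD domain log (not real output from the poster).
SAMPLE_LOG='(Fri Nov 18 11:46:20 2016) [sssd[be[ipa.ipadomain.local]]] [be_resolve_server_done] (0x1000): Server resolution successful
(Fri Nov 18 11:46:24 2016) [sssd[be[ipa.ipadomain.local]]] [sdap_cli_connect_recv] (0x0040): Failed to connect, going offline (5 [Input/output error])
(Fri Nov 18 11:46:24 2016) [sssd[be[ipa.ipadomain.local]]] [be_mark_offline] (0x2000): Going offline!
(Fri Nov 18 11:46:25 2016) [sssd[be[ipa.ipadomain.local]]] [be_pam_handler] (0x0100): Got request with the following data
(Fri Nov 18 11:48:10 2016) [sssd[be[ipa.ipadomain.local]]] [be_ptask_online_cb] (0x0400): Going online
(Fri Nov 18 11:52:01 2016) [sssd[be[ipa.ipadomain.local]]] [fo_resolve_service_send] (0x0020): Server resolution failed: 5
(Fri Nov 18 11:52:01 2016) [sssd[be[ipa.ipadomain.local]]] [be_mark_offline] (0x2000): Going offline!'

# Print one line per offline transition: its timestamp and the last
# fatal/error message (debug levels 0x0020 / 0x0040) seen before it.
# Reads the files given as arguments, or stdin when none are given.
sssd_offline_reasons() {
    awk '
        /\((0x0020|0x0040)\):/ { last_err = $0 }
        /\[be_mark_offline\].*Going offline/ {
            ts = $0
            sub(/^\(/, "", ts); sub(/\).*/, "", ts)        # keep the date only
            reason = last_err
            if (reason == "") {
                reason = "(no error logged before this transition)"
            } else {
                sub(/^\([^)]*\) \[[^ ]*\] /, "", reason)   # drop date + component
            }
            print ts ": went offline; last error: " reason
            last_err = ""                                   # one cause per transition
        }
    ' "$@"
}

# Reproduce by hand what SSSD does when validating a TGT, and time each hop:
# kinit fetches the user's TGT from an AD DC; kvno for this client's host
# principal then needs a cross-realm service ticket, i.e. AD DC -> IPA KDC.
# Needs network access and MIT krb5 tools; it is not invoked below.
time_tgt_validation() {
    upn=$1                               # e.g. user@CORP.ADDOMAIN.COM (assumed realm)
    host_princ="host/$(hostname -f)"     # assumed to exist in /etc/krb5.keytab
    KRB5CCNAME="FILE:/tmp/krb5cc_validate_$$"; export KRB5CCNAME
    start=$(date +%s)
    kinit -E "$upn" || return 1          # -E: enterprise principal, as in sssd.conf
    t_tgt=$(date +%s)
    kvno "$host_princ" || return 1       # the service ticket SSSD requests to validate
    t_svc=$(date +%s)
    echo "TGT: $((t_tgt - start))s, service ticket: $((t_svc - t_tgt))s"
    klist
    kdestroy
}

# Run the log scan over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | sssd_offline_reasons
```

On the poster's client the scan would be run as `sssd_offline_reasons /var/log/sssd/sssd_ipa.ipadomain.local.log`; with `debug_level = 10` the file is large, so the point of pairing each "Going offline!" with the preceding error is to avoid reading it top to bottom. `time_tgt_validation 'Subaranchan.T@CORP.ADDOMAIN.COM'` (realm assumed) shows whether the slow part is the AD hop or the cross-realm ticket for the IPA host principal.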



