[Freeipa-users] Unable to resolve AD users from IPA clients

Jan Karásek jan.karasek at elostech.cz
Tue Jan 3 14:39:19 UTC 2017


Hi, 

I have trouble with resolving AD users from my IPA clients. 

Environment: 2x IPA server with trust into AD - both IPA servers and clients running latest rhel 7.3. 

IPA domain: vs.example.com 
AD domain: example.com, cen.example.com 

All tstxxxxx users are in cen.example.com but their UPN is set to tstxxxxx@example.com 

I can run id and getent passwd commands without problem from both IPA servers: 

id tst99655@example.com 
uid=20018(tst99655@cen.example.com) gid=5001(csunix) groups=5001(csunix),930000008(final_test_group) 

getent tst99655@example.com 
tst99655@cen.example.com:*:20018:5001:ipa_test:/home/cen.example.com/tst99655:/bin/bash 

But from client: 

root@trh7clnt02:~# id tst99655@example.com 
id: tst99655@example.com: no such user 
root@trh7clnt02:~# getent passwd tst99655@example.com 
... no reply 


But when I run on client: 
getent group csunix@cen.example.com - it takes more than 30s 
csunix@cen.example.com:*:5001: .... and really long list of users 

Then again from client: 

root@trh7clnt02:~# id tst99655@example.com 
uid=20018(tst99655@cen.example.com) gid=5001(csunix) groups=5001(csunix) 

root@trh7clnt02:~# getent passwd tst99655@example.com 
tst99655@cen.example.com:*:20018:5001:ipatest:/home/cen.example.com/tst99655:/bin/bash 

This time it works and it keeps working until I clean the sssd cache on client. Then I have to run that getent group csunix command again. 

I would say it is some timeout issue with enumerating csunix group. I have tried to fix it by adding: 

ldap_search_timeout = 50 

into sssd.conf on both server and client (sssd restarted), but without effect. 
Here is my sssd.conf from client: 

[domain/vs.example.com] 
debug_level = 7 
cache_credentials = True 
krb5_store_password_if_offline = True 
ipa_domain = vs.example.com 
id_provider = ipa 
auth_provider = ipa 
access_provider = ipa 
ipa_hostname = trh7clnt02.vs.example.com 
chpass_provider = ipa 
ipa_server = tidmipa01.vs.example.com 
ldap_tls_cacert = /etc/ipa/ca.crt 
ldap_search_timeout = 50 

[sssd] 
services = nss, sudo, pam, ssh 
config_file_version = 2 
domains = vs.example.com 
[nss] 
homedir_substring = /home 
debug_level = 7 
[pam] 
debug_level = 7 
[sudo] 
[autofs] 
[ssh] 
[pac] 
debug_level = 7 
[ifp] 

IPA server sssd.conf: 

[domain/vs.example.com] 
debug_level = 7 
cache_credentials = True 
krb5_store_password_if_offline = True 
ipa_domain = vs.example.com 
id_provider = ipa 
auth_provider = ipa 
access_provider = ipa 
ipa_hostname = tidmipa01.vs.example.com 
chpass_provider = ipa 
ipa_server = tidmipa01.vs.example.com 
ipa_server_mode = True 
ldap_tls_cacert = /etc/ipa/ca.crt 
ldap_id_mapping = False 
ldap_search_timeout = 20 
[sssd] 
services = nss, sudo, pam, ssh 
config_file_version = 2 
domains = vs.example.com 
[nss] 
memcache_timeout = 600 
debug_level = 7 
homedir_substring = /home 
[pam] 
debug_level = 7 
[sudo] 
debug_level = 7 
[autofs] 
debug_level = 7 
[ssh] 
debug_level = 7 
[pac] 
debug_level = 7 
[ifp] 
debug_level = 7 

Any suggestion how to fix that? I can add logs from both successful and unsuccessful tries, but they are quite long. 

Thank you. 
Jan 
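The post quotes two `id` results for the same user (one from an IPA server, one from the client after the group lookup warmed the cache) and two sssd.conf files. The differences matter for security: a group the client does not see is a group that sudo or any other group-based access rule on that client evaluates without, so a partial cache is an authorization inconsistency, not just a lookup delay. The script below is an added example, not code from the poster or the FreeIPA/SSSD projects. It parses `id` output and reports groups present on the reference host but missing on the observed host, and it diffs the `[domain/...]` section of two sssd.conf texts. The sample strings are constructed from the values quoted in the post; the function names are this example's own.

```python
"""Compare `id` output and sssd.conf domain options between two hosts.

Added example (not from the mailing-list post). Sample data below is
constructed from the outputs and config excerpts quoted in the post.
"""
import configparser
import re
from typing import Dict, Optional, Tuple

# Constructed sample: `id tst99655@example.com` on the IPA server ...
SERVER_ID_OUTPUT = ("uid=20018(tst99655@cen.example.com) gid=5001(csunix) "
                    "groups=5001(csunix),930000008(final_test_group)")
# ... and on the client after `getent group csunix@cen.example.com` warmed the cache.
CLIENT_ID_OUTPUT = ("uid=20018(tst99655@cen.example.com) gid=5001(csunix) "
                    "groups=5001(csunix)")

# Constructed sample: the [domain/...] sections quoted in the post.
SERVER_SSSD_CONF = """\
[domain/vs.example.com]
debug_level = 7
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = vs.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = tidmipa01.vs.example.com
chpass_provider = ipa
ipa_server = tidmipa01.vs.example.com
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_id_mapping = False
ldap_search_timeout = 20
"""
CLIENT_SSSD_CONF = """\
[domain/vs.example.com]
debug_level = 7
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = vs.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = trh7clnt02.vs.example.com
chpass_provider = ipa
ipa_server = tidmipa01.vs.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_search_timeout = 50
"""

# One "NUMBER(name)" entry as printed by `id`.
_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id_output(line: str) -> Dict[str, object]:
    """Parse one line of `id` output into uid, primary gid and a gid->name map."""
    fields = dict(part.split("=", 1) for part in line.split())
    uid_num, uid_name = _ENTRY.fullmatch(fields["uid"]).groups()
    gid_num, gid_name = _ENTRY.fullmatch(fields["gid"]).groups()
    groups = {int(n): name for n, name in _ENTRY.findall(fields.get("groups", ""))}
    return {"uid": int(uid_num), "user": uid_name, "gid": int(gid_num),
            "primary_group": gid_name, "groups": groups}


def missing_groups(reference: str, observed: str) -> Dict[int, str]:
    """Groups the reference host reports for the user that the observed host lacks."""
    ref = parse_id_output(reference)["groups"]
    obs = parse_id_output(observed)["groups"]
    return {gid: name for gid, name in ref.items() if gid not in obs}


def domain_option_diff(conf_a: str, conf_b: str,
                       section: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Options of `section` whose value differs or is missing between two sssd.conf texts."""
    a = configparser.ConfigParser(interpolation=None)
    a.read_string(conf_a)
    b = configparser.ConfigParser(interpolation=None)
    b.read_string(conf_b)
    keys = set(a[section]) | set(b[section])
    return {k: (a[section].get(k), b[section].get(k))
            for k in sorted(keys) if a[section].get(k) != b[section].get(k)}


if __name__ == "__main__":
    for gid, name in missing_groups(SERVER_ID_OUTPUT, CLIENT_ID_OUTPUT).items():
        print(f"client is missing group {gid}({name})")
    for key, (srv, cli) in domain_option_diff(SERVER_SSSD_CONF, CLIENT_SSSD_CONF,
                                              "domain/vs.example.com").items():
        print(f"{key}: server={srv!r} client={cli!r}")
```

On the post's data the script reports the group `930000008(final_test_group)` as missing on the client, and four domain options that differ (`ipa_hostname`, `ipa_server_mode`, `ldap_id_mapping`, `ldap_search_timeout`). Of these, `ipa_server_mode` and `ldap_id_mapping` are expected to appear only on the server side of a trust setup; the point of the diff is to make such differences explicit before reading through the debug logs.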





