[Freeipa-users] Unable to resolve AD users from IPA clients
Jan Karásek
jan.karasek at elostech.cz
Tue Jan 3 14:39:19 UTC 2017
Hi,
I have trouble with resolving AD users from my IPA clients.
Environment: 2x IPA servers with a trust to AD; both IPA servers and clients are running the latest RHEL 7.3.
IPA domain: vs.example.com
AD domain: example.com, cen.example.com
All tstxxxxx users are in cen.example.com, but their UPN is set to tstxxxxx@example.com.
I can run id and getent passwd commands without problems from both IPA servers:
id tst99655@example.com
uid=20018(tst99655@cen.example.com) gid=5001(csunix) groups=5001(csunix),930000008(final_test_group)
getent passwd tst99655@example.com
tst99655@cen.example.com:*:20018:5001:ipa_test:/home/cen.example.com/tst99655:/bin/bash
But from the client:
root@trh7clnt02:~# id tst99655@example.com
id: tst99655@example.com: no such user
root@trh7clnt02:~# getent passwd tst99655@example.com
... no reply
But when I run on the client:
getent group csunix@cen.example.com - it takes more than 30s
csunix@cen.example.com:*:5001: .... and a really long list of users
Then again from the client:
root@trh7clnt02:~# id tst99655@example.com
uid=20018(tst99655@cen.example.com) gid=5001(csunix) groups=5001(csunix)
root@trh7clnt02:~# getent passwd tst99655@example.com
tst99655@cen.example.com:*:20018:5001:ipatest:/home/cen.example.com/tst99655:/bin/bash
This time it works, and it keeps working until I clean the sssd cache on the client. Then I have to run that getent group csunix command again.
I would say it is some timeout issue with enumerating the csunix group. I have tried to fix it by adding:
ldap_search_timeout = 50
to sssd.conf on both the server and the client (sssd restarted), but without effect.
Here is my sssd.conf from the client:
[domain/vs.example.com]
debug_level = 7
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = vs.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = trh7clnt02.vs.example.com
chpass_provider = ipa
ipa_server = tidmipa01.vs.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_search_timeout = 50
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = vs.example.com
[nss]
homedir_substring = /home
debug_level = 7
[pam]
debug_level = 7
[sudo]
[autofs]
[ssh]
[pac]
debug_level = 7
[ifp]
IPA server sssd.conf:
[domain/vs.example.com]
debug_level = 7
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = vs.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = tidmipa01.vs.example.com
chpass_provider = ipa
ipa_server = tidmipa01.vs.example.com
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_id_mapping = False
ldap_search_timeout = 20
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = vs.example.com
[nss]
memcache_timeout = 600
debug_level = 7
homedir_substring = /home
[pam]
debug_level = 7
[sudo]
debug_level = 7
[autofs]
debug_level = 7
[ssh]
debug_level = 7
[pac]
debug_level = 7
[ifp]
debug_level = 7
Any suggestions on how to fix this? I can add logs from both the successful and the unsuccessful tries, but they are quite long.
Thank you.
Jan
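The lookup sequence described in the post (clear the SSSD cache, look the user up by UPN, enumerate the group, look the user up again), as an added reproduction script that is not part of the original message. It records the exit status and wall-clock seconds of each step so the timing can be attached to a report; USER_UPN, GROUP_NAME and RUN_REPRO are assumed names, defaulting to the values quoted above.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the failing-then-working
# lookup on an IPA client and time each step. Run as root, since sss_cache
# needs write access to the SSSD cache. USER_UPN / GROUP_NAME are assumed
# variable names; their defaults are the identities quoted in the post.

USER_UPN="${USER_UPN:-tst99655@example.com}"
GROUP_NAME="${GROUP_NAME:-csunix@cen.example.com}"

# Return the Nth colon-separated field (1-based) of a passwd/group line.
nss_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Run a command with output discarded, print its label, exit status and
# elapsed seconds, and return the command's own exit status.
timed() {
    label="$1"; shift
    start=$(date +%s)
    "$@" >/dev/null 2>&1
    rc=$?
    printf '%-34s rc=%d  %ds\n' "$label" "$rc" "$(( $(date +%s) - start ))"
    return $rc
}

# 1. empty the SSSD cache so we start from the state the post describes
# 2. look the user up by UPN (fails on the client per the post)
# 3. enumerate the group (the slow step)
# 4. look the user up again (works per the post)
reproduce() {
    timed "sss_cache -E" sss_cache -E
    timed "id $USER_UPN (cold)" id "$USER_UPN" && cold=ok || cold=fail
    timed "getent group $GROUP_NAME" getent group "$GROUP_NAME"
    timed "id $USER_UPN (after group)" id "$USER_UPN" && warm=ok || warm=fail
    echo "cold=$cold warm=$warm"
    # Show the resolved uid/gid so they can be compared with the server's answer.
    entry=$(getent passwd "$USER_UPN") && \
        echo "uid=$(nss_field "$entry" 3) gid=$(nss_field "$entry" 4)"
}

# The live sequence only runs when explicitly requested: RUN_REPRO=1 sh repro.sh
if [ -n "${RUN_REPRO:-}" ]; then
    reproduce
fi
```

Compare the cold/warm result and the uid/gid line with the server-side output from the post; a cold=fail warm=ok pair with a long getent group time is the behaviour the message describes.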