[Freeipa-users] Unable to resolve AD users from IPA clients

Jakub Hrozek jhrozek at redhat.com
Tue Jan 3 22:06:26 UTC 2017


On Tue, Jan 03, 2017 at 03:39:19PM +0100, Jan Karásek wrote:
> Hi, 
> 
> I have trouble with resolving AD users from my IPA clients. 
> 
> Environment: 2x IPA server with trust into AD - both IPA servers and clients running latest rhel 7.3. 
> 
> IPA domain: vs.example.com 
> AD domain: example.com, cen.example.com 
> 
> All tstxxxxx users are in cen.example.com but their UPN is set to tstxxxxx at example.com 
> 
> I can run id and getent passwd commands without problem from both IPA servers: 
> 
> id tst99655 at example.com 
> uid=20018(tst99655 at cen.example.com) gid=5001(csunix) groups=5001(csunix),930000008(final_test_group) 
> 
> getent tst99655 at example.com 
> tst99655 at cen.example.com:*:20018:5001:ipa_test:/home/cen.example.com/tst99655:/bin/bash 
> 
> But from client: 
> 
> root at trh7clnt02:~# id tst99655 at example.com 
> id: tst99655 at example.com: no such user 
> root at trh7clnt02:~#getent passwd tst99655 at example.com 
> ... no reply 
> 
> 
> But when I run on client: 
> getent group csunix at cen.example.com - it takes more than 30s 
> csunix at cen.example.com:*:5001: .... and really long list of users 
> 
> Then again from client: 
> 
> root at trh7clnt02:~# id tst99655 at example.com 
> uid=20018(tst99655 at cen.example.com) gid=5001(csunix) groups=5001(csunix) 
> 
> root at trh7clnt02:~# getent passwd tst99655 at example.com 
> tst99655 at cen.example.com:*:20018:5001:ipatest:/home/cen.example.com/tst99655:/bin/bash 
> 
> This time it works and it keeps working until I clean the sssd cache on client. Then I have to run that getent group csunix command again. 
> 
> I would say it is some timeout issue with enumerating csunix group. I have tried to fix it by adding: 
> 
> ldap_search_timeout = 50 

I don't think this would be related to the searches timing out but
probably parsing and storing the entries on the server and the client.

Could you try adding this on the server side's sssd.conf?

[domain/domname]
subdomain_inherit = ignore_group_members
ignore_group_members = True

By the way, did you install 7.3 cleanly or did you upgrade? And if you
upgraded, did you ever remove the cache post-upgrade on the server?

There have been some improvements related to performance in 7.3 and even
more are coming in 7.4.
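As an added illustration (not part of this thread), a small Python model of why the reply pairs the two lines: an option set in the IPA domain section of sssd.conf reaches the trusted AD subdomains (cen.example.com here) only if it is also named in subdomain_inherit. The section name vs.example.com and both configuration fragments are constructed from the thread's domain names; the inheritance logic is a simplified model, not sssd's own code.

```python
import configparser

# Constructed sssd.conf fragments (not from the thread). The first sets
# ignore_group_members only in the IPA domain section; the second also lists
# it in subdomain_inherit, which is the form suggested in the reply.
CONF_WITHOUT_INHERIT = """
[sssd]
domains = vs.example.com

[domain/vs.example.com]
id_provider = ipa
ignore_group_members = True
"""

CONF_WITH_INHERIT = """
[sssd]
domains = vs.example.com

[domain/vs.example.com]
id_provider = ipa
subdomain_inherit = ignore_group_members
ignore_group_members = True
"""


def parse_sssd_conf(text):
    # sssd.conf is INI-style; interpolation is off so '%' in values is literal.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def effective_subdomain_option(conf_text, ipa_domain, option):
    """Simplified model (assumption, not sssd's algorithm): a trusted AD
    subdomain sees an option only when the IPA domain section both sets it
    and names it in subdomain_inherit. Returns the value or None."""
    cp = parse_sssd_conf(conf_text)
    section = f"domain/{ipa_domain}"
    if not cp.has_section(section):
        return None
    raw = cp.get(section, "subdomain_inherit", fallback="")
    inherited = {o.strip() for o in raw.split(",") if o.strip()}
    if option not in inherited:
        return None
    return cp.get(section, option, fallback=None)


if __name__ == "__main__":
    for name, conf in (("without", CONF_WITHOUT_INHERIT), ("with", CONF_WITH_INHERIT)):
        val = effective_subdomain_option(conf, "vs.example.com", "ignore_group_members")
        print(f"{name} subdomain_inherit: cen.example.com sees ignore_group_members={val}")
```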