Hello,
I'm unable to ssh as an AD user to a freeipa client. I am, however, able to ssh as an AD user to a freeipa server. I can also ssh to a freeipa client AND server using a FreeIPA account. Our IPA domain (ipa.subdomain.contoso.com) is set up with a one-way trust with ad.contoso.com. Our AD is on the larger side, with 400,000+ user accounts.
An ldbsearch on the client cache file returns 42 records; the same search on the server cache returns 113551 records. Searching for a specific user with ldbsearch -H /var/lib/sss/db/cache_ipa.subdomain.contoso.com.ldb '(name=heidi-ad@ad.contoso.com)' returns zero records on the freeipa client and 1 record on the freeipa server.
Dig commands (dig -t SRV _ldap._tcp.ipa.subdomain.contoso.com and dig -t SRV _ldap._tcp.ad.contoso.com) also return expected results.
server: sssd.conf https://privatebin.net/?42cff7bd431068d7#FmeM5p3R88U9oQd98UvoaVHZ3PzeZTGvS5V...
client: sssd.conf https://privatebin.net/?d4f20faca95236f4#D8WtjwDMaAB932W66YMgW5HtXkdfez1Ht1v...
I'm not sure what to key in on in the SSSD logs to identify what's going wrong here and how to resolve it. I've attempted to fiddle with multiple timeout settings, but haven't identified the right ones. I do see SSSD is reported as offline and this very much feels like a communication issue. I have uploaded sanitized SSSD logs from rl9-ipa-client1.in.subdomain.contoso.com and freeipa2.ipa.subdomain.contoso.com for a failed login attempt at the following: https://privatebin.net/?1028b6754421174b#DDDuthsRbLjxt4rS1mr263MmJ2qjhLgLHpy...
Thanks, Heidi
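Added example, not part of the original post: a small diagnostic script that performs the client-side comparison described above (cache record counts for the user, SRV targets for both domains, and SSSD's own online/offline view) so the same checks can be rerun on the client and the server and pasted into a report. It assumes ldb-tools (ldbsearch), bind-utils (dig) and sssd-tools (sssctl) are installed, and takes the cache path and domain names from the post.

```shell
#!/bin/sh
# Diagnostic helper (added example, not from the original post).
# Assumes: ldbsearch, dig and sssctl are installed; run as root on the host
# being checked. Domain and user names follow the post and are parameters.

# Count LDB records in ldbsearch output read from stdin (one "dn:" line each).
# grep -c prints 0 but exits 1 when nothing matches, so swallow that status.
ldb_record_count() {
    grep -c '^dn:' || true
}

# Print SRV target hosts from "dig +short -t SRV" output read from stdin.
# Each line is "priority weight port target."; drop the trailing dot.
srv_targets() {
    awk 'NF >= 4 { sub(/\.$/, "", $4); print $4 }'
}

# Compare what the local SSSD cache knows about a user with the SRV records
# SSSD should be resolving, then ask SSSD for its own domain and user status.
check_user() {
    user="$1"            # e.g. heidi-ad@ad.contoso.com
    ipa_domain="$2"      # e.g. ipa.subdomain.contoso.com
    ad_domain="$3"       # e.g. ad.contoso.com
    cache="/var/lib/sss/db/cache_${ipa_domain}.ldb"

    total=$(ldbsearch -H "$cache" '(objectClass=*)' | ldb_record_count)
    hits=$(ldbsearch -H "$cache" "(name=$user)" | ldb_record_count)
    echo "cache $cache: $total records total, $hits matching $user"

    for d in "$ipa_domain" "$ad_domain"; do
        targets=$(dig +short -t SRV "_ldap._tcp.$d" | srv_targets | tr '\n' ' ')
        echo "SRV _ldap._tcp.$d -> ${targets:-<none>}"
    done

    # Online/offline state as SSSD itself reports it (the trusted AD domain is
    # a subdomain of the IPA domain, so the second call may be rejected).
    sssctl domain-status "$ipa_domain"
    sssctl domain-status "$ad_domain" 2>/dev/null || true
    # End-to-end lookup of the user through SSSD's NSS and PAM paths.
    sssctl user-checks "$user"
}

# Usage: ./ipa-client-check.sh heidi-ad@ad.contoso.com ipa.subdomain.contoso.com ad.contoso.com
if [ "$#" -eq 3 ]; then
    check_user "$1" "$2" "$3"
fi
```

Run it on the failing client and on a working server with the same arguments; a cache with zero matching records together with an "offline" domain status on the client points at the IPA client's backend, whereas missing SRV targets point at DNS.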