On Fri, 09 Feb 2024, Heidi Hough via FreeIPA-users wrote:
Hello,
I'm unable to ssh as an AD user to a freeipa client. I am, however, able to ssh as an AD user to a freeipa server. I can also ssh to a freeipa client AND server using a FreeIPA account. Our IPA domain (ipa.subdomain.contoso.com) is set up with a one-way trust with ad.contoso.com. Our AD is on the larger side with 400,000+ user accounts.
An ldbsearch on the client cache file returns 42 records; the same search on the server cache returns 113551 records. Searching for a specific user, ldbsearch -H /var/lib/sss/db/cache_ipa.subdomain.contoso.com.ldb '(name=heidi-ad@ad.contoso.com)' returns zero records on the freeipa client and 1 record on the freeipa server.
Dig commands (dig -t SRV _ldap._tcp.ipa.subdomain.contoso.com and dig -t SRV _ldap._tcp.ad.contoso.com) also return expected results.
server:sssd.conf https://privatebin.net/?42cff7bd431068d7#FmeM5p3R88U9oQd98UvoaVHZ3PzeZTGvS5V...
client:sssd.conf https://privatebin.net/?d4f20faca95236f4#D8WtjwDMaAB932W66YMgW5HtXkdfez1Ht1v...
I'm not sure what to key in on in the SSSD logs to identify what's going wrong here and how to resolve it. I've attempted to fiddle with multiple timeout settings, but haven't identified the right ones. I do see SSSD is reported as offline and this very much feels like a communication issue. I have uploaded sanitized SSSD logs from rl9-ipa-client1.in.subdomain.contoso.com and freeipa2.ipa.subdomain.contoso.com for a failed login attempt at the following: https://privatebin.net/?1028b6754421174b#DDDuthsRbLjxt4rS1mr263MmJ2qjhLgLHpy...
Thanks for the logs. Can you say where the logs from the IPA server start from? It would be best if you could provide tarballs of /var/log/sssd from both the client and the server at the same time period. With this pastebin it is impossible to differentiate logs from the client from the logs of the server.
(2024-02-09 11:35:00): [be[ipa.subdomain.contoso.com]] [ipa_s2n_get_acct_info_send] (0x0400): [RID#2] Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [heidi-ad] to IPA server
(2024-02-09 11:35:00): [be[ipa.subdomain.contoso.com]] [ipa_s2n_exop_send] (0x0400): [RID#2] Executing extended operation
(2024-02-09 11:35:00): [be[ipa.subdomain.contoso.com]] [ipa_s2n_exop_send] (0x2000): [RID#2] ldap_extended_operation sent, msgid = 15
(2024-02-09 11:35:00): [be[ipa.subdomain.contoso.com]] [sdap_op_add] (0x2000): [RID#2] New operation 15 timeout 6
(2024-02-09 11:35:00): [be[ipa.subdomain.contoso.com]] [sdap_process_result] (0x2000): Trace: sh[0x5591a0d6cde0], connected[1], ops[0x5591a0d7ae80], ldap[0x5591a0d721f0]
(2024-02-09 11:35:00): [be[ipa.subdomain.contoso.com]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(2024-02-09 11:35:06): [be[ipa.subdomain.contoso.com]] [sdap_op_timeout] (0x1000): [RID#2] Issuing timeout [ldap_opt_timeout] for message id 15
(2024-02-09 11:35:06): [be[ipa.subdomain.contoso.com]] [sdap_call_op_callback] (0x3f7c0): [RID#2] LDAP operation [15][server: [172.16.50.102:389] IPA EXOP] seems slow, took more than 80% of timeout [6].
(2024-02-09 11:35:06): [be[ipa.subdomain.contoso.com]] [sdap_op_destructor] (0x1000): [RID#2] Abandoning operation 15
(2024-02-09 11:35:06): [be[ipa.subdomain.contoso.com]] [ipa_s2n_get_user_done] (0x0040): [RID#2] s2n exop request failed.
This says that a client has asked the server to resolve AD user but this operation took longer than expected timeout of 6 seconds and the client abandoned the request. You need to get logs from the IPA server at the same timeframe and see why it failed to complete in time.
ldap_search_timeout is by default 6 seconds and you have no modification of that, so this matches the client abandoning a search.
Thanks,
Heidi
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
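As an added example (not part of the thread, and not SSSD's own tooling), here is a small Python script that does the correlation the reply describes by hand: it walks a client-side SSSD domain log, groups lines by request id (RID), and reports for each trust-user lookup the LDAP message id, the timeout the operation was queued with, and how many seconds elapsed before the client either got an answer or gave up. The sample log is constructed from the RID#2 lines quoted above plus an invented RID#3 lookup that completed in one second, for contrast; the "Operation N finished" destructor message used to detect completion is assumed from SSSD's sdap code, and the regex is tailored to the line format shown in the excerpt.

```python
import re
from datetime import datetime

# Line format of an SSSD domain log (/var/log/sssd/sssd_<domain>.log), as in the
# excerpt quoted in the reply:
#   (timestamp): [be[domain]] [function] (0xlevel): [RID#n] message
# The optional group after the timestamp covers debug_microseconds = true.
# Lines without a [RID#n] tag (the sdap_process_result traces) parse but are skipped.
LINE_RE = re.compile(
    r"^\((?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:[:.]\d+)?\): "
    r"\[be\[(?P<domain>[^\]]+)\]\] \[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): "
    r"(?:\[RID#(?P<rid>\d+)\] )?(?P<msg>.*)$"
)


def parse_line(line):
    """Return the fields of one SSSD log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def correlate_s2n_requests(lines):
    """Track each IPA s2n (trust user) lookup by RID and report how it ended.

    Per RID: user, LDAP msgid, timeout the operation was queued with (seconds),
    elapsed seconds from queueing to end, and status 'timeout', 'completed' or 'pending'.
    """
    reqs = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["rid"] is None:
            continue
        r = reqs.setdefault(rec["rid"], {
            "rid": int(rec["rid"]), "user": None, "msgid": None, "timeout": None,
            "sent": None, "ended": None, "status": "pending"})
        func, msg = rec["func"], rec["msg"]
        if func == "ipa_s2n_get_acct_info_send":
            m = re.search(r"for trust user \[([^\]]+)\]", msg)
            if m:
                r["user"] = m.group(1)
        elif func == "sdap_op_add":
            # "New operation <msgid> timeout <seconds>": the number here is the
            # ldap_search_timeout the reply refers to (6 s by default).
            m = re.search(r"New operation (\d+) timeout (\d+)", msg)
            if m:
                r["msgid"], r["timeout"], r["sent"] = int(m.group(1)), int(m.group(2)), rec["ts"]
        elif func == "sdap_op_timeout":
            # The client gave up: no reply from the IPA server within the timeout.
            r["ended"], r["status"] = rec["ts"], "timeout"
        elif func == "sdap_op_destructor" and msg.startswith("Operation") and "finished" in msg:
            # Assumed completion message ("Operation <msgid> finished") from sdap_op_destructor.
            r["ended"], r["status"] = rec["ts"], "completed"

    report = []
    for r in sorted(reqs.values(), key=lambda x: x["rid"]):
        if r["sent"] is not None and r["ended"] is not None:
            r["elapsed"] = int((r["ended"] - r["sent"]).total_seconds())
        else:
            r["elapsed"] = None
        report.append(r)
    return report


def slow_requests(report, fraction=0.8):
    """RIDs whose elapsed time reached the given fraction of their timeout (SSSD's own 'seems slow' threshold)."""
    return [r["rid"] for r in report
            if r["elapsed"] is not None and r["timeout"]
            and r["elapsed"] >= fraction * r["timeout"]]


# Constructed sample: RID#2 reproduces the sequence quoted in the reply; RID#3 is an
# invented second lookup (user "other-ad", msgid 16) that completed after one second.
SAMPLE_LOG = """\
(2024-02-09 11:35:00): [be[ipa.subdomain.contoso.com]] [ipa_s2n_get_acct_info_send] (0x0400): [RID#2] Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [heidi-ad] to IPA server
(2024-02-09 11:35:00): [be[ipa.subdomain.contoso.com]] [ipa_s2n_exop_send] (0x2000): [RID#2] ldap_extended_operation sent, msgid = 15
(2024-02-09 11:35:00): [be[ipa.subdomain.contoso.com]] [sdap_op_add] (0x2000): [RID#2] New operation 15 timeout 6
(2024-02-09 11:35:00): [be[ipa.subdomain.contoso.com]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(2024-02-09 11:35:02): [be[ipa.subdomain.contoso.com]] [ipa_s2n_get_acct_info_send] (0x0400): [RID#3] Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [other-ad] to IPA server
(2024-02-09 11:35:02): [be[ipa.subdomain.contoso.com]] [sdap_op_add] (0x2000): [RID#3] New operation 16 timeout 6
(2024-02-09 11:35:03): [be[ipa.subdomain.contoso.com]] [sdap_op_destructor] (0x1000): [RID#3] Operation 16 finished
(2024-02-09 11:35:06): [be[ipa.subdomain.contoso.com]] [sdap_op_timeout] (0x1000): [RID#2] Issuing timeout [ldap_opt_timeout] for message id 15
(2024-02-09 11:35:06): [be[ipa.subdomain.contoso.com]] [sdap_op_destructor] (0x1000): [RID#2] Abandoning operation 15
(2024-02-09 11:35:06): [be[ipa.subdomain.contoso.com]] [ipa_s2n_get_user_done] (0x0040): [RID#2] s2n exop request failed.
"""

if __name__ == "__main__":
    rep = correlate_s2n_requests(SAMPLE_LOG.splitlines())
    for r in rep:
        print(f"RID#{r['rid']} user={r['user']} msgid={r['msgid']} "
              f"timeout={r['timeout']}s elapsed={r['elapsed']}s status={r['status']}")
    print("slow or timed-out RIDs:", slow_requests(rep))
```

Run it against the real client log with `correlate_s2n_requests(open("/var/log/sssd/sssd_ipa.subdomain.contoso.com.log").read().splitlines())`; the RIDs and timestamps it prints for timed-out lookups are exactly the window to pull from the IPA server's /var/log/sssd and /var/log/dirsrv logs, which is what the reply asks for.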