Hello all,
I've pretty much exhausted my searching in order to find a solution to
a problem I've been working on for about a week now, and now I find
myself grasping at straws.
Basically, AD trust user lookups on IPA clients fail several times in
a row before finally returning results (after 8-20 seconds). However,
this does not happen on the IPA servers - even after clearing caches.
Furthermore, querying the same list of users against a non-IPA Linux
client that connects directly to our AD domain using nslcd has no
issues querying the same list of users.
From what I understand regarding the anatomy of the FreeIPA - AD Trust
relationship, the FreeIPA servers' sssd caches are queried first by
FreeIPA clients and if there is no result, then the FreeIPA server
queries the AD domain controllers, receives results, caches them, and
then provides the results to the FreeIPA client.
I've tried adjusting the sssd.conf file on both the server and the
client, without any expected results:
ignore_group_members = True
ldap_purge_cache_timeout = (various values)
memcache_timeout = (various values)
cache_first = (various values)
ldap_opt_timeout = (various values)
ldap_search_timeout = (various values)
The trust was established using the range type of "ipa-ad-trust-posix"
since each user has a unique POSIX UID and a shared unique POSIX GID
(no AD groups are returned).
I've attached logs (dirsrv and sssd) from the IPA server I directly
specified via the client sssd.conf and logs from the client itself.
Any pointers and/or suggestions would be extremely helpful!
Thank you,
John DeSantis
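A small diagnostic harness for the symptom described above (lookups failing several times in a row before succeeding): it times repeated NSS lookups of each trust user from an IPA client and reports how many attempts each one needed. This is an added example, not part of the original post; it assumes lookups go through `getent passwd` (overridable via the hypothetical `LOOKUP_CMD` variable so the script can be exercised without sssd), a newline-separated user list file passed as the first argument, and the `MAX_TRIES` / `RETRY_DELAY` knobs it defines itself.

```bash
#!/bin/bash
# Added diagnostic for intermittent AD-trust user lookups on an IPA client.
# Not from the original post. Assumptions: lookups are done with
# `getent passwd NAME` (LOOKUP_CMD is a hypothetical override used for
# testing), and the user list is one name per line in the file given as $1.

LOOKUP_CMD="${LOOKUP_CMD:-getent passwd}"   # command that resolves one user
MAX_TRIES="${MAX_TRIES:-10}"                # give up after this many attempts
RETRY_DELAY="${RETRY_DELAY:-1}"             # seconds between attempts

# probe_user NAME
# Retries the lookup until it succeeds or MAX_TRIES is reached. Prints one
# line "NAME attempts=N seconds=S status=ok|fail" and returns 0 on ok, 1 on
# fail, so the per-user record can be captured with $(...).
probe_user() {
    local name="$1" tries=0 start end
    start=$(date +%s)
    while [ "$tries" -lt "$MAX_TRIES" ]; do
        tries=$((tries + 1))
        if $LOOKUP_CMD "$name" >/dev/null 2>&1; then
            end=$(date +%s)
            echo "$name attempts=$tries seconds=$((end - start)) status=ok"
            return 0
        fi
        sleep "$RETRY_DELAY"
    done
    end=$(date +%s)
    echo "$name attempts=$tries seconds=$((end - start)) status=fail"
    return 1
}

# probe_all FILE
# Probes every non-empty line of FILE, echoes each per-user record and ends
# with a summary "total=T retried=R failed=F", where "retried" counts users
# that needed more than one attempt (the symptom being chased) and "failed"
# counts users never resolved within MAX_TRIES.
probe_all() {
    local total=0 retried=0 failed=0 line rec
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        total=$((total + 1))
        rec=$(probe_user "$line") || failed=$((failed + 1))
        echo "$rec"
        case "$rec" in
            *"attempts=1 "*) ;;
            *) retried=$((retried + 1)) ;;
        esac
    done < "$1"
    echo "total=$total retried=$retried failed=$failed"
}

# Usage on a client: ./probe_lookups.sh users.txt
# (optionally after an admin has expired the local cache with `sss_cache -E`).
if [ -n "${1:-}" ]; then
    probe_all "$1"
fi
```

Running this against the same list from the IPA server, the IPA client and the nslcd host gives three comparable "retried/failed" summaries, which is a quicker way to show the difference than reading sssd logs by hand; the per-user "seconds" column also makes the 8-20 second delay visible per name.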