Hello,

After a primary DNS server problem, I have realized that the IDM client has a timeout of 60 s for the login.

As the primary DNS was not working, the server used the secondary DNS, and it takes 4 s to resolve any name. As I use AD users, in the authentication phase all AD servers must be translated (9 servers), so it makes the authentication very slow and the timeout of 60 s is triggered. I have modified resolv.conf to make the transition to the second DNS server faster (resolving any name takes 2 s), and then authentication is done in 48 s, so it works.

But what I want to know is how to modify that 60 s timeout. I have checked the logs with debug_level = 9 and I don’t see the “timeout” log.

I have also changed (on the client side):

krb5_auth_timeout = 190
pam_id_timeout = 190

but it still has the timeout at 60 s.

The client is:

RHEL 6.10 (but I think the same happens on RHEL 7)
sssd-client-1.13.3-60.el6_10.2.x86_64
ipa-client-3.0.0-51.el6.x86_64

sssd.conf:

[domain/IPAdomain]
krb5_auth_timeout = 190
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = IPAdomain
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = CLIENT.domain.org
chpass_provider = ipa
ipa_server = _srv_, IPASERVER1, IPASERVER2
dns_discovery_domain = IPAdomain

[sssd]
config_file_version = 2
services = nss, sudo, pam, ssh
domains = IPAdomain
default_domain_suffix = AD.domain

[nss]
filter_groups = root
filter_users = root,iccsecure,tomcat,oracle
reconnection_retries = 3

[pam]
reconnection_retries = 3
pam_id_timeout = 190

[sudo]

[ssh]

On the Server side:

RHEL 7.6
sssd-1.16.2-13.el7_6.8.x86_64
ipa-server-4.6.4-10.el7_6.3.x86_64

sssd.conf:

[domain/IPAdomain]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = IPAdomain
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = IPASERVER1
chpass_provider = ipa
ipa_server = IPASERVER1
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
subdomain_homedir = %o

[sssd]
config_file_version = 2
services = nss, sudo, pam, ssh
domains = IPAdomain

[domain/IPAdomain/ADdomain]
ldap_search_base = ou=XXX,dc=XXXX,dc=XXXXX,dc=XXX

[nss]
filter_groups = root
filter_users = root, iccsecure, tomcat, oracle
reconnection_retries = 3
memcache_timeout = 600
homedir_substring = /home

[pam]
reconnection_retries = 3

[ssh]

[sudo]

I have attached the logs; the timeout is triggered at 12:21:50.

Thanks & Regards.