On Thu, Jan 07, 2021 at 09:23:26AM -0800, Suchismita Panda via FreeIPA-users wrote:
> Hi,
> The 'id' command and server login for an AD user are failing in some IPA
> clients joined to the server recently. For other clients, the 'id' command
> as well as server login for the AD user is working fine. For clients
> where AD login is working, we are also recently seeing some amount of
> slowness. Not sure what is causing these issues.
> I can see in the client sssd domain logs, it is able to pull around 20
> groups from the ipa master, but then it goes to timeout while getting
> membership of a group.
Hi,
thanks for your patience. According to the logs you have sent, the IPA
client is running into timeouts when trying to get user or group
information from an IPA server. I assume that the related information is
expired in the SSSD cache of the related IPA servers as well and has to
be refreshed before it can be sent to the client. If the user is a
member of many groups or if there are groups with many members this might
take some time and cause the timeout.
Which version of SSSD are you using on the IPA servers? I'm asking
because in recent versions it is possible to let SSSD refresh the cache
unconditionally also for users from trusted domains, see the
refresh_expired_interval entry in man sssd.conf for details.
Another option might be to set ignore_group_members as described e.g. in
https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-larg...
Finally you can also try to increase the ldap_search_timeout on the IPA
client to let the client wait longer for the reply from the server.
Although it will now wait longer for an individual server it might help
to speed up the overall lookup time. If the timeout is reached SSSD will
switch to a different server and send the same request. If the cache is
expired on the second server as well this server has to start the same
operations as the first and maybe the client will run into a timeout
again. Giving the first server more time to send the reply might avoid
the failover and the overall time might be shorter.
HTH
bye,
Sumit
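The three sssd.conf knobs Sumit names, sketched as an illustration added here (not a configuration from the thread); the domain name, the split between client and server files and the numeric values are assumptions:

```ini
# /etc/sssd/sssd.conf on an IPA *client* (illustrative values, not from the thread)
[domain/ipa.example.com]          ; assumed IPA domain name
id_provider = ipa
; Default is 6 seconds. Raising it gives one IPA server time to resolve a
; large group tree before the client fails over and repeats the same request
; on the next server, where the cache may be just as cold.
ldap_search_timeout = 30
; Optional: do not download group member lists. The user's own group list
; (what 'id' prints) is still resolved; only group-to-members enumeration
; is left empty.
ignore_group_members = True

# /etc/sssd/sssd.conf on the IPA *servers* (trust agents / controllers)
[domain/ipa.example.com]
id_provider = ipa
; Refresh expired user and group entries in the background every 10 minutes
; so client lookups are served from a warm cache instead of on demand.
; Per the thread, this covers trusted-domain users only on recent SSSD versions.
refresh_expired_interval = 600
```

After editing either file, restart sssd and check the domain log again to confirm the s2n lookups now complete inside the timeout.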
> Any help is appreciated.
> TIA
> Suchi.
On Mon, Jan 4, 2021 at 11:19 PM Sumit Bose via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
> On Mon, Jan 04, 2021 at 09:48:54AM -0800, Suchismita Panda via
> FreeIPA-users wrote:
> > Hi,
> >
> > Thanks for the reply.
> >
> > Yes the replica has been configured with AD Trust Agent. Any other
> pointer
> > would be really helpful.
>
> Hi,
>
> please add more log context, 's2n exop request failed.' might have
> different reasons, e.g. timeouts, object was not found, etc.
>
> Does the 'id' for an AD user command fail on all clients? In this case
> please check the output of the same 'id' command on the master or
> replica if all groups can be resolved. If there is a GID in the output
> without a matching group-name you should add a matching group so that
> all groups can be resolved.
>
> bye,
> Sumit
>
> >
> > Thanks
> > Suchi
> >
> > On Mon, Jan 4, 2021 at 12:47 AM Florence Blanc-Renaud via FreeIPA-users <
> > freeipa-users(a)lists.fedorahosted.org> wrote:
> >
> > > On 12/31/20 12:51 AM, Suchismita Panda via FreeIPA-users wrote:
> > > > Hi,
> > > >
> > > > We have a pair of FreeIPA servers (1 master and 1 replica)
> > > > Freeipa server version 4.6.8
> > > >
> > > > Recently when we are trying to enroll any new freeipa client to the
> > > > server, the installation goes successful, but AD user login does
> > > > not work. Even the client fails to retrieve AD user information
> using id
> > > > command. This works fine on the FreeIPA server.
> > > >
> > > Hi,
> > >
> > > Is the IdM replica configured as trust controller / trust agent or not
> > > configured with any trust role? If the replica is neither controller
> > > nor agent, this may explain the behavior that you are seeing. For more
> > > information please refer to the "Trust Controllers and Trust
Agents"
> > > chapter [1].
> > >
> > > HTH,
> > > flo
> > >
> > > [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
> > > > Freeipa local user login is working fine on the client.
> > > >
> > > > There are other FreeIPA clients, where the AD user login is working
> > > > fine. We generally use Ansible to join FreeIPA. So the installation
> > > > process is also the same for all servers. Not sure why, recently it
> does
> > > > not work. Any advice would be really helpful.
> > > >
> > > > Freeipa client version 4.8.6
> > > >
> > > > In the logs mostly I am seeing below error -
> > > >
> > > > [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
> > > >
> > > > Thanks
> > > > Suchi
> > > >
> > > > _______________________________________________
> > > > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > > > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> > > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...