Hello,
I'm unable to ssh as an AD user to a FreeIPA client. I am, however, able to ssh as an AD user to a FreeIPA server. I can also ssh to a FreeIPA client AND server using a FreeIPA account. Our IPA domain (ipa.subdomain.contoso.com) is set up with a one-way trust with ad.contoso.com. Our AD is on the larger side, with 400,000+ user accounts.

An ldbsearch on the client cache file returns 42 records; the same search on the server cache returns 113551 records. Searching for a specific user:

ldbsearch -H /var/lib/sss/db/cache_ipa.subdomain.contoso.com.ldb '(name=heidi-ad@ad.contoso.com)'

returns zero records on the FreeIPA client and 1 record on the FreeIPA server.

Dig commands (dig -t SRV _ldap._tcp.ipa.subdomain.contoso.com and dig -t SRV _ldap._tcp.ad.contoso.com) also return the expected results.
Server sssd.conf:
https://privatebin.net/?42cff7bd431068d7#FmeM5p3R88U9oQd98UvoaVHZ3PzeZTGv...

Client sssd.conf:
https://privatebin.net/?d4f20faca95236f4#D8WtjwDMaAB932W66YMgW5HtXkdfez1H...
I'm not sure what to key in on in the SSSD logs to identify what's going wrong here and how to resolve it. I've attempted to fiddle with multiple timeout settings, but haven't identified the right ones. I do see SSSD is reported as offline, and this very much feels like a communication issue. I have uploaded sanitized SSSD logs from rl9-ipa-client1.in.subdomain.contoso.com and freeipa2.ipa.subdomain.contoso.com for a failed login attempt at the following:
https://privatebin.net/?1028b6754421174b#DDDuthsRbLjxt4rS1mr263MmJ2qjhLgL...
Thanks,
Heidi
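As an added example (not from this thread or the SSSD project), one way to key in on the offline/online transitions, failed-server markers and timeouts in an SSSD domain log (sssd_<domain>.log). The log lines are constructed samples in the SSSD domain-log layout, reusing the hostnames from the post; the exact message texts matched are assumptions about what the backend emits.

```python
import re
from collections import Counter

# Accepts the SSSD 2.x layout "(ts): [be[dom]] [func] (0xNN): msg" and the
# older "(ts) [sssd[be[dom]]] [func] (0xNN): msg" layout.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\):?\s+.*?\[(?P<func>\w+)\]\s+\((?P<level>0x[0-9a-fA-F]+)\):\s+(?P<msg>.*)$"
)
# Failover marking a server/port as unusable (message text is an assumption).
SERVER_RE = re.compile(r"Marking port (?P<port>\d+) of server '(?P<server>[^']+)' as 'not working'")

# Constructed sample log, not the poster's sanitized logs.
SAMPLE_LOG = """\
(2024-03-12 09:15:01): [be[ipa.subdomain.contoso.com]] [be_resolve_server_process] (0x0200): Found server 'freeipa2.ipa.subdomain.contoso.com' for service 'IPA'
(2024-03-12 09:15:07): [be[ipa.subdomain.contoso.com]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (110 [Connection timed out])
(2024-03-12 09:15:07): [be[ipa.subdomain.contoso.com]] [be_mark_offline] (0x2000): Going offline!
(2024-03-12 09:15:07): [be[ipa.subdomain.contoso.com]] [fo_set_port_status] (0x0100): Marking port 389 of server 'freeipa2.ipa.subdomain.contoso.com' as 'not working'
(2024-03-12 09:15:09): [be[ipa.subdomain.contoso.com]] [ipa_subdomain_account_send] (0x0080): Domain is offline, returning cached data
(2024-03-12 09:16:12): [be[ipa.subdomain.contoso.com]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
"""

def triage(log_text):
    """Collect offline/online transitions, servers marked not working, and timeouts."""
    report = {"offline": [], "online": [], "not_working": Counter(), "timeouts": [], "unparsed": 0}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            if line.strip():
                report["unparsed"] += 1  # lines in an unexpected layout, worth a manual look
            continue
        ts, func, msg = m.group("ts"), m.group("func"), m.group("msg")
        low = msg.lower()
        if "going offline" in low:
            report["offline"].append((ts, func, msg))  # who triggered the transition
        elif "going online" in low:
            report["online"].append((ts, func))
        if "timed out" in low:
            report["timeouts"].append((ts, func))
        s = SERVER_RE.search(msg)
        if s:
            report["not_working"][f"{s.group('server')}:{s.group('port')}"] += 1
    return report

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for key in ("offline", "online", "timeouts"):
        print(f"{key}: {len(r[key])}")
        for entry in r[key]:
            print("   ", *entry)
    print("servers marked not working:", dict(r["not_working"]))
    print("unparsed lines:", r["unparsed"])
```

Run it against the client's sssd_ipa.subdomain.contoso.com.log instead of SAMPLE_LOG to see which server and which function first pushed the backend offline, and how long it stayed there before the next "Going online".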