Thank you Alexander, that was the root cause. I added optimizations to my setup that you
together with Jakub described in this article:
https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-larg...
and things started working on the client side.
There is one small glitch though. Upon a first getent passwd for a new user (one that I
didn't issue getent for before) executed on a client, it most likely still times out. I can
see that there is some communication going on on the FreeIPA servers (judging by the log file
/var/log/sssd/sssd_ipa.domain.log). The getent command times out, but entries in the log file
keep on being added. When the log entries stop being added and I issue the
same getent command, it succeeds.
Could you please point me to the timeout parameter that would allow me to fix this, if there
is any?
For reference, I am pasting my client/server sssd configs:
server:
[domain/ipa.domain]
debug_level = 9
id_provider = ipa
ipa_server_mode = True
ipa_server = ipa-server.ipa.domain
ipa_domain = ipa.domain
ipa_hostname = ipa-server.ipa.domain
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
enumerate = False
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = True
ldap_purge_cache_timeout = 0
[sssd]
services = nss, pam, ifp, ssh, sudo
ignore_group_members=True
domains = ipa.domain
enumerate = False
ldap_use_tokengroups = false
[nss]
homedir_substring = /home
memcache_timeout = 600
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[secrets]
[session_recording]
----
client:
[domain/ipa.domain]
enumerate = False
debug_level=9
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.domain
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa-client-centos6.shec.hrs.cc
chpass_provider = ipa
ipa_server = ipa-server.ipa.domain
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_auth_timeout = 3600
[sssd]
services = nss, sudo, pam, ssh
domains = ipa.domain
[nss]
homedir_substring = /home
[pam]
pam_id_timeout = 3600
[sudo]
[autofs]
[ssh]
[pac]
[ifp]