On Thu, Jun 07, 2018 at 03:48:16PM -0000, Bart via FreeIPA-users wrote:
> Thank you Alexander, that was the root cause. I added optimizations
> to my setup that you together with Jakub described in this article:
> https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-larg...
> and things started working on the client side.
This still points to a performance-like issue. From some related
customer cases I've been working on lately I remember that increasing
the negative timeout (entry_negative_timeout, set this to minutes or
even hours) and also the cache_first=true options made a difference.
There's a tradeoff though with these options, please see the man pages.
> There is one small glitch though. Upon a first getent passwd for a new user (one that I
> didn't issue getent for before) executed on a client, it most likely still times out. I can
> see that there is some communication on FreeIPA servers going on (judging by the log file
> /var/log/sssd/sssd_ipa.domain.log). The getent command times out but entries in the log file
> keep on being added. When the log entries stop being added and I issue the
> same getent command, then it succeeds.
> Could you please point me to the timeout parameter that would allow me to fix this, if there
> is any?
> For reference I paste my client/server sssd configs:
> server:
> [domain/ipa.domain]
> debug_level = 9
> id_provider = ipa
> ipa_server_mode = True
> ipa_server = ipa-server.ipa.domain
> ipa_domain = ipa.domain
> ipa_hostname = ipa-server.ipa.domain
> auth_provider = ipa
> chpass_provider = ipa
> access_provider = ipa
> cache_credentials = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> krb5_store_password_if_offline = True
> enumerate = False
> subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
> ignore_group_members = True
> ldap_purge_cache_timeout = 0
> [sssd]
> services = nss, pam, ifp, ssh, sudo
> ignore_group_members=True
> domains = ipa.domain
> enumerate = False
> ldap_use_tokengroups = false
Please don't disable tokengroups unless you have a verified reason to do
so (this is just a general warning, I'm not even sure if disabling
tokengroups in the main domain section would disable them for the AD
subdomain).
> [nss]
> homedir_substring = /home
> memcache_timeout = 600
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
>
> [secrets]
>
> [session_recording]
>
> ----
> client:
>
> [domain/ipa.domain]
> enumerate = False
> debug_level=9
> cache_credentials = True
> krb5_store_password_if_offline = True
>
> ipa_domain = ipa.domain
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipa-client-centos6.shec.hrs.cc
> chpass_provider = ipa
> ipa_server = ipa-server.ipa.domain
> ldap_tls_cacert = /etc/ipa/ca.crt
> krb5_auth_timeout = 3600
> [sssd]
> services = nss, sudo, pam, ssh
>
> domains = ipa.domain
> [nss]
> homedir_substring = /home
>
> [pam]
> pam_id_timeout = 3600
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org