You are correct, debugging was only specified in the [domain/...] section. I have enabled it
for nss and gathered logs again. The client and server times are indeed in sync.
I initiated my login attempt at approximately 10:16:30. At approximately 10:17:10 I was
presented with a prompt to enter my password. After entering my password I was again
presented with a password prompt. After entering it multiple times with no success I waited
and eventually the connection attempt timed out.
Server logs for this attempt:
https://privatebin.net/?74adb14729c459fc#EhqWm6x2LVgfnL7iAmLZDFh3TtXpwgsH...
Client logs for this attempt:
https://privatebin.net/?1d3532466812bef2#C6ECF2RnRMEXVi7HGLd8iYvhoSmEw2uR...
It seems like a considerable amount of time is spent searching the AD groups a user is a
member of. For testing purposes, an AD account was created that is not a member of any
groups. This user was able to successfully log in. What additional steps should be taken
to account for ADs where users are members of many groups? To add to the complexity,
many of these groups are nested.
I've reviewed this document (https://access.redhat.com/articles/2133801) and spent
time adjusting parameters with little success.
The sssd.conf on both client and server include the following in the [domain/...]
section:
subdomain_inherit = ignore_group_members
ignore_group_members = True
Should these be placed somewhere else instead? Are there other options that should be set
to account for large numbers of nested AD groups?
Thank you
Heidi