On Wed, Dec 13, 2023 at 11:49:00PM +0000, Ostrom, Erik via FreeIPA-users wrote:
Hi,
I'm having some issues ssh'ing as an AD user to a FreeIPA client, but I can
successfully ssh as the same user to the IPA master.
Our IPA domain, ipa.subdomain.contoso.com, is set up with a one-way trust with
ad.contoso.com (IPA trusts AD's users). I have the standard "allow all" HBAC rule
in place on FreeIPA for testing purposes.
ad.contoso.com is a relatively huge AD, with over 400,000 user accounts.
ssh erik-ipa@freeipa1.ipa.subdomain.contoso.com --- (IPA user to FreeIPA master), works
ssh erik-ad@ad.contoso.com@freeipa1.ipa.subdomain.contoso.com --- (AD user to FreeIPA master), works
ssh erik-ipa@rl9-ipa-client1.in.subdomain.contoso.com --- (IPA user to FreeIPA client), works
ssh erik-ad@ad.contoso.com@rl9-ipa-client1.in.subdomain.contoso.com --- (AD user to FreeIPA client), doesn't work
I'm not sure what to look at in the SSSD logs to see what's going wrong here. I
have uploaded sanitized SSSD logs from rl9-ipa-client1.in.subdomain.contoso.com for a
failed login attempt (listed above as not working) at the following
link: https://privatebin.net/?55e82c73463ae145#A59jSajU1ZwEwr3nEKhPqsT8Um4...
Hi,
according to the logs, the IPA server needs too much time to prepare the
data of the AD user which the client requested.
(2023-12-12 16:31:13): [be[ipa.subdomain.contoso.com]] [ipa_s2n_get_acct_info_send]
(0x0400): [RID#229] Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [erik-ad]
to IPA server
(2023-12-12 16:31:13): [be[ipa.subdomain.contoso.com]] [ipa_s2n_exop_send] (0x0400):
[RID#229] Executing extended operation
(2023-12-12 16:31:13): [be[ipa.subdomain.contoso.com]] [ipa_s2n_exop_send] (0x2000):
[RID#229] ldap_extended_operation sent, msgid = 41
(2023-12-12 16:31:13): [be[ipa.subdomain.contoso.com]] [sdap_op_add] (0x2000): [RID#229]
New operation 41 timeout 6
(2023-12-12 16:31:13): [be[ipa.subdomain.contoso.com]] [sdap_process_result] (0x2000):
Trace: sh[0x55e456f262f0], connected[1], ops[0x55e456efac80], ldap[0x55e455ed5310]
(2023-12-12 16:31:13): [be[ipa.subdomain.contoso.com]] [sdap_process_result] (0x2000):
Trace: end of ldap_result list
(2023-12-12 16:31:19): [be[ipa.subdomain.contoso.com]] [sdap_op_timeout] (0x1000):
[RID#229] Issuing timeout [ldap_opt_timeout] for message id 41
Typically this means that the server has to refresh some or all cached
data of the user, which in this case will include all group-memberships
and for some technical reasons this means refreshing all related
expired groups and their members.
At least for the group members this can be sped up by setting
ignore_group_members = True
subdomain_inherit = ignore_group_members
in the [domain/...] section on IPA servers and clients.
Another option is to set
refresh_expired_interval = 4000
in the [domain/...] sections on the IPA servers to make sure that SSSD
will try every 4000s to refresh cached entries which are about to
expire. As a result the IPA servers should always be able to reply to
requests from IPA clients with cached data without the need to refresh it.
HTH
bye,
Sumit
If anyone can tell what my issue is here, or if other logs would be helpful let me know.
I appreciate the help!
Thanks,
Erik
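Added example, not part of the original thread: a small script that finds the pattern Sumit points at in the client's SSSD domain log (an s2n request whose LDAP extended operation hits ldap_opt_timeout before the IPA server answers). The embedded log is constructed from the excerpt quoted above, joined back into single lines; the function name find_s2n_timeouts is an assumption, and timestamps are taken at second resolution as SSSD prints them.

```python
import re
from datetime import datetime

# Constructed sample: the four relevant lines from the quoted excerpt, each on one line.
LOG = """\
(2023-12-12 16:31:13): [be[ipa.subdomain.contoso.com]] [ipa_s2n_get_acct_info_send] (0x0400): [RID#229] Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [erik-ad] to IPA server
(2023-12-12 16:31:13): [be[ipa.subdomain.contoso.com]] [ipa_s2n_exop_send] (0x2000): [RID#229] ldap_extended_operation sent, msgid = 41
(2023-12-12 16:31:13): [be[ipa.subdomain.contoso.com]] [sdap_op_add] (0x2000): [RID#229] New operation 41 timeout 6
(2023-12-12 16:31:19): [be[ipa.subdomain.contoso.com]] [sdap_op_timeout] (0x1000): [RID#229] Issuing timeout [ldap_opt_timeout] for message id 41
"""

TS = r"\((\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\):"  # leading "(YYYY-MM-DD HH:MM:SS):"
RE_REQ = re.compile(TS + r".*\[RID#(\d+)\] Sending request_type: \[(\w+)\] for trust user \[([^\]]+)\]")
RE_SENT = re.compile(TS + r".*\[RID#(\d+)\] ldap_extended_operation sent, msgid = (\d+)")
RE_ADD = re.compile(TS + r".*\[RID#(\d+)\] New operation (\d+) timeout (\d+)")
RE_TO = re.compile(TS + r".*\[RID#(\d+)\] Issuing timeout \[ldap_opt_timeout\] for message id (\d+)")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_s2n_timeouts(text):
    """Correlate s2n requests with LDAP msgids and return one dict per timed-out request."""
    requests = {}  # RID -> which trust user / request type this request is for
    ops = {}       # (RID, msgid) -> when the exop was sent and its configured timeout
    found = []
    for line in text.splitlines():
        if m := RE_REQ.match(line):
            requests[m[2]] = {"type": m[3], "user": m[4]}
        elif m := RE_SENT.match(line):
            ops.setdefault((m[2], m[3]), {})["sent"] = parse_ts(m[1])
        elif m := RE_ADD.match(line):
            ops.setdefault((m[2], m[3]), {})["timeout"] = int(m[4])
        elif m := RE_TO.match(line):
            op = ops.get((m[2], m[3]), {})
            req = requests.get(m[2], {})
            elapsed = (parse_ts(m[1]) - op["sent"]).total_seconds() if "sent" in op else None
            found.append({"rid": m[2], "msgid": m[3], "user": req.get("user"),
                          "request_type": req.get("type"),
                          "timeout_s": op.get("timeout"), "elapsed_s": elapsed})
    return found


if __name__ == "__main__":
    for hit in find_s2n_timeouts(LOG):
        print(f"RID#{hit['rid']}: {hit['request_type']} for [{hit['user']}] timed out "
              f"after {hit['elapsed_s']}s (ldap_opt_timeout={hit['timeout_s']}s, msgid {hit['msgid']})")
```

Run it against the full sssd_<domain>.log from the client (with debug_level high enough to include the 0x2000 lines); a hit for REQ_FULL_WITH_MEMBERS is the case the two configuration options in the reply address.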
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue