On Wed, Dec 13, 2023 at 11:49:00PM +0000, Ostrom, Erik via FreeIPA-users wrote:
Hi,
I'm having some issues ssh'ing as an AD user to a freeipa client, but I can successfully ssh as the same user to the IPA master. Our IPA domain, ipa.subdomain.contoso.com, is set up with a one-way trust with ad.contoso.com (IPA trusts ADs users). I have the standard "allow all" HBAC rule in place on FreeIPA for testing purposes. ad.contoso.com is a relatively huge AD, with over 400,000 user accounts.
ssh erik-ipa@freeipa1.ipa.subdomain.contoso.com --- (IPA user to FreeIPA master), works
ssh erik-ad@ad.contoso.com@freeipa1.ipa.subdomain.contoso.com --- (AD user to FreeIPA master), works
ssh erik-ipa@rl9-ipa-client1.in.subdomain.contoso.com --- (IPA user to FreeIPA client), works
ssh erik-ad@ad.contoso.com@rl9-ipa-client1.in.subdomain.contoso.com --- (AD user to FreeIPA client), doesn't work
I'm not sure what to look at in the SSSD logs to see what's going wrong here. I have uploaded sanitized SSSD logs from rl9-ipa-client1.in.subdomain.contoso.com for a failed login attempt (listed above as not working) at the following link: https://privatebin.net/?55e82c73463ae145#A59jSajU1ZwEwr3nEKhPqsT8Um4QXqHhQ2d...
Hi,
according to the logs, the IPA server needs too much time to prepare the data of the AD user which the client requested.
(2023-12-12 16:31:13): [be[ipa.subdomain.contoso.com]] [ipa_s2n_get_acct_info_send] (0x0400): [RID#229] Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [erik-ad] to IPA server
(2023-12-12 16:31:13): [be[ipa.subdomain.contoso.com]] [ipa_s2n_exop_send] (0x0400): [RID#229] Executing extended operation
(2023-12-12 16:31:13): [be[ipa.subdomain.contoso.com]] [ipa_s2n_exop_send] (0x2000): [RID#229] ldap_extended_operation sent, msgid = 41
(2023-12-12 16:31:13): [be[ipa.subdomain.contoso.com]] [sdap_op_add] (0x2000): [RID#229] New operation 41 timeout 6
(2023-12-12 16:31:13): [be[ipa.subdomain.contoso.com]] [sdap_process_result] (0x2000): Trace: sh[0x55e456f262f0], connected[1], ops[0x55e456efac80], ldap[0x55e455ed5310]
(2023-12-12 16:31:13): [be[ipa.subdomain.contoso.com]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(2023-12-12 16:31:19): [be[ipa.subdomain.contoso.com]] [sdap_op_timeout] (0x1000): [RID#229] Issuing timeout [ldap_opt_timeout] for message id 41
Typically this means that the server has to refresh some or all cached data of the user, which in this case will include all group-memberships and for some technical reasons this means refreshing all related expired groups and their members.
At least for the group members this can be sped up by setting
ignore_group_members = True
subdomain_inherit = ignore_group_members
in the [domain/...] section on IPA servers and clients.
Another option is to set
refresh_expired_interval = 4000
in the [domain/...] sections on the IPA servers to make sure that SSSD will try every 4000s to refresh cached entries which are about to expire. As a result the IPA servers should be able to always reply to requests from IPA clients with cached data without the need to refresh it.
HTH
bye, Sumit
If anyone can tell what my issue is here, or if other logs would be helpful let me know. I appreciate the help!
Thanks, Erik
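To make the diagnosis Sumit did by hand repeatable on a full domain log (sssd_<domain>.log captured at a debug level that includes the 0x2000 lines shown above), here is an added Python script that is not part of the thread or of SSSD: it correlates each s2n request's RID with its LDAP msgid, the ldap_opt_timeout budget from sdap_op_add, and whether sdap_op_timeout fired before the reply arrived. The embedded sample log is constructed from the excerpt above, and the wording of the ipa_s2n_exop_done success line is an assumption.

```python
import re
from datetime import datetime

# Constructed sample SSSD domain-log lines modelled on the excerpt quoted in this
# thread; the wording of the ipa_s2n_exop_done line is an assumption.
SAMPLE_LOG = """\
(2023-12-12 16:31:13): [be[ipa.subdomain.contoso.com]] [ipa_s2n_get_acct_info_send] (0x0400): [RID#229] Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [erik-ad] to IPA server
(2023-12-12 16:31:13): [be[ipa.subdomain.contoso.com]] [ipa_s2n_exop_send] (0x2000): [RID#229] ldap_extended_operation sent, msgid = 41
(2023-12-12 16:31:13): [be[ipa.subdomain.contoso.com]] [sdap_op_add] (0x2000): [RID#229] New operation 41 timeout 6
(2023-12-12 16:31:19): [be[ipa.subdomain.contoso.com]] [sdap_op_timeout] (0x1000): [RID#229] Issuing timeout [ldap_opt_timeout] for message id 41
(2023-12-12 16:32:02): [be[ipa.subdomain.contoso.com]] [ipa_s2n_get_acct_info_send] (0x0400): [RID#230] Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [erik-ad] to IPA server
(2023-12-12 16:32:02): [be[ipa.subdomain.contoso.com]] [ipa_s2n_exop_send] (0x2000): [RID#230] ldap_extended_operation sent, msgid = 57
(2023-12-12 16:32:02): [be[ipa.subdomain.contoso.com]] [sdap_op_add] (0x2000): [RID#230] New operation 57 timeout 6
(2023-12-12 16:32:03): [be[ipa.subdomain.contoso.com]] [ipa_s2n_exop_done] (0x0400): [RID#230] ldap_extended_operation result: Success(0), (null).
"""

# One SSSD debug line: (timestamp): [be[domain]] [function] (level): [RID#n] message
LINE_RE = re.compile(
    r"^\((?P<ts>[\d-]+ [\d:]+)\): \[be\[[^\]]+\]\] \[(?P<func>\w+)\] \(0x[0-9a-f]+\): "
    r"(?:\[RID#(?P<rid>\d+)\] )?(?P<msg>.*)$"
)

def analyse_s2n(log_text):
    """Correlate each s2n request (keyed by RID) with its LDAP msgid, timeout budget and outcome."""
    reqs = {}          # rid -> record describing the request
    msgid_to_rid = {}  # LDAP message id -> rid that issued it
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, func, rid, msg = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["func"], m["rid"], m["msg"]
        if func == "ipa_s2n_get_acct_info_send" and (u := re.search(r"request_type: \[(\w+)\] for trust user \[([^\]]+)\]", msg)):
            reqs[rid] = {"rid": rid, "user": u.group(2), "request_type": u.group(1), "start": ts,
                         "timeout_s": None, "outcome": "pending", "elapsed_s": None}
        elif func == "ipa_s2n_exop_send" and (u := re.search(r"msgid = (\d+)", msg)):
            msgid_to_rid[u.group(1)] = rid
        elif func == "sdap_op_add" and (u := re.search(r"New operation (\d+) timeout (\d+)", msg)):
            if (r := reqs.get(msgid_to_rid.get(u.group(1)))):
                r["timeout_s"] = int(u.group(2))  # ldap_opt_timeout the IPA server must beat
        elif func == "sdap_op_timeout" and (u := re.search(r"message id (\d+)", msg)):
            if (r := reqs.get(msgid_to_rid.get(u.group(1)))) and r["outcome"] == "pending":
                r["outcome"], r["elapsed_s"] = "timeout", int((ts - r["start"]).total_seconds())
        elif func == "ipa_s2n_exop_done":
            if (r := reqs.get(rid)) and r["outcome"] == "pending":
                r["outcome"], r["elapsed_s"] = ("ok" if "Success" in msg else "error"), int((ts - r["start"]).total_seconds())
    return list(reqs.values())

def timed_out_users(log_text):
    # Trust users whose lookup hit ldap_opt_timeout: the case the config changes above target
    return sorted({r["user"] for r in analyse_s2n(log_text) if r["outcome"] == "timeout"})
```

Feed it the client's domain log after applying the ignore_group_members and refresh_expired_interval changes: if elapsed_s for REQ_FULL_WITH_MEMBERS requests stays below timeout_s, the server is answering from cache as intended.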
Hello
We have made the recommended changes by updating
ignore_group_members = True
subdomain_inherit = ignore_group_members
in the [domain/...] section on IPA servers and clients, and updated
refresh_expired_interval = 4000
Unfortunately we are still unable to log in to IPA clients using AD user accounts.
Sanitized logs from the FreeIPA client are available here: https://privatebin.net/?92fe7e1e98968463#BVdn5hR2L5gkt3ryfvvzygWDhs2DsAYkA5y...
I see frequent entries indicating SSSD is offline, however when I view the status it appears to be online.
Heidi