Hello,
After a primary DNS server problem, I have realized that the IDM client has a timeout of
60 s for the login.
As the primary DNS was not working, the server used the secondary DNS and it takes 4s to
resolve any name. As I use AD users, in the authentication phase all AD servers must be
translated (9 servers), so it makes the authentication very slow and the timeout of 60 s is
triggered. I have modified the resolv.conf to make the transition to the second DNS server
faster (resolving any name takes 2s), and then authentication is done in 48s, so it works.
But what I want to know is how to modify those 60s of timeout. I have checked the logs
with debug_level = 9 and I don't see the "timeout" log.
I have also changed (on client side):
krb5_auth_timeout = 190
pam_id_timeout = 190
but it still has the timeout at 60s.
The client is:
RHEL 6.10 (but I think it happens the same on RHEL 7)
sssd-client-1.13.3-60.el6_10.2.x86_64
ipa-client-3.0.0-51.el6.x86_64
sssd.conf:
[domain/IPAdomain]
krb5_auth_timeout = 190
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = IPAdomain
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = CLIENT.domain.org
chpass_provider = ipa
ipa_server = _srv_, IPASERVER1, IPASERVER2
dns_discovery_domain = IPAdomain
[sssd]
config_file_version = 2
services = nss, sudo, pam, ssh
domains = IPAdomain
default_domain_suffix = AD.domain
[nss]
filter_groups = root
filter_users = root,iccsecure,tomcat,oracle
reconnection_retries = 3
[pam]
reconnection_retries = 3
pam_id_timeout = 190
[sudo]
[ssh]
On the Server side:
RHEL 7.6
sssd-1.16.2-13.el7_6.8.x86_64
ipa-server-4.6.4-10.el7_6.3.x86_64
sssd.conf:
[domain/IPAdomain]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = IPAdomain
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = IPASERVER1
chpass_provider = ipa
ipa_server = IPASERVER1
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
subdomain_homedir = %o
[sssd]
config_file_version = 2
services = nss, sudo, pam, ssh
domains = IPAdomain
[domain/IPAdomain/ADdomain]
ldap_search_base = ou=XXX,dc=XXXX,dc=XXXXX,dc=XXX
[nss]
filter_groups = root
filter_users = root, iccsecure, tomcat, oracle
reconnection_retries = 3
memcache_timeout = 600
homedir_substring = /home
[pam]
reconnection_retries = 3
[ssh]
[sudo]
I have attached the logs; the timeout is triggered at 12:21:50.
Thanks & Regards.