I've been having difficulties connecting a freeipa-client on Ubuntu 16.04 LTS to a Red Hat IPA server that has a trusted connection to a Microsoft AD server.
SSH authentications are pretty slow; however, once I do get on, I find sudo commands often do not work for several minutes, saying I am "not in the sudoers file". This is even though I am in the same group in the access.conf file and the sudoers file.
I think the initial slowness is due to the fact that our AD system has lots of groups and I am part of many large groups with many users. I've been checking the SSSD cache file, and I can see that SSH authentication does not even start until almost all groups I am a member of have been added to the cache. However, that does not explain why sudo is being delayed, as the groups are already cached.
Has anyone got any advice about setting up a freeipa-client on Ubuntu to connect to a Red Hat IPA server?
Has anyone else experienced difficulties with sudo commands?
Group membership does not always list all the groups a person is a member of (id <username>).
*IPA Client.*
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.3 LTS"
# dpkg --list | grep freeipa
ii  freeipa-client  4.3.1-0ubuntu1  amd64  FreeIPA centralized identity framework -- client
ii  freeipa-common  4.3.1-0ubuntu1  all    FreeIPA centralized identity framework -- common files
*IPA Server*
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.4 (Maipo)
# rpm -qa | grep "ipa-"
sssd-ipa-1.15.2-50.el7_4.6.x86_64
ipa-common-4.5.0-21.el7_4.2.2.noarch
ipa-server-4.5.0-21.el7_4.2.2.x86_64
ipa-client-common-4.5.0-21.el7_4.2.2.noarch
ipa-client-4.5.0-21.el7_4.2.2.x86_64
ipa-server-common-4.5.0-21.el7_4.2.2.noarch
ipa-server-trust-ad-4.5.0-21.el7_4.2.2.x86_64
Regards Tony D
Ubuntu 16.04 has broken sudo as of now; try installing sudo directly from the sudo website (there is a deb compatible with Ubuntu 16.04):
https://www.sudo.ws/download.html#binary
On 15.12.2017 at 05:16, Tony Delov via FreeIPA-users wrote:
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Hi,
How much RAM does the FreeIPA server have?
Thanks
On Friday, 15 December 2017, 04:17:52 GMT, Tony Delov via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
On Fri, Dec 15, 2017 at 03:16:29PM +1100, Tony Delov via FreeIPA-users wrote:
I think this might be due to sudo running a PAM transaction and therefore SSSD preferring to be precise over fast and updating the groups again.
There will be some performance enhancements coming in 7.5, but in the meantime, I wonder if the hints at: https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-i... would help?
Alternatively, some users restrict the groups they are a member of with the help of: https://docs.pagure.org/SSSD.sssd/design_pages/subdomain_configuration.html#...
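As an added illustration (not posted by anyone in this thread), this is what the client-side tuning that the last reply points at looks like in /etc/sssd/sssd.conf on the Ubuntu IPA client. The domain name, server names, hostname and the 60-second value are placeholders; the provider lines are the kind ipa-client-install writes and should be kept as they are on the real host, with only the commented options added. Whether these options are the right fix for this particular deployment is an assumption; check each against the sssd.conf(5) and sssd-ldap(5) man pages of the installed SSSD version before relying on it.

```ini
# /etc/sssd/sssd.conf on the IPA client (added example, placeholder names)
[sssd]
services = nss, pam, ssh, sudo
domains = ipa.example.com

[domain/ipa.example.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = ipa.example.com
ipa_server = _srv_, ipa1.ipa.example.com
ipa_hostname = client.ipa.example.com
cache_credentials = True

# Do not download the member list of every group the user belongs to.
# The user's own group list (initgroups, what "id <user>" shows) is
# still resolved, so "%group" rules in sudoers and access.conf match.
ignore_group_members = True
# Trusted AD domains are configured automatically from the IPA server;
# this makes them inherit the option above.
subdomain_inherit = ignore_group_members

[pam]
# SSSD refreshes the user's identity for every PAM request while online,
# and one sudo run issues several (account, session). Cache the result
# for this many seconds per client application so a single sudo does not
# refresh the group list more than once (the default is 5).
pam_id_timeout = 60
```

After editing, run `sss_cache -E` and restart sssd, then time `id <username>` and a `sudo -l` before and after. The caveat a practitioner should be aware of: with ignore_group_members set, `getent group <AD group>` returns no member list, so any tool that authorizes by enumerating a group's members rather than by looking up the user's own groups will see an empty group.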