Hello,
I've successfully set up sssd on our systems to connect to our Microsoft AD with ldap authentication, now I want to use kerberos instead, and I have of course run into some problems :)
To start with, I'm not too familiar with kerberos so go easy on me here.
I've successfully created a machine account in AD (with msktutil, also got it working with samba/net join) and obtained a kerberos keytab. A user can obtain a ticket by running 'kinit foouser', thereafter he/she can run for example 'ldapsearch -b 'ou=xx,dc=xx,dc=xx,dc=xx' -Omaxssf=0 "(&(objectclass=user)(cn=xx))" uid' successfully.
Here's my question (maybe this rather should be on a kerberos mailing list, or maybe I should read a book, however it's easiest to ask here :)): Is the keytab used by sssd to authenticate to the kdc, is this even how it works? Since sssd is run by root and root has no ticket, I figured it would work that way, but maybe I'm mistaken, maybe it's supposed to work in some other way?
Here's the krb5 part of the sssd.conf
auth_provider = krb5
krb5_kdcip = 123.123.123.123
krb5_realm = foo
krb5_changepw_principle = kadmin/changepw
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
krb5_keytab = /etc/krb5.keytab
When I start sssd with -d10 I can't really see many messages about the kerberos authentication, whether it fails or not, however I can see 'Search result: Operations error(1), 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece' which suggests that I cannot bind to ldap, right?
Any suggestions where to go from here?
Best regards, Patrik Martinsson, Sweden.
On 08/02/2010 10:06 AM, Patrik Martinsson wrote:
> Hello,
> I've successfully set up sssd on our systems to connect to our Microsoft AD with ldap authentication, now I want to use kerberos instead, and I have of course run into some problems :)
> To start with, I'm not too familiar with kerberos so go easy on me here.
> I've successfully created a machine account in AD (with msktutil, also got it working with samba/net join) and obtained a kerberos keytab. A user can obtain a ticket by running 'kinit foouser', thereafter he/she can run for example 'ldapsearch -b 'ou=xx,dc=xx,dc=xx,dc=xx' -Omaxssf=0 "(&(objectclass=user)(cn=xx))" uid' successfully.
> Here's my question (maybe this rather should be on a kerberos mailing list, or maybe I should read a book, however it's easiest to ask here :)): Is the keytab used by sssd to authenticate to the kdc, is this even how it works? Since sssd is run by root and root has no ticket, I figured it would work that way, but maybe I'm mistaken, maybe it's supposed to work in some other way?

SSSD does not authenticate against a KDC. We can validate the TGT with a host keytab, however (this proves that the response came from a real KDC). This would be done by setting:
krb5_keytab = /etc/krb5.keytab
krb5_validate = True
That said, I think this is irrelevant to the issue at hand.

> Here's the krb5 part of the sssd.conf
> auth_provider = krb5
> krb5_kdcip = 123.123.123.123
> krb5_realm = foo
> krb5_changepw_principle = kadmin/changepw
> krb5_ccachedir = /tmp
> krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
> krb5_auth_timeout = 15
> krb5_keytab = /etc/krb5.keytab
> When I start sssd with -d10 I can't really see many messages about the kerberos authentication, whether it fails or not,

Instead of starting with -d10, start with --debug-to-files and look in /var/log/sssd. Kerberos authentication errors will appear in /var/log/sssd/krb5_child.log and all other errors for this domain should appear in /var/log/sssd/sssd_<domain>.log

> however I can see
> 'Search result: Operations error(1), 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece' which suggests that I cannot bind to ldap, right?

Would you mind including the LDAP portion of your sssd.conf? This issue seems to be with LDAP, not Kerberos.

> Any suggestions where to go from here?
> Best regards, Patrik Martinsson, Sweden.
> sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel

-- Stephen Gallagher RHCE 804006346421761
Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/
Ok, thanks for quick reply.
Changed to sssd --debug-to-files instead. Barely anything shows up in those logs if I don't use it with the -d10 option. Even though -d10 is used, nothing is printed to the krb5_child.log, so I guess maybe the kerberos part is ok.
Here's the ldap part
ldap_uri = ldaps://xx:636
ldap_schema = rfc2307bis

ldap_search_base = DC=xx,DC=xxxx,DC=xx
ldap_user_search_scope = sub
ldap_user_search_base = ou=People,dc=xx,dc=xx,dc=xx
ldap_group_search_base = ou=Groups,dc=xx,dc=xx,dc=xx

ldap_user_object_class = person
ldap_user_name = cn
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = msSFUHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_user_gecos = mail

ldap_group_object_class = Group
ldap_group_name = cn
ldap_group_gid_number = msSFU30GidNumber
ldap_force_upper_case_realm = True

ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/CADOUBLE.cer
ldap_tls_cacertdir = /etc/openldap/cacerts

If I change auth_provider to ldap instead of krb5 and add
ldap_default_bind_dn = cn=xx,ou=People,dc=xx,dc=xx,dc=xx
ldap_default_authtok_type = password
ldap_default_authtok = xx
Then I got the expected result. It's only when I change sssd to use krb authentication that it fails.
Thanks again.
Best regards, Patrik Martinsson, Sweden.
On 08/02/2010 10:38 AM, Patrik Martinsson wrote:
> If I change auth_provider to ldap instead of krb5 and add
> ldap_default_bind_dn = cn=xx,ou=People,dc=xx,dc=xx,dc=xx
> ldap_default_authtok_type = password
> ldap_default_authtok = xx
> Then I got the expected result. It's only when I change sssd to use krb authentication that it fails.

Try leaving the ldap_default_* options alone and just changing
auth_provider = krb5
krb5_kdcip = <IP or FQDN>
The options you have set above have nothing to do with authentication. They're used to set the bind type that SSSD itself uses to query the LDAP server for the list of acceptable usernames. It's not used for authenticating the users themselves.
So when you removed those lines to set up Kerberos, you made it so that the SSSD cannot look up usernames, and thus would not be able to perform an authentication against Kerberos.
-- Stephen Gallagher RHCE 804006346421761
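The two replies above separate the bind SSSD uses for identity lookups from user authentication, and mention TGT validation with the host keytab. The following lint for one sssd.conf domain section is an added example, not code from the thread or from the SSSD project; the sample sections are constructed, `id_provider` is a real option the thread does not show, and the domain name `EXAMPLE`, the finding codes and the function names are made up for illustration. It only knows the simple-bind options quoted in the thread.

```python
import configparser

# Constructed sample: option names as quoted in the thread, placeholder values.
BROKEN = """\
[domain/EXAMPLE]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://ad.example.test:636
krb5_kdcip = 192.0.2.10
krb5_realm = EXAMPLE.TEST
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
"""

# Same section with the lookup bind restored and TGT validation enabled.
FIXED = BROKEN + """\
ldap_default_bind_dn = cn=svc,ou=People,dc=example,dc=test
ldap_default_authtok_type = password
ldap_default_authtok = placeholder-secret
krb5_keytab = /etc/krb5.keytab
krb5_validate = True
"""


def load_domain(text, name):
    """Return the options of [domain/<name>] as a dict."""
    # interpolation=None keeps templates such as %d and %U literal.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return dict(parser["domain/" + name])


def lint_domain(opts):
    """Return (code, message) findings for one domain section."""
    findings = []
    bind_dn = opts.get("ldap_default_bind_dn", "").strip()
    authtok = opts.get("ldap_default_authtok", "").strip()

    # Identity lookups bind to LDAP on their own, whatever auth_provider is.
    if opts.get("id_provider") == "ldap":
        if not bind_dn and not authtok:
            findings.append(("anonymous-id-bind",
                             "lookups bind anonymously; the AD server in the "
                             "thread refused searches without a bind"))
        elif not (bind_dn and authtok):
            findings.append(("incomplete-bind",
                             "bind DN and authtok must be set together"))

    # Without validation a forged KDC reply is not detected at login.
    if opts.get("auth_provider") == "krb5":
        validate = opts.get("krb5_validate", "false").strip().lower()
        if validate != "true":
            findings.append(("tgt-not-validated",
                             "set krb5_validate = True with a host keytab"))
    return findings


def codes(text, name="EXAMPLE"):
    """Finding codes only, in the order they were raised."""
    return [code for code, _ in lint_domain(load_domain(text, name))]


if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_domain(load_domain(text, "EXAMPLE")))
```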
Ok, thanks again for the patience.
I've realized that I misunderstood that part about the authentication and the binding against ldap, thanks very much for the explanation.
Now it works correctly with the lookup of the users, however I can't get it to work with pam, I haven't dug that deep yet, but here's what I did.
Added the pam_sss.so to /etc/pam/system-auth according to your website and tried to log in and realized it didn't work. It's definitely contacting sssd and sssd is trying to look up the user but fails for some reason, I tried with both auth_providers (krb/ldap) and both yield the same results, here's the log, maybe you have some suggestions for that too?
As I said earlier, a regular kinit username works so the kerberos config should be ok.
If I run sssd --debug-to-files with auth_provider krb5 the krb5_child.log is empty.
Here's how it looks when I use -d10 and ssh to the machine with auth_provider krb5.
----
(Mon Aug 2 17:22:06 2010) [sssd[nss]] [get_client_cred] (9): Client creds: euid[0] egid[0] pid[26077].
(Mon Aug 2 17:22:06 2010) [sssd[nss]] [accept_fd_handler] (4): Client connected!
(Mon Aug 2 17:22:06 2010) [sssd[nss]] [sss_cmd_get_version] (5): Received client version [1].
(Mon Aug 2 17:22:06 2010) [sssd[nss]] [sss_cmd_get_version] (5): Offered version [1].
(Mon Aug 2 17:22:06 2010) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [xx] from [<ALL>]
(Mon Aug 2 17:22:06 2010) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [xx@XX]
(Mon Aug 2 17:22:06 2010) [sssd[nss]] [nss_cmd_getpwnam_callback] (6): Returning info for user [xx]
(Mon Aug 2 17:22:07 2010) [sssd] [services_startup_timeout] (6): Handling timeout
(Mon Aug 2 17:22:12 2010) [sssd] [service_check_alive] (4): Checking service XX(26074) is still alive
(Mon Aug 2 17:22:12 2010) [sssd] [service_send_ping] (4): Pinging XX
(Mon Aug 2 17:22:12 2010) [sssd] [sbus_add_timeout] (8): 0xd74080
(Mon Aug 2 17:22:12 2010) [sssd] [service_check_alive] (4): Checking service nss(26075) is still alive
(Mon Aug 2 17:22:12 2010) [sssd] [service_send_ping] (4): Pinging nss
(Mon Aug 2 17:22:12 2010) [sssd] [sbus_add_timeout] (8): 0xd71800
(Mon Aug 2 17:22:12 2010) [sssd[be[XX]]] [sbus_dispatch] (9): dbus conn: 164A330
(Mon Aug 2 17:22:12 2010) [sssd] [service_check_alive] (4):
(Mon Aug 2 17:22:12 2010) [sssd[be[XX]]] [sbus_dispatch] (9): Checking service pam(26076) is still alive Dispatching.
(Mon Aug 2 17:22:12 2010) [sssd] [service_send_ping] (4): Pinging pam
(Mon Aug 2 17:22:12 2010) [sssd[be[XX]]] [sbus_message_handler] (9): Received SBUS method [ping]
(Mon Aug 2 17:22:12 2010) [sssd] [sbus_add_timeout] (8): 0xd700c0
(Mon Aug 2 17:22:12 2010) [sssd[nss]] [sbus_dispatch] (9): dbus conn: E9F3F0
(Mon Aug 2 17:22:12 2010) [sssd[nss]] [sbus_dispatch] (9): Dispatching.
(Mon Aug 2 17:22:12 2010) [sssd] [sbus_remove_timeout] (8):
(Mon Aug 2 17:22:12 2010) [sssd[nss]] [sbus_message_handler] (9): 0xd74080 Received SBUS method [ping]
(Mon Aug 2 17:22:12 2010) [sssd] [sbus_dispatch] (9):
(Mon Aug 2 17:22:12 2010) [sssd[pam]] [sbus_dispatch] (9): dbus conn: D71C70 dbus conn: 9EEF50
(Mon Aug 2 17:22:12 2010) [sssd] [sbus_dispatch] (9):
(Mon Aug 2 17:22:12 2010) [sssd[pam]] [sbus_dispatch] (9): Dispatching. Dispatching.
(Mon Aug 2 17:22:12 2010) [sssd] [ping_check] (4): Service XX replied to ping
(Mon Aug 2 17:22:12 2010) [sssd[pam]] [sbus_message_handler] (9): Received SBUS method [ping]
(Mon Aug 2 17:22:12 2010) [sssd] [sbus_remove_timeout] (8): 0xd71800
(Mon Aug 2 17:22:12 2010) [sssd] [sbus_dispatch] (9): dbus conn: D746C0
(Mon Aug 2 17:22:12 2010) [sssd] [sbus_dispatch] (9): Dispatching.
(Mon Aug 2 17:22:12 2010) [sssd] [ping_check] (4): Service nss replied to ping
(Mon Aug 2 17:22:12 2010) [sssd] [sbus_remove_timeout] (8): 0xd700c0
(Mon Aug 2 17:22:12 2010) [sssd] [sbus_dispatch] (9): dbus conn: D736E0
(Mon Aug 2 17:22:12 2010) [sssd] [sbus_dispatch] (9): Dispatching.
(Mon Aug 2 17:22:12 2010) [sssd] [ping_check] (4): Service pam replied to ping
(Mon Aug 2 17:22:12 2010) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [xx] from [<ALL>]
(Mon Aug 2 17:22:12 2010) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [xx@XX]
(Mon Aug 2 17:22:12 2010) [sssd[nss]] [nss_cmd_getpwnam_callback] (6): Returning info for user [xx]
(Mon Aug 2 17:22:12 2010) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [xx] from [<ALL>]
(Mon Aug 2 17:22:12 2010) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [xx@XX]
(Mon Aug 2 17:22:12 2010) [sssd[nss]] [nss_cmd_getpwnam_callback] (6): Returning info for user [xx]
(Mon Aug 2 17:22:12 2010) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [xx] from [<ALL>]
(Mon Aug 2 17:22:12 2010) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [xx@XX]
(Mon Aug 2 17:22:12 2010) [sssd[nss]] [nss_cmd_getpwnam_callback] (6): Returning info for user [xx]
(Mon Aug 2 17:22:12 2010) [sssd[be[XX]]] [cleanup_users_send] (9): Cache expiration is set to 0 days
(Mon Aug 2 17:22:12 2010) [sssd[be[XX]]] [sysdb_search_users_check_handle] (6): Search users with filter: (&(objectclass=user)(&(!(dataExpireTimestamp=0))(dataExpireTimestamp<=1280762532)(!(lastLogin=*))))
(Mon Aug 2 17:22:12 2010) [sssd[be[XX]]] [sysdb_search_entry_done] (6): Error: Entry not Found!
(Mon Aug 2 17:22:12 2010) [sssd[be[XX]]] [sysdb_search_groups_check_handle] (6): Search groups with filter: (&(objectclass=group)(&(!(dataExpireTimestamp=0))(dataExpireTimestamp<=1280762532)))
(Mon Aug 2 17:22:12 2010) [sssd[be[XX]]] [sysdb_search_entry_done] (6): Error: Entry not Found!
(Mon Aug 2 17:22:12 2010) [sssd[be[XX]]] [ldap_id_cleanup_set_timer] (6): Scheduling next cleanup at 1280773332.415082
Pam looks like this,
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session sufficient pam_sss.so
session required pam_unix.so
/Patrik
On 08/02/2010 11:26 AM, Patrik Martinsson wrote:
> Ok, thanks again for the patience.
> I've realized that I misunderstood that part about the authentication and the binding against ldap, thanks very much for the explanation.
> Now it works correctly with the lookup of the users, however I can't get it to work with pam, I haven't dug that deep yet, but here's what I did.
> Added the pam_sss.so to /etc/pam/system-auth according to your website and tried to log in and realized it didn't work. It's definitely contacting sssd and sssd is trying to look up the user but fails for some reason, I tried with both auth_providers (krb/ldap) and both yield the same results, here's the log, maybe you have some suggestions for that too?
> As I said earlier, a regular kinit username works so the kerberos config should be ok.
> If I run sssd --debug-to-files with auth_provider krb5 the krb5_child.log is empty.
> Here's how it looks when I use -d10 and ssh to the machine with auth_provider krb5.

You probably don't have SSH set up to use PAM for authentication. Just to try something before we go down that path, can you try logging in on a local console?
The log file you attached in your email doesn't show any attempt to perform an authentication. It would have been MUCH more verbose.
As far as setting up SSH, look in your /etc/ssh/sshd_config file for the 'use_pam' option. There are comments in the default config file that explain how to set this up properly (it's not the default, I don't think)
-- Stephen Gallagher RHCE 804006346421761
Ah, thanks. Sometimes it goes a little bit fast. Yes that part (local console) works, and yes, a lot more output is being printed.
Question though, it takes around 30 secs before I get "validated", is this normal? sssd is printing a lot of '[sdap_fill_memberships] (7): member #726 xx' before it finally seems to stop and validate me.
Ehm, sorry about all these questions but I can't seem to find that much about sssd on Google, I guess it's because it's kinda new.
/Patrik
On 08/02/2010 11:40 AM, Patrik Martinsson wrote:
> Question though, it takes around 30 secs before I get "validated", is this normal? sssd is printing a lot of '[sdap_fill_memberships] (7): member #726 xx' before it finally seems to stop and validate me.

I'm actually working on fixing this right this minute, actually. We were over-ambitious with how we were pre-loading groups during login, and it causes some issues for users who are members of groups with large numbers of users. This should be fixed in SSSD 1.2.2 and 1.3.0.

> Ehm, sorry about all these questions but I can't seem to find that much about sssd on Google, I guess it's because it's kinda new.

Not a problem. Thanks for using SSSD :)
-- Stephen Gallagher RHCE 804006346421761