>----- Original message -----
>From: "Dmitri Pal" <[email protected]>
>To: "Bobby Prins" <[email protected]>
>Cc: "Alexander Bokovoy" <[email protected]>, [email protected]
>Sent: Tuesday 24 March 2015 16:08:07
>Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in
>ipa_server_mode
>
>On 03/24/2015 10:18 AM, Bobby Prins wrote:
>>> ----- Original message -----
>>> From: "Dmitri Pal" <[email protected]>
>>> To: "Bobby Prins" <[email protected]>, "Alexander Bokovoy"
>>> <[email protected]>
>>> Cc: [email protected]
>>> Sent: Tuesday 24 March 2015 14:44:42
>>> Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in
>>> ipa_server_mode
>>>
>>> On 03/24/2015 09:01 AM, Bobby Prins wrote:
>>>>> ----- Original message -----
>>>>> From: "Alexander Bokovoy" <[email protected]>
>>>>> To: "Bobby Prins" <[email protected]>
>>>>> Cc: [email protected], [email protected]
>>>>> Sent: Monday 23 March 2015 16:44:47
>>>>> Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in
>>>>> ipa_server_mode
>>>>>
>>>>> ...
>>>>>
>>>>> Can you show relevant parts of /var/log/dirsrv/slapd-EXAMPLE-CORP/access
>>>>> and sssd logs from IPA master (with debug_level = 10) at least in
>>>>> [domain], [nss], and [pam] sections.
>>>>>
>>>>> You need to filter dirsrv logs by connection coming from AIX IP address
>>>>> and then by conn=<number> where number is the same number as the one
>>>>> with IP address line.
>>>>>
>>>>> When authenticating, AIX would talk to IPA LDAP server to compat tree
>>>>> and slapi-nis plugin which serves compat tree would do PAM
>>>>> authentication as service system-auth where SSSD on IPA master will do
>>>>> the actual authentication work.
>>>>>
>>>>> --
>>>>> / Alexander Bokovoy
>>>> Here you can see the DS connection from AIX:
>>>> [24/Mar/2015:12:53:19 +0100] conn=96 fd=110 slot=110 connection from
>>>> 192.168.140.107 to 192.168.140.133
>>>> [24/Mar/2015:12:53:20 +0100] conn=96 op=0 BIND
>>>> dn="[email protected],cn=users,cn=compat,dc=unix,dc=example,dc=corp"
>>>> method=128 version=3
>>>> [24/Mar/2015:12:53:43 +0100] conn=96 op=0 RESULT err=0 tag=97 nentries=0
>>>> etime=24
>>>> dn="[email protected],cn=users,cn=compat,dc=unix,dc=example,dc=corp"
>>>> [24/Mar/2015:12:53:43 +0100] conn=96 op=-1 fd=110 closed - B1
>>>>
>>>> As you can see it also takes quite some time to process the login. Could
>>>> that be a problem?
>>>>
>>>> The SSSD log files are a bit large with debug_level set to 10 and it will
>>>> take me some time to strip all customer data from it. Any log events in
>>>> particular you would like to see?
>>> Is the user that you use ([email protected]) a member of many
>>> large groups?
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
>> 53 groups in total ranging from groups with only a couple of users to groups
>> with multiple hundreds of users.
>And probably nesting is involved too, right?
>
>--
>Thank you,
>Dmitri Pal
>
>Sr. Engineering Manager IdM portfolio
>Red Hat, Inc.

Yes, that is correct, but the 53 groups is including nested memberships.
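
The log filtering described in the quoted message above (find the connection opened from the client IP, then follow its conn=<number>), as an added example that is not part of the original thread. The function names, the bind DNs and the second client address are assumptions made for illustration; the sample log is constructed in the shape of the excerpt quoted above.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the excerpt quoted in the thread; the bind
# DNs and the second client (192.168.140.50) are placeholders.
SAMPLE_LOG = """\
[24/Mar/2015:12:53:18 +0100] conn=95 fd=109 slot=109 connection from 192.168.140.50 to 192.168.140.133
[24/Mar/2015:12:53:18 +0100] conn=95 op=0 BIND dn="uid=other,cn=users,cn=compat,dc=unix,dc=example,dc=corp" method=128 version=3
[24/Mar/2015:12:53:19 +0100] conn=96 fd=110 slot=110 connection from 192.168.140.107 to 192.168.140.133
[24/Mar/2015:12:53:19 +0100] conn=95 op=0 RESULT err=0 tag=97 nentries=0 etime=1 dn="uid=other,cn=users,cn=compat,dc=unix,dc=example,dc=corp"
[24/Mar/2015:12:53:20 +0100] conn=96 op=0 BIND dn="uid=aixuser,cn=users,cn=compat,dc=unix,dc=example,dc=corp" method=128 version=3
[24/Mar/2015:12:53:43 +0100] conn=96 op=0 RESULT err=0 tag=97 nentries=0 etime=24 dn="uid=aixuser,cn=users,cn=compat,dc=unix,dc=example,dc=corp"
[24/Mar/2015:12:53:43 +0100] conn=96 op=-1 fd=110 closed - B1
"""

LINE_RE = re.compile(r"^\[([^\]]+)\] conn=(\d+) (.*)$")
OPEN_RE = re.compile(r"connection from (\S+) to (\S+)")

def connections_from(log_text, client_ip):
    """Find conn numbers opened by client_ip and keep every line of those conns."""
    wanted, by_conn = set(), defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, conn, rest = m[1], int(m[2]), m[3]
        opened = OPEN_RE.search(rest)
        if opened and opened[1] == client_ip:
            wanted.add(conn)
        if conn in wanted:
            by_conn[conn].append((ts, rest))
    return dict(by_conn)

def slow_binds(conns, min_etime=5.0):
    """Pair BIND with RESULT on the same conn/op; return binds at or above min_etime."""
    slow = []
    for conn, events in conns.items():
        bind_dn = {}
        for _ts, rest in events:
            op = re.match(r"op=(-?\d+) (\w+)", rest)
            if op and op[2] == "BIND":
                dn = re.search(r'dn="([^"]*)"', rest)
                bind_dn[op[1]] = dn[1] if dn else ""
            elif op and op[2] == "RESULT" and op[1] in bind_dn:
                fields = dict(re.findall(r"(\w+)=(\S+)", rest))
                etime = float(fields.get("etime", 0))
                if etime >= min_etime:
                    slow.append((conn, bind_dn[op[1]], int(fields["err"]), etime))
    return slow
```

Run against the real access log, the same two calls isolate the AIX client's connection and show which binds through the compat tree took long enough to matter for the client's timeout.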
