On Mon, 13 Jun 2016, David Fischer wrote:
(Note: versions below)
All,
I am getting password failures for accounts coming from a sub-ad domain.
I originally was not able to do 'getent' lookups of random users or groups and
found that it was timing out during ldap scan. I upped the timeout on the 'IPA
Configuration' tab in the web interface and this solved the 'getent' issue.
Now I am able to do 'getent passwd' on all users in a sub-AD domain.
My new problem is that I am now unable to use a password to log in. If I grab a
Kerberos ticket I am able to just ssh into any IPA Unix system, but it fails when
trying to do a password lookup.
The layout of the systems is as follows:
1) forest domain with no users or groups
2) child domain with all users and groups.
3) IPA Realm/Domain trusted to forest domain
All users are in a sub-OU below the top of the domain, in an OU called Users.
There are about 11K users in this OU, but lookups seem really slow.
I have added the following to sssd.conf:
1) lookup_family_order = ipv4_only
2) ignore_group_members=True
3) ldap_purge_cache_timeout=0
4) subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
5) debug_level=9
Could anyone help direct me to a place to start looking for why lookups are
slow and passwords are not being allowed?
Start with https://fedorahosted.org/sssd/wiki/Troubleshooting
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
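The thread stops at "start with the troubleshooting wiki", so here is an added example of the first two checks a practitioner would actually run before asking the list: parse the [domain/...] section of sssd.conf to confirm that every option named in subdomain_inherit is really set in the parent domain (otherwise nothing is inherited for it) and to show the effective LDAP and Kerberos-auth timeouts, then pull the failure-level entries out of the domain log. This is not code from the freeipa-users thread or from SSSD. The realm name ipa.example.test, the sssd.conf fragment (which mirrors the options listed in the post) and the log lines are all constructed; the 6-second defaults for ldap_search_timeout and krb5_auth_timeout are the documented defaults in sssd-ldap(5) and sssd-krb5(5).

```python
"""Sanity checks for the two symptoms in the thread: slow AD sub-domain
lookups and password auth failing while Kerberos-ticket auth works.

Added example; not SSSD code and not from the thread.  Domain name, config
text and log lines are constructed.  Assumption: password auth goes through
krb5_child, so krb5_auth_timeout matters for it while ldap_search_timeout
matters for the getent path; both default to 6 s per the man pages."""
import configparser
import re

# Constructed sssd.conf fragment mirroring the options listed in the post.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = ipa.example.test
services = nss, pam, ssh

[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
lookup_family_order = ipv4_only
ignore_group_members = True
ldap_purge_cache_timeout = 0
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
debug_level = 9
"""

# Constructed lines in the sssd_<domain>.log layout: (timestamp) [sssd[be[domain]]]
# [function] (0xLEVEL): message.  Not real SSSD output.
SAMPLE_LOG = """\
(Mon Jun 13 10:01:02 2016) [sssd[be[ipa.example.test]]] [sdap_op_timeout] (0x0040): LDAP request timed out
(Mon Jun 13 10:01:03 2016) [sssd[be[ipa.example.test]]] [krb5_auth_timeout] (0x0040): Timeout for child [1234] reached.
(Mon Jun 13 10:01:03 2016) [sssd[be[ipa.example.test]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
"""

LOG_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<dom>[^\]]*)\]\]\] "
    r"\[(?P<func>[^\]]*)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

# Documented defaults (seconds) from sssd-ldap(5) and sssd-krb5(5).
DEFAULT_TIMEOUTS = {"ldap_search_timeout": 6, "krb5_auth_timeout": 6}

# Levels 0x0010..0x0080 are the fatal/critical/serious/minor failure levels.
FAILURE_LEVEL_MAX = 0x0080


def domain_sections(conf_text):
    """Return {domain_name: {option: value}} for every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {s[len("domain/"):]: dict(cp[s])
            for s in cp.sections() if s.startswith("domain/")}


def missing_inherit_sources(opts):
    """Options named in subdomain_inherit that the parent domain never sets.

    Such entries are silently useless: the sub-domain inherits the parent's
    value, and there is no parent value to inherit."""
    listed = [o.strip() for o in opts.get("subdomain_inherit", "").split(",")
              if o.strip()]
    return [o for o in listed if o not in opts]


def effective_timeouts(opts):
    """Timeouts that apply after defaults, as integers in seconds."""
    return {k: int(opts.get(k, default)) for k, default in DEFAULT_TIMEOUTS.items()}


def scan_log(log_text):
    """Return (function, message) for every failure-level entry in a domain log."""
    failures = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and int(m["level"], 16) <= FAILURE_LEVEL_MAX:
            failures.append((m["func"], m["msg"]))
    return failures


def report(conf_text, log_text):
    """Human-readable summary; returned as a list of lines so it can be tested."""
    lines = []
    for name, opts in domain_sections(conf_text).items():
        lines.append(f"domain {name}:")
        for opt in missing_inherit_sources(opts):
            lines.append(f"  subdomain_inherit lists {opt} but it is not set here")
        for k, v in effective_timeouts(opts).items():
            lines.append(f"  {k} = {v}s")
    for func, msg in scan_log(log_text):
        lines.append(f"  failure in {func}: {msg}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SSSD_CONF, SAMPLE_LOG)))
```

Run it against the real files with `report(open('/etc/sssd/sssd.conf').read(), open('/var/log/sssd/sssd_<domain>.log').read())`; with debug_level=9 the domain log is large, which is why the scan keeps only the failure levels. An LDAP timeout next to a krb5_child timeout is the pattern to look for when getent works but password auth does not.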