Turns out, I'm still getting the same problem. It works right away after I force clean the sssd cache:

    systemctl stop sssd ; rm -f /var/lib/sss/db/* /var/log/sssd/* ; systemctl start sssd

After some time, trying to log back on the same system, I see the login prompt is much quicker when I type adu...@ad.com. Instead of getting a simple "Password:" prompt I get adu...@ad.com@centos.domain.ad.com's password. If I log in as root and stop/start and clean the sssd cache, it starts working again.

/var/log/messages is filled with:

    centos sssd_be: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/ad....@ipa.ad.com not found in Kerberos database)

Any thoughts?

Thanks,
Alex

On Tue, Aug 1, 2017 at 2:58 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Mon, Jul 31, 2017 at 05:47:11PM -0400, Alexandre Pitre wrote:
> > Bullseye Jakub, that did the trick. I should have posted for help on the
> > mailing list sooner. Thank you so much, you are saving my ass.
> >
> > It makes sense to increase the krb5_auth_timeout as my AD domain
> > controller servers are worldwide. Currently they exist in 3 regions: North
> > America, Europe and Asia.
> >
> > The weird thing is it seems that when a linux host tries to authenticate
> > against my AD, it just randomly selects an AD DC from the _kerberos SRV
> > records. Normally, on the windows side, if "sites and services" are set up
> > correctly with subnets defined and bound to sites, a windows client
> > shouldn't try to authenticate against an AD DC that isn't local to its
> > site. This mechanism doesn't seem to apply to my linux hosts. Is it
> > because it's only available for windows hosts? Is there another way to
> > force linux clients to authenticate against an AD DC local to their site?
>
> We haven't implemented the site selection for the clients yet, only for
> servers, see:
> https://bugzilla.redhat.com/show_bug.cgi?id=1416528
>
> > For now, I set the krb5_auth_timeout to 120 seconds. I had to completely
> > stop sssd and start it again. A colleague mentioned that sssd has a known
> > issue with restart apparently.
>
> I'm not aware of any such issue..
>
> > Also, I'm curious about port requirements. Going from linux hosts to AD, I
> > only authorize 88 TCP/UDP. I believe that's all I need.
>
> Yes, from the clients, that should be enough. The servers need more
> ports open:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#prereq-ports

--
Alexandre Pitre
alexandre.pi...@gmail.com
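Added example, not part of the thread above and not sssd or FreeIPA code: the GSSAPI line Alex quotes from /var/log/messages names the krbtgt principal the backend asked for and the realm whose KDC answered "not found", so a small log scan can flag the condition (and which realm pair is involved) before anyone resorts to clearing the cache. The log lines and the realm names AD.EXAMPLE / IPA.EXAMPLE are constructed placeholders; only the message format is taken from the thread.

```shell
#!/bin/sh
# Scan syslog lines written by sssd_be for the "Server krbtgt/<target>@<realm> not
# found in Kerberos database" GSSAPI failure and summarise the realm pairs seen.
# Sample input is constructed for this example; realm names are placeholders.

SAMPLE_LOG='Aug  2 10:01:12 centos sssd_be: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/AD.EXAMPLE@IPA.EXAMPLE not found in Kerberos database)
Aug  2 10:01:13 centos sssd_be: Backend is online
Aug  2 10:02:40 centos sssd_be: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/AD.EXAMPLE@IPA.EXAMPLE not found in Kerberos database)
Aug  2 10:03:00 centos sshd[1234]: Accepted password for root from 10.0.0.5 port 5555 ssh2'

# Print one "<target realm> <answering realm> <count>" line per distinct krbtgt
# principal found in the supplied log text. The target realm is the one the
# client wanted a cross-realm ticket for; the answering realm is the KDC that
# reported it missing.
krbtgt_missing_summary() {
    printf '%s\n' "$1" \
    | sed -n 's/.*Server krbtgt\/\([^@]*\)@\([^ ]*\) not found in Kerberos database.*/\1 \2/p' \
    | sort | uniq -c \
    | awk '{ print $2, $3, $1 }'
}

# Exit status 0 when at least one such failure is present, 1 otherwise, so the
# function can serve as an alert condition in a monitoring check.
krbtgt_missing_present() {
    [ -n "$(krbtgt_missing_summary "$1")" ]
}

# Stand-alone run over the constructed sample.
krbtgt_missing_summary "$SAMPLE_LOG"
```

On a real host the same functions can be fed `journalctl -u sssd --no-pager` or the contents of /var/log/messages instead of the sample text; a non-empty summary is a reason to look at the realm configuration and trust path before clearing /var/lib/sss/db.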
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org