Thank you, Alexander, that was the root cause. I added the optimizations to my setup that you, together with Jakub, described in this article: https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/ and things started working on the client side.
There is one small glitch, though. The first getent passwd for a new user (one that I haven't issued getent for before) executed on a client most likely still times out. I can see that there is some communication going on on the FreeIPA servers (judging by the log file /var/log/sssd/sssd_ipa.domain.log). The getent command times out, but entries keep being added to the log file. When the log entries stop being added and I issue the same getent command again, it succeeds. Could you please point me to the timeout parameter that would allow me to fix this, if there is any?

For reference, I paste my client/server sssd configs:

server:

[domain/ipa.domain]
debug_level = 9
id_provider = ipa
ipa_server_mode = True
ipa_server = ipa-server.ipa.domain
ipa_domain = ipa.domain
ipa_hostname = ipa-server.ipa.domain
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
enumerate = False
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = True
ldap_purge_cache_timeout = 0

[sssd]
services = nss, pam, ifp, ssh, sudo
ignore_group_members=True
domains = ipa.domain
enumerate = False
ldap_use_tokengroups = false

[nss]
homedir_substring = /home
memcache_timeout = 600

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

[session_recording]

----

client:

[domain/ipa.domain]
enumerate = False
debug_level=9
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.domain
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa-client-centos6.shec.hrs.cc
chpass_provider = ipa
ipa_server = ipa-server.ipa.domain
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_auth_timeout = 3600

[sssd]
services = nss, sudo, pam, ssh
domains = ipa.domain

[nss]
homedir_substring = /home

[pam]
pam_id_timeout = 3600

[sudo]

[autofs]

[ssh]

[pac]

[ifp]