Hello all,

Doh! I realized that I hadn't actually attached the logs; so much for trouble-shooting!

Thanks,
John DeSantis

On Mon, 22 Apr 2019 at 13:07, John Desantis <desan...@mail.usf.edu> wrote:
>
> Hello all,
>
> I've pretty much exhausted my searching in order to find a solution to
> a problem I've been working on for about a week now, and now I find
> myself grasping at straws.
>
> Basically, AD trust user lookups on IPA clients fail several times in
> a row before finally returning results (after 8-20 seconds). However,
> this does not happen on the IPA servers - even after clearing caches.
> Furthermore, querying the same list of users against a non IPA Linux
> client that connects directly to our AD domain using nslcd has no
> issues querying the same list of users.
>
> From what I understand regarding the anatomy of the FreeIPA - AD Trust
> relationship, the FreeIPA servers' sssd caches are queried first by
> FreeIPA clients and if there is no result, then the FreeIPA server
> queries the AD domain controllers, receives results, caches them, and
> then provides the results to the FreeIPA client.
>
> I've tried adjusting the sssd.conf file on both the server and the
> client, without any expected results:
>
> ignore_group_members = True
> ldap_purge_cache_timeout = (various values)
> memcache_timeout = (various values)
> cache_first = (various values)
> ldap_opt_timeout = (various values)
> ldap_search_timeout = (various values)
>
> The trust was established using the range type of "ipa-ad-trust-posix"
> since each user has a unique Posix UID and a shared unique Posix GID
> (no AD groups are returned).
>
> I've attached logs (dirsrv and sssd) from the IPA server I directly
> specified via the client sssd.conf and logs from the client itself.
>
> Any pointers and/or suggestions would be extremely helpful!
>
> Thank you,
> John DeSantis
ipa_logs.tar.xz
Description: application/xz