[Freeipa-users] Re: FreeIPA Client AD Trust user look-up latencies and results

Wed, 24 Apr 2019 05:43:24 -0700 

Hello all,

Doh!  I realized that I hadn't actually attached the logs;  so much
for trouble-shooting!

Thanks,
John DeSantis

Il giorno lun 22 apr 2019 alle ore 13:07 John Desantis
<desan...@mail.usf.edu> ha scritto:
>
> Hello all,
>
> I've pretty much exhausted my searching in order to find a solution to
> a problem I've been working on for about a week now, and now I find
> myself grasping at straws.
>
> Basically, AD trust user lookups on IPA clients fail several times in
> a row before finally returning results (after 8-20 seconds).  However,
> this does not happen on the IPA servers - even after clearing caches.
> Furthermore, querying the same list of users against a non IPA Linux
> client that connects directly to our AD domain using nslcd has no
> issues querying the same list of users.
>
> From what I understand regarding the anatomy of the FreeIPA - AD Trust
> relationship, the FreeIPA servers' sssd caches are queried first by
> FreeIPA clients and if there is no result, then the FreeIPA server
> queries the AD domain controllers, receives results, caches them, and
> then provides the results to the FreeIPA client.
>
> I've tried adjusting the sssd.conf file on both the server and the
> client, without any expected results:
>
> ignore_group_members = True
> ldap_purge_cache_timeout = (various values)
> memcache_timeout = (various values)
> cache_first = (various values)
> ldap_opt_timeout = (various values)
> ldap_search_timeout = (various values)
>
> The trust was established using the range type of "ipa-ad-trust-posix"
> since each user has a unique Posix UID and a shared unique Posix GID
> (no AD groups are returned).
>
> I've attached logs (dirsrv and sssd) from the IPA server I directly
> specified via the client sssd.conf and logs from the client itself.
>
> Any pointers and/or suggestions would be extremely helpful!
>
> Thank you,
> John DeSantis

Attachment: ipa_logs.tar.xz
Description: application/xz

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

Reply via email to