Hello all,

So, for anyone following this thread, I've been able to make some
progress but not enough to consider the configuration production
ready.

After watching sssd logs ([domain] debug_level = 10, [sssd]
debug_level = 10, and [nss] debug_level = 10) on both the client and
server, I am able to reduce by ~50% the time required and failures of
user look-ups via `getent passwd` and `id` by configuring the [nss]
option 'entry_negative_timeout = 1'.

No matter what other options are configured on the client via sssd,
the first look-up always fails.  The server logs do not indicate that
the client checked the server's sssd cache on the first look-up.  Only
after a negative entry has been introduced and then purged will a
"true" client look-up receive a result.  I cannot understand why this
does not happen on the IPA servers with a default sssd configuration,
but happens continually on a client's generated sssd configuration via
the IPA installer.  Even after removing the additional trusted domains
and their ID ranges, the behaviour remains.

In order to rule out the hardware on the client and an older sssd
version (1.15.2), I installed on new hardware and with the latest sssd
version offered via our satellite server (1.16.2), and the behavior
was the same.

Why is the first user look-up on the native IPA client failing to
retrieve the entry that is properly cached on the IPA server?

Thanks,
John DeSantis


On Wed 24 Apr 2019 at 08:42 John Desantis
<desan...@mail.usf.edu> wrote:
>
> Hello all,
>
> Doh!  I realized that I hadn't actually attached the logs;  so much
> for trouble-shooting!
>
> Thanks,
> John DeSantis
>
> On Mon 22 Apr 2019 at 13:07 John Desantis
> <desan...@mail.usf.edu> wrote:
> >
> > Hello all,
> >
> > I've pretty much exhausted my searching in order to find a solution to
> > a problem I've been working on for about a week now, and now I find
> > myself grasping at straws.
> >
> > Basically, AD trust user lookups on IPA clients fail several times in
> > a row before finally returning results (after 8-20 seconds).  However,
> > this does not happen on the IPA servers - even after clearing caches.
> > Furthermore, querying the same list of users against a non IPA Linux
> > client that connects directly to our AD domain using nslcd has no
> > issues querying the same list of users.
> >
> > From what I understand regarding the anatomy of the FreeIPA - AD Trust
> > relationship, the FreeIPA servers' sssd caches are queried first by
> > FreeIPA clients and if there is no result, then the FreeIPA server
> > queries the AD domain controllers, receives results, caches them, and
> > then provides the results to the FreeIPA client.
> >
> > I've tried adjusting the sssd.conf file on both the server and the
> > client, without any expected results:
> >
> > ignore_group_members = True
> > ldap_purge_cache_timeout = (various values)
> > memcache_timeout = (various values)
> > cache_first = (various values)
> > ldap_opt_timeout = (various values)
> > ldap_search_timeout = (various values)
> >
> > The trust was established using the range type of "ipa-ad-trust-posix"
> > since each user has a unique Posix UID and a shared unique Posix GID
> > (no AD groups are returned).
> >
> > I've attached logs (dirsrv and sssd) from the IPA server I directly
> > specified via the client sssd.conf and logs from the client itself.
> >
> > Any pointers and/or suggestions would be extremely helpful!
> >
> > Thank you,
> > John DeSantis
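The symptom discussed in this thread (the first look-up of a trusted-domain user failing, then succeeding only after several retries and 8-20 seconds) is easier to compare across clients, sssd versions and sssd.conf settings when it is measured rather than eyeballed. The script below is an added diagnostic, not code from the thread, from sssd or from FreeIPA: for each user it repeats an NSS look-up until it succeeds and reports how many attempts failed and how many seconds passed before the first hit. It assumes sssd is the NSS source on the client and that `getent` (and `sss_cache`, if you ask it to flush first) are on PATH. The ATTEMPTS, PAUSE, CLEAR_CACHE and LOOKUP_CMD variables are knobs introduced here for the script; they are not sssd options.

```shell
#!/bin/sh
# Added diagnostic (not from the thread, sssd or FreeIPA): count how many
# NSS look-ups of a user fail before the first success, and how long that
# takes. Run it on the IPA client right after the cache has been flushed
# and compare with an IPA server and with a changed sssd.conf.
#
# Knobs (introduced here, not sssd settings):
#   ATTEMPTS    max tries per user before giving up        (default 5)
#   PAUSE       seconds to wait between tries              (default 1)
#   CLEAR_CACHE set to 1 to run `sss_cache -E` before probing
#   LOOKUP_CMD  command that resolves one user; `id` also works
: "${ATTEMPTS:=5}"
: "${PAUSE:=1}"
: "${CLEAR_CACHE:=0}"
: "${LOOKUP_CMD:=getent passwd}"

# probe_user NAME
# Prints "NAME <failed_tries> <seconds_until_first_hit>" and returns 0 as
# soon as one look-up succeeds, or 1 if all ATTEMPTS tries failed.
probe_user() {
    user=$1
    fails=0
    start=$(date +%s)
    while [ "$fails" -lt "$ATTEMPTS" ]; do
        # getent/id exit non-zero when the entry is not found, which is
        # exactly the "first look-up fails" case described in the thread.
        if $LOOKUP_CMD "$user" >/dev/null 2>&1; then
            echo "$user $fails $(( $(date +%s) - start ))"
            return 0
        fi
        fails=$((fails + 1))
        sleep "$PAUSE"
    done
    echo "$user $fails $(( $(date +%s) - start ))"
    return 1
}

# probe_users USER...
# Probes every user given and returns 0 only if each one resolved on the
# first try (i.e. no negative-cache or timeout problem was observed).
probe_users() {
    rc=0
    for u in "$@"; do
        if line=$(probe_user "$u"); then
            set -- $line
            [ "$2" -eq 0 ] || rc=1   # succeeded, but not on the first try
            echo "$line"
        else
            echo "$line (unresolved after $ATTEMPTS tries)"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: ./probe.sh user1@ad.example user2@ad.example ...
if [ "$#" -gt 0 ]; then
    if [ "$CLEAR_CACHE" = 1 ]; then
        sss_cache -E   # invalidate all sssd cache entries (needs root)
    fi
    probe_users "$@"
fi
```

Run it once on a client and once on an IPA server with the same user list; a client that consistently prints a non-zero failed-try count for the first user while the server prints 0 reproduces the behaviour described above in a form that can be attached to a bug report alongside the debug_level = 10 logs. Setting LOOKUP_CMD=id checks the group-resolution path as well, since `id` also expands group membership.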
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org