-----Original Message----- From: Alexander Bokovoy <aboko...@redhat.com<mailto:alexander%20bokovoy%20%3caboko...@redhat.com%3e>> To: David Fischer <dfisc...@petsmart.com<mailto:david%20fischer%20%3cdfisc...@petsmart.com%3e>> Cc: freeipa-users@redhat.com <freeipa-users@redhat.com<mailto:%22freeipa-us...@redhat.com%22%20%3cfreeipa-us...@redhat.com%3e>> Subject: Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users Date: Fri, 17 Jun 2016 05:02:59 -0700
On Thu, 16 Jun 2016, David Fischer wrote: Alexander, Ok I figured most of my issues were ldap search time out and also ldap_idmap_range_size was to small. Good. So I am left with one last problem is that any new users can login via password but existing users passwords do not work but kerberos tickets do. So is there another setting I am missing. getent and id -a both work fine and there are no HBAC. Any thought would be helpfull. New users where? In Active Directory or in IPA? In case of authentication checks you need to look at the SSSD domain log together with the pam log and krb5_child log. Sorry, Yes all accounts will live in AD. So any users that I have created in AD after Trust is create I am able to login as, any accounts be fore give password failure. Thanks -----Original Message----- From: Alexander Bokovoy <aboko...@redhat.com<mailto:aboko...@redhat.com><mailto:alexander%20bokovoy%20%3caboko...@redhat.com%3e>> To: David Fischer <dfisc...@petsmart.com<mailto:dfisc...@petsmart.com><mailto:david%20fischer%20%3cdfisc...@petsmart.com%3e>> Cc: freeipa-users@redhat.com<mailto:freeipa-users@redhat.com> <freeipa-users@redhat.com<mailto:freeipa-users@redhat.com><mailto:%22freeipa-us...@redhat.com%22%20%3cfreeipa-us...@redhat.com<mailto:%22%20%3cfreeipa-us...@redhat.com>%3e>> Subject: Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users Date: Tue, 14 Jun 2016 23:52:36 -0700 On Tue, 14 Jun 2016, David Fischer wrote: Alexander, I am getting the windows admin to refresh our DR AD setup and I should be able to give you an idea on some of our groups layouts. So a quick understanding is that a single user can have 15-20+ groups those groups might have all users in them plus groups. The groups of groups can link back to groups that the user may have already assigned. We do know that we have atleast one circular group in our environment. I have used the 'ignore_group_members' with some success. Ref: http://scanmail.trustwave.com/?c=6406&d=9-bj11grZoCjllgMl1zsg9ScQg5PR0s_OsDSsbiAmg&u=https%3a%2f%2fjhrozek%2ewordpress%2ecom%2f2015%2f08%2f19%2fperformance-tuning-sssd-for-large-ipa-ad-trust-deployments%2f That article is what Jakub and I wrote. Jakub may have more suggestions and there are some improvements in recent SSSD releases in RHEL 7.2.4. ________________________________ ##################################################################################### The information contained in this electronic mail message, including attachments, if any, is PetSmart confidential information. It is intended only for the use of the person(s) named above. If the reader of this message is not the intended recipient, or has received this message in error, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you are not the intended recipient or have received this message in error, please notify the sender via e-mail and promptly delete the original message. ##################################################################################### -- Manage your subscription for the Freeipa-users mailing list: http://scanmail.trustwave.com/?c=6406&d=9-bj11grZoCjllgMl1zsg9ScQg5PR0s_OsXftLjezA&u=https%3a%2f%2fwww%2eredhat%2ecom%2fmailman%2flistinfo%2ffreeipa-users Go to http://scanmail.trustwave.com/?c=6406&d=9-bj11grZoCjllgMl1zsg9ScQg5PR0s_OpOBsbSAyQ&u=http%3a%2f%2ffreeipa%2eorg for more info on the project ________________________________ ##################################################################################### The information contained in this electronic mail message, including attachments, if any, is PetSmart confidential information. It is intended only for the use of the person(s) named above. If the reader of this message is not the intended recipient, or has received this message in error, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you are not the intended recipient or have received this message in error, please notify the sender via e-mail and promptly delete the original message. ##################################################################################### -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project