On Thu, Oct 17, 2019 at 04:23:11PM -0400, Abhisheyk Deb wrote:
> Hi.
> 
> We have the following setup, CentOS machines which are running 7.3 version
> and we want them to use active directory users for SSH Logins.
> 
> The domain ad.example.com which we want to use, has two domain controllers
> with IP addresses of 10.1.2.1 and 10.1.2.2, and both have DNS Servers
> installed on them.
> 
> We have the following in the /etc/resolv.conf
> 
> search ad.example.com
> nameserver 10.1.2.1
> nameserver 10.1.2.2
> 
> We were able to do a join by using the following command:
> realm join ad.example.com
> 
> The computer objects are getting created in both domain controllers.
> 
> The SSH Logins for the active directory users are also working without any
> issues.
> 
> The /etc/sssd/sssd.conf file is as follows:
> [sssd]
> domains = ad.example.com
> config_file_version = 2
> services = nss, pam
> 
> [pam]
> offline_credentials_expiration = 1
> 
> [domain/ad.example.com]
> ad_domain = ad.example.com
> krb5_realm = ad.example.com
> realmd_tags = manages-system joined-with-samba
> cache_credentials = True
> id_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = True
> use_fully_qualified_names = False
> access_provider = ad
> override_homedir = /user/%u
> account_cache_expiration = 1
> entry_cache_timeout = 180
> 
> But when we put the first domain controller down (10.1.2.1), which is the
> first nameserver in /etc/resolv.conf, SSSD is not trying the second domain
> controller (10.1.2.2) at all, because when we log in we see the following
> message:
> 
> "Authenticated with cached credentials, your cached password will expire
> at: Fri Oct 18 19:47:42 2019."
> 
> And we are able to ping 10.1.2.2 and the command
> nslookup ad.example.com also gives the following output
> 
> Server:         10.1.2.2
> Address:        10.1.2.2#53
> 
> Name:   ad.example.com
> Address: 10.1.2.1
> Name:   ad.example.com
> Address: 10.1.2.2
> 
> And we have not added any option for ad_server or ad_backup_server in our
> sssd.conf file which I am assuming means that autodiscovery is turned on by
> default.
> 
> So should the /etc/resolv.conf only have one nameserver entry, and SSSD
> only reads that, which means the main domain controller needs to be running
> always?
> 
> What I mainly want to know is that even if one of the Domain Controllers
> is down and SSSD was using it as the primary domain controller for
> authentication requests, can it not fall back to using some other domain
> controller in the AD Domain?
> 
> How can I tweak my sssd.conf file for the use case that I want?

Hi,

there are various timeouts involved here and in your version of SSSD they
might not be well aligned.

What you can try as a first step is to lower the timeout in
/etc/resolv.conf to e.g. 2s with

    options timeout:2

(I hope SSSD's resolver will pick this value as well). The default here
is 5s and many of the LDAP related timeouts SSSD is using are 6s. So it
might be that waiting for a DNS reply just takes too long so the SSSD
already switches to the offline mode before the second server can be
tried.

For a discussion about the involved SSSD timeouts see
https://github.com/SSSD/sssd/pull/636. Please note that not all options
might be available in your version of SSSD.

bye,
Sumit

> 
> If somebody can give me some advice on this, it would be really helpful,
> 
> Thank you
> Abhishek Deb

> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
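The timeout arithmetic behind the reply, as an added example that is not part of the thread and not SSSD's own code: a small Python model that parses a resolv.conf and shows how much of an assumed 6s SSSD LDAP timeout survives when the first nameserver is dead. The glibc-style in-order resolver behaviour, the 6s budget and the `queries` count (for instance an SRV lookup followed by an A lookup during autodiscovery) are assumptions made for the illustration.

```python
import re

# Constructed /etc/resolv.conf matching the thread: 10.1.2.1 is the domain
# controller that was shut down. "options timeout:2" is the tweak from the reply.
RESOLV_DEFAULT = "search ad.example.com\nnameserver 10.1.2.1\nnameserver 10.1.2.2\n"
RESOLV_TUNED = RESOLV_DEFAULT + "options timeout:2\n"

def parse_resolv(text):
    """Return (nameservers, timeout); the default timeout is glibc's 5s."""
    servers, timeout = [], 5
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0][0] in "#;":
            continue
        if parts[0] == "nameserver" and len(parts) > 1:
            servers.append(parts[1])
        elif parts[0] == "options":
            for opt in parts[1:]:
                m = re.fullmatch(r"timeout:(\d+)", opt)
                if m:
                    timeout = int(m.group(1))
    return servers, timeout

def dns_delay(servers, timeout, down):
    """Seconds wasted on dead nameservers before a live one is asked.

    Assumed stub-resolver model (glibc-like, no 'rotate'): servers are tried
    in listed order and each unresponsive one costs a full `timeout`.
    Returns None when every listed server is down (the lookup just fails).
    """
    live = [s for s in servers if s not in down]
    if not live:
        return None
    return servers.index(live[0]) * timeout

def sssd_budget_left(resolv_text, down, queries=1, sssd_timeout=6):
    """Seconds of SSSD's ~6s LDAP timeout remaining after `queries` lookups.

    Every lookup pays the dead-server delay again, since the resolver keeps
    no memory of failed servers (assumption). A value <= 0 means SSSD gives
    up and goes offline before the second domain controller is contacted.
    """
    servers, timeout = parse_resolv(resolv_text)
    per_query = dns_delay(servers, timeout, down)
    if per_query is None:
        return None
    return sssd_timeout - queries * per_query
```

With the default 5s timeout a single lookup leaves only 1s for the LDAP connection and two lookups already exceed the budget; with `timeout:2` two lookups still leave 2s.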