#2202 sssd_be should hint about increasing the krb5_auth_timeout if krb5 auth times out
Closed: Fixed None Opened 6 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1054899

Created attachment 851732
domain log for non-primary(user1_dom3) user login

Description of problem:
sssd goes offline on login for users from subdomains

Version-Release number of selected component (if applicable):
1.11.2-27.el7

How reproducible:
Always

Steps to Reproduce:
1. Try to login as a user from the primary domain
# time ssh -l user1_dom1@sssdad.com localhost
user1_dom1@sssdad.com@localhost's password:
[user1_dom1@sssdad.com@amd-pike-05 ~]$ logout
Connection to localhost closed.

real    0m16.057s

2. Try to login as a user from a child domain
# time ssh -l user1_dom3@child1.sssdad.com localhost
user1_dom3@child1.sssdad.com@localhost's password:
Permission denied, please try again.
user1_dom3@child1.sssdad.com@localhost's password:


real    0m28.623s
user    0m0.020s
sys     0m0.012s


Actual results:
sssd goes offline with login to users from non-primary domains

See attached domain logs for login to a primary user(user1_dom1) and
non-primary user(user1_dom3)

See the discussion in the BZ. What Kaushik wanted was to amend the DEBUG message to hint that raising the timeout might be a good idea. I'm not sure about sss_log, that seems like too much, but maybe using some higher log level (IIRC we have something like IMPORTANT_INFO) would work.

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
owner: somebody => preichl
review: True => 0
selected: =>
testsupdated: => 0

I'll leave the ticket open so it's properly triaged

Fields changed

patch: 0 => 1

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.11.4

resolution: => fixed
status: new => closed

Fields changed

changelog: => See the description and title. Minor enhancement that hints what parameter should the admin increase when Kerberos authentication keeps timing out.

Metadata Update from @jhrozek:
- Issue assigned to preichl
- Issue set to the milestone: SSSD 1.11.4

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3244

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata