#2202 sssd_be should hint about increasing the krb5_auth_timeout if krb5 auth times out
Closed: Fixed None Opened 5 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1054899

Created attachment 851732
domain log for non-primary(user1_dom3) user login

Description of problem:
sssd goes offline on login for users from subdomains

Version-Release number of selected component (if applicable):
1.11.2-27.el7

How reproducible:
Always

Steps to Reproduce:
1. Try to login as a user from the primary domain
# time ssh -l user1_dom1@sssdad.com localhost
user1_dom1@sssdad.com@localhost's password:
[user1_dom1@sssdad.com@amd-pike-05 ~]$ logout
Connection to localhost closed.

real    0m16.057s

2. Try to login as a user from a child domain
# time ssh -l user1_dom3@child1.sssdad.com localhost
user1_dom3@child1.sssdad.com@localhost's password:
Permission denied, please try again.
user1_dom3@child1.sssdad.com@localhost's password:


real    0m28.623s
user    0m0.020s
sys     0m0.012s


Actual results:
sssd goes offline with login to users from non-primary domains

See attached domain logs for login to a primary user(user1_dom1) and
non-primary user(user1_dom3)

See the discussion in the BZ. What Kaushik wanted was to amend the DEBUG message to hint that raising the timeout might be a good idea. I'm not sure about sss_log, that seems like too much, but maybe using some higher log level (IIRC we have something like IMPORTANT_INFO) would work.

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
owner: somebody => preichl
review: True => 0
selected: =>
testsupdated: => 0

I'll leave the ticket open so it's properly triaged

Fields changed

patch: 0 => 1

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.11.4

resolution: => fixed
status: new => closed

Fields changed

changelog: => See the description and title. Minor enhancement that hints what parameter should the admin increase when Kerberos authentication keeps timing out.

Metadata Update from @jhrozek:
- Issue assigned to preichl
- Issue set to the milestone: SSSD 1.11.4

2 years ago

Login to comment on this ticket.

Metadata