#3705 SSSD denies SSH login for cached users if AD is down

Created a month ago by automatedzombies
Modified a month ago

Hello everyone,

I already mentioned this issue on IRC, so maybe you remember it...
The problem can be described as in the following example.

  1. SSSD configured with AD for everything, server joined with realmd or adcli to AD.
  2. SSSD & Active Directory are both available/working.
  3. A user logs in over SSH, does something for N minutes and logs out of the server.
    - the user entry is cached in memory + LDB
  4. Next minute Active Directory goes down and is unavailable.
    (simulated with iptables or actual downtime of AD)
    - SSSD detects it and goes into Offline Mode -> serving cached entries.
  5. User tries to log in again to the system over SSH
    - SSSD sees the user, it finds the cached entry but something happens to the pam responder from SSSD and it denies the login for the cached user.
  6. This is affecting Oracle Linux 6 & 7 and Red Hat Linux 6 & 7.
    - this seems to be present in SSSD version 1.13.3 for OL/REL 6
    - this seems to be present in SSSD version 1.15.2 for OL/REL 7

Let me know if you need more info.

Thanks!

Attachments
sssd_logs.tgz - 2018-04-13 07:50:17
sssd_testad.local.log - 2018-04-16 12:38:20

As asked on IRC, we'd need all possible logs preferably with debug_level = 10.
Would it be possible to attach them here?

Sure, I'll collect logs, sanitize them and attach them here.

/etc/sssd/sssd.conf would be useful for a start as well.

I've collected the logs and created an archive.
I've also tested a reboot with AD down and the behavior is the same + extra stuff like sssd_pam and sssd_nss constantly getting segfaults and core dumps.

You can see all of this stuff in the logs.
sssd_logs.tgz

The constant killing looks like ..

N 1 user@localhost.it.in Fri Apr 13 08:50 729/49393 "[abrt] sssd-common: sssd_nss killed by SIGABRT"
N 2 user@localhost.it.in Fri Apr 13 09:47 711/48382 "[abrt] sssd-common: sssd_pam killed by SIGSEGV"

The config is the following:

[sssd]
debug_level = 9
config_file_version = 2
reconnection_retries = 0
sbus_timeout = 10
services = nss, pam, sudo
domains = testad.local

[nss]
debug_level = 9
reconnection_retries = 0
override_homedir = /appl/home/%u
override_shell = /bin/bash
enum_cache_timeout = 7200
cache_first = true
entry_cache_nowait_percentage = 80
entry_negative_timeout = 60
memcache_timeout = 86400

[pam]
debug_level = 9
pam_id_timeout = 86400
cache_first = true
reconnection_retries = 0
offline_credentials_expiration = 0
offline_failed_login_attempts = 0
offline_failed_login_delay = 0

[sudo]
debug_level = 9
cache_first = true
reconnection_retries = 0

[domain/testad.local]
selinux_provider = none
reconnection_retries = 0
debug_level = 9
entry_cache_timeout = 86400
entry_cache_user_timeout = 86400
entry_cache_group_timeout = 86400
entry_cache_netgroup_timeout = 86400
entry_cache_service_timeout = 86400
entry_cache_sudo_timeout = 86400
entry_cache_autofs_timeout = 86400
entry_cache_ssh_host_timeout = 86400
refresh_expired_interval = 64800
cache_credentials = true
account_cache_expiration = 0
pwd_expiration_warning = 5
ad_domain = testad.local
krb5_realm = TESTAD.LOCAL
krb5_auth_timeout = 2
realmd_tags = manages-system joined-with-adcli
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
krb5_store_password_if_offline = true
ldap_id_mapping = false
use_fully_qualified_names = False
krb5_realm = TESTAD.LOCAL
krb5_store_password_if_offline = true
dyndns_update = False
dns_resolver_timeout = 1
ldap_opt_timeout = 2
ldap_sudo_full_refresh_interval=86400
ldap_sudo_smart_refresh_interval=3600
ldap_sudo_search_base = OU=sudo,OU=ACL,OU=APUX,OU=Services,DC=testad,DC=local
ad_access_filter = DOM:testad.local:(memberOf:1.2.840.113556.1.4.1941:=CN=ACL_Host_avl2930t,OU=ACLHosts,OU=APUX,OU=TestImportT,OU=ACLTest,dc=testad,dc=local)

I've opened an SR request with ORACLE but they are not very helpful for now...
And if you guys need, I can open one with RedHat also.

The KRB5 config is the following:

includedir /var/lib/sss/pubconf/
[logging]
default = FILE=/var/log/krb5libs.log
kdc = FILE=/var/log/krb5kdc.log
admin_server = FILE=/var/log/kadmind.log

[libdefaults]
  default_realm = TESTAD.LOCAL
  ticket_lifetime = 2d
  renew_lifetime = 7d
  forwardable = true
  kdc_timesync = 1
  dns_lookup_kdc = false
  dns_lookup_realm = false
  rdns = false
  udp_preference_limit = 1

[realms]
TESTAD.LOCAL = {
  kdc = avw3606t.it.internal
  kdc = avw3607t.it.internal
  default_domain = testad.local
}

[domain_realm]
.testad.local = TESTAD.LOCAL
testad.local = TESTAD.LOCAL

The samba conf is the following:

[global]
   client signing = yes
   client use spnego = yes
   kerberos method = secrets and keytab
   log file = /var/log/samba/%m.log
   log level = all
   password server = avw3606t.it.internal avw3607t.it.internal
   security = ads
   realm = TESTAD.LOCAL
   WORKGROUP = TESTAD

The downtime is simulated using the following iptables rules.

I've also tried blocking it from the AD side and you get the same effect/behavior.

-A OUTPUT -d 1.2.3.4 -o eth0 -j DROP
-A OUTPUT -d 1.2.3.5 -o eth0 -j DROP
-A OUTPUT -s 1.2.3.4 -o eth0 -j DROP
-A OUTPUT -s 1.2.3.5 -o eth0 -j DROP
-A OUTPUT -d 1.2.3.4 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 1.2.3.5 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -s 1.2.3.4 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -s 1.2.3.5 -o eth0 -j REJECT --reject-with icmp-port-unreachable

If there are crashes, do you have core dumps or backtraces as well?

Is there a reason why you set 'reconnection_retries = 0'? I can see errors during authentication attempts because the frontend was not able to connect to the backend.

bye,
Sumit

The idea is to have SSSD with lower timeouts and a strict policy to avoid
locking the system if AD is down.
So that was set in hope of not having the user login "slow" when AD is down
and SSSD tries to search for it, wait for timeouts, retry etc... end step
-> permit user if cached

I attached the root file which has a backtrace in it from what I can see.

The reconnection_retries option controls the internal connections between the different components of SSSD, not the connections to external services. I would recommend removing all reconnection_retries from sssd.conf and restarting SSSD to see if SSSD handles offline logins better.

I did it and it's behaving in the same manner.

@sbose It seems that I was wrong; removing the reconnection_retries is making SSSD behave better... The issue seems to be coming from the fact that SSSD seems to think that the AD backend is online again after 2-4 minutes for some reason.

When it goes "online" again and a user tries to log in over SSH, the login fails because SSSD sees after a couple of minutes that the DP is actually offline and puts everything in offline again, but the user is waiting forever at the password prompt.

I don't know why SSSD is constantly going into this DOWN -> UP -> DOWN -> UP loop for the AD DP, but this seems to be causing these problems...

(Fri Apr 13 14:44:13 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:44:13 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:44:13 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:44:14 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:45:40 2018) [sssd[be[testad.local]]] [be_ptask_execute] (0x0400): Back end is offline
(Fri Apr 13 14:45:41 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:45:41 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:45:41 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:45:41 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:46:18 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:46:18 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:46:18 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:46:18 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:46:46 2018) [sssd[be[testad.local]]] [be_ptask_execute] (0x0400): Back end is offline
(Fri Apr 13 14:47:21 2018) [sssd[be[testad.local]]] [be_ptask_execute] (0x0400): Back end is offline
(Fri Apr 13 14:47:22 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:47:22 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:47:22 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:47:22 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:47:22 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:47:22 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:47:23 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:47:23 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:47:49 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:47:49 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:47:49 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:47:49 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:48:17 2018) [sssd[be[testad.local]]] [be_ptask_execute] (0x0400): Back end is offline
(Fri Apr 13 14:48:33 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:48:33 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:48:33 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:48:33 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:48:34 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:48:34 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:48:34 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:48:34 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:48:50 2018) [sssd[be[testad.local]]] [be_ptask_execute] (0x0400): Back end is offline
(Fri Apr 13 14:48:51 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:48:51 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:48:52 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:48:52 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:49:20 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:49:20 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:49:20 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:49:20 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:49:42 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:49:42 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:49:42 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:49:42 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:49:43 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:49:43 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:49:43 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:49:43 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:49:48 2018) [sssd[be[testad.local]]] [be_ptask_execute] (0x0400): Back end is offline
(Fri Apr 13 14:50:47 2018) [sssd[be[testad.local]]] [be_ptask_execute] (0x0400): Back end is offline
(Fri Apr 13 14:50:48 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:50:49 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:50:49 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:50:49 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:51:21 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:51:21 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:51:21 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:51:21 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:51:49 2018) [sssd[be[testad.local]]] [be_ptask_execute] (0x0400): Back end is offline
(Fri Apr 13 14:52:33 2018) [sssd[be[testad.local]]] [be_ptask_execute] (0x0400): Back end is offline
(Fri Apr 13 14:52:34 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:52:35 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:52:35 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:52:35 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:53:02 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:53:02 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:53:02 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:53:02 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:53:30 2018) [sssd[be[testad.local]]] [be_ptask_execute] (0x0400): Back end is offline
(Fri Apr 13 14:54:21 2018) [sssd[be[testad.local]]] [be_ptask_execute] (0x0400): Back end is offline
(Fri Apr 13 14:54:23 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:54:23 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:54:23 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:54:23 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:54:53 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:54:53 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:54:53 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:54:53 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:55:21 2018) [sssd[be[testad.local]]] [be_ptask_execute] (0x0400): Back end is offline
(Fri Apr 13 14:56:02 2018) [sssd[be[testad.local]]] [be_ptask_execute] (0x0400): Back end is offline
(Fri Apr 13 14:56:04 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:56:04 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:56:04 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:56:04 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:56:34 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:56:34 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:56:34 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:56:34 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:57:02 2018) [sssd[be[testad.local]]] [be_ptask_execute] (0x0400): Back end is offline
(Fri Apr 13 14:57:46 2018) [sssd[be[testad.local]]] [be_ptask_execute] (0x0400): Back end is offline
(Fri Apr 13 14:57:48 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:57:48 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:57:48 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:57:48 2018) [sssd[be[testad.local]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 14:58:15 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:58:15 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:58:15 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:58:15 2018) [sssd[be[testad.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 14:58:43 2018) [sssd[be[testad.local]]] [be_ptask_execute] (0x0400): Back end is offline
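
The DOWN -> UP -> DOWN loop in a backend log like the one above can be measured with a short script. This is an added example, not part of the original ticket or of SSSD; the sample lines, the domain `example.test` and the two-minute threshold are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Matches the "Back end is online/offline" debug lines quoted in the ticket.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \(0x[0-9a-f]+\): Back end is (?P<state>online|offline)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# Constructed sample in the same format; example.test is a placeholder domain.
SAMPLE = """\
(Fri Apr 13 10:00:00 2018) [sssd[be[example.test]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 10:00:00 2018) [sssd[be[example.test]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 10:01:30 2018) [sssd[be[example.test]]] [be_ptask_execute] (0x0400): Back end is offline
(Fri Apr 13 10:01:31 2018) [sssd[be[example.test]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 10:01:31 2018) [sssd[be[example.test]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 10:02:08 2018) [sssd[be[example.test]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 10:03:10 2018) [sssd[be[example.test]]] [be_ptask_execute] (0x0400): Back end is offline
(Fri Apr 13 10:03:12 2018) [sssd[be[example.test]]] [be_ptask_online_cb] (0x0400): Back end is online
(Fri Apr 13 10:03:39 2018) [sssd[be[example.test]]] [be_ptask_offline_cb] (0x0400): Back end is offline
(Fri Apr 13 10:03:40 2018) [sssd[be[other.test]]] [be_ptask_online_cb] (0x0400): Back end is online
""".splitlines()


def state_windows(lines, domain):
    """Collapse repeated messages into [state, first_seen, last_seen] runs."""
    windows = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["domain"] != domain:
            continue  # other debug output, or another domain's back end
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        if windows and windows[-1][0] == m["state"]:
            windows[-1][2] = ts  # same state repeated: extend the current run
        else:
            windows.append([m["state"], ts, ts])
    return windows


def short_online_windows(lines, domain, max_online=timedelta(minutes=2)):
    """Online periods that fell back to offline within max_online (assumed threshold)."""
    runs = state_windows(lines, domain)
    flaps = []
    for cur, nxt in zip(runs, runs[1:]):
        if cur[0] == "online" and nxt[0] == "offline":
            duration = nxt[1] - cur[1]
            if duration <= max_online:
                flaps.append((cur[1], nxt[1], duration))
    return flaps


def retry_gaps(lines, domain):
    """Seconds from each switch to offline until the next switch to online."""
    runs = state_windows(lines, domain)
    return [int((nxt[1] - cur[1]).total_seconds())
            for cur, nxt in zip(runs, runs[1:])
            if cur[0] == "offline" and nxt[0] == "online"]


if __name__ == "__main__":
    for up, down, duration in short_online_windows(SAMPLE, "example.test"):
        print(f"online {up:%H:%M:%S} -> offline {down:%H:%M:%S} ({duration.seconds}s)")
    print("retry gaps (s):", retry_gaps(SAMPLE, "example.test"))
```

The short online windows are the periods in which a login is sent to the unreachable backend instead of the cache; the retry gaps can be compared with the configured `offline_timeout`.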

SSSD regularly tries to switch to the online mode and to reconnect to the servers; otherwise SSSD won't be able to determine if the system is online again. The interval can be controlled with the offline_timeout option (see man sssd.conf for details).

Please attach at least the full sssd_domain.log again so that we can determine where the time is spent during the reconnection attempts before SSSD switches to the offline mode again.

@sbose Thank you for the explanation! Now I understand better those options.
There is still a "hangup" when the user tries to log in over SSH with AD down but everything behaves much better...

Please provide some feedback if/when you can.
You can find the AD log attached...

Thanks!

sssd_testad.local.log

The following is the new configuration used at the moment.
What is not clear to me is why SSSD tries to look up the cached user with the AD DP when offline_timeout is set to 900 + cache_first is set to True.

Shouldn't it serve it from cache and not do any lookup? For me this seems like a slowdown for the user login...

[sssd]
debug_level = 9
config_file_version = 2
sbus_timeout = 10
services = nss, pam, sudo
domains = testad.local

[nss]
debug_level = 9
override_homedir = /appl/home/%u
override_shell = /bin/bash
enum_cache_timeout = 7200
cache_first = true
entry_cache_nowait_percentage = 80
entry_negative_timeout = 60
memcache_timeout = 86400

[pam]
debug_level = 9
pam_id_timeout = 86400
cache_first = true
offline_credentials_expiration = 0
offline_failed_login_attempts = 0
offline_failed_login_delay = 0

[sudo]
debug_level = 9
cache_first = true

[domain/testad.local]
min_id = 40000
max_id = 49999
offline_timeout = 900
selinux_provider = none
debug_level = 9
entry_cache_timeout = 86400
entry_cache_user_timeout = 86400
entry_cache_group_timeout = 86400
entry_cache_netgroup_timeout = 86400
entry_cache_service_timeout = 86400
entry_cache_sudo_timeout = 86400
entry_cache_autofs_timeout = 86400
entry_cache_ssh_host_timeout = 86400
refresh_expired_interval = 64800
cache_credentials = true
account_cache_expiration = 0
pwd_expiration_warning = 5
ad_domain = testad.local
krb5_realm = TESTAD.LOCAL
krb5_auth_timeout = 2
realmd_tags = manages-system joined-with-adcli
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
krb5_store_password_if_offline = true
ldap_id_mapping = false
use_fully_qualified_names = False
krb5_realm = TESTAD.LOCAL
krb5_store_password_if_offline = true
dyndns_update = False
dns_resolver_timeout = 1
ldap_opt_timeout = 2
ldap_sudo_full_refresh_interval=86400
ldap_sudo_smart_refresh_interval=3600
ldap_sudo_search_base = OU=sudo,OU=ACL,OU=APUX,OU=Services,OU=BlaBla,DC=testad,DC=local
ad_access_filter = DOM:testad.local:(memberOf:1.2.840.113556.1.4.1941:=CN=ACL_Host_avl2930t,OU=ACLHosts,OU=APUX,OU=TestImportT,OU=ACLTest,dc=testad,dc=local)
