#8041 id command takes minutes to return a result for external users
Closed: invalid 4 years ago by fcami. Opened 4 years ago by rgp.

Issue

When I attempt to run id someuser (AD user) on a CentOS host enrolled in FreeIPA, it can take anywhere from 3 minutes to 17 minutes to get a result. In the meantime the host seems to flood the master servers with LDAP queries. Removing the sssd cache files (rm -f /var/lib/sss/db/*) and restarting sssd resolves the issue temporarily. Running id again takes a couple of seconds. The behaviour returns after a while, maybe 2 hours. I have not tried to time it more precisely. In the meantime the client has not been touched.

Running id for the same user on the FreeIPA masters works with little to no delay.

Details about the setup:

The FreeIPA domain is running on 2 servers with a trust to an AD domain. The AD domain is a decent size and has over 1000 users, over 1000 computers, and many groups. The servers are not under any load; there are plenty of resources. There are no network connectivity issues.

Steps to Reproduce

  1. FreeIPA domain with trust to large AD domain
  2. Enroll client with ipa-client-install
  3. Wait a couple of hours
  4. Run id aduser

Actual behavior

Running id aduser takes many minutes to return a result

Expected behavior

Running id aduser returns a result almost instantly

Version/Release/Distribution

client:

# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
# rpm -q ipa-client
ipa-client-4.6.4-10.el7.centos.3.x86_64

servers:

# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
# rpm -q  ipa-server ipa-client 389-ds-base pki-ca krb5-server
ipa-server-4.6.4-10.el7.centos.2.x86_64
ipa-client-4.6.4-10.el7.centos.2.x86_64
389-ds-base-1.3.8.4-22.el7_6.x86_64
pki-ca-10.5.9-6.el7.noarch
krb5-server-1.15.1-37.el7_6.x86_64

Additional info:

# time id aduser
uid=.......

real    3m21.593s
user    0m0.001s
sys     0m0.009s

Wait 30 minutes and run the command again:

# time id aduser
uid=.......

real    17m53.673s
user    0m0.006s
sys     0m0.014s

/var/log/sssd/sssd_intra.company.com.log

# sssctl debug-level 4

(Wed Aug 14 01:50:49 2019) [sssd[be[intra.company.com]]] [sdap_id_conn_data_expire_handler] (0x0080): connection is about to expire, releasing it
(Wed Aug 14 01:50:55 2019) [sssd[be[intra.company.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Aug 14 01:50:55 2019) [sssd[be[intra.company.com]]] [collapse_srv_lookup] (0x0100): Need to refresh SRV lookup for domain intra.company.com
(Wed Aug 14 01:50:55 2019) [sssd[be[intra.company.com]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.intra.company.com'
(Wed Aug 14 01:50:55 2019) [sssd[be[intra.company.com]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'resolved'
(Wed Aug 14 01:50:55 2019) [sssd[be[intra.company.com]]] [get_server_status] (0x0100): Hostname resolution expired, resetting the server status of 'freeipa-02.intra.company.com'
(Wed Aug 14 01:50:55 2019) [sssd[be[intra.company.com]]] [set_server_common_status] (0x0100): Marking server 'freeipa-02.intra.company.com' as 'name not resolved'
(Wed Aug 14 01:50:55 2019) [sssd[be[intra.company.com]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'freeipa-02.intra.company.com' in files
(Wed Aug 14 01:50:55 2019) [sssd[be[intra.company.com]]] [set_server_common_status] (0x0100): Marking server 'freeipa-02.intra.company.com' as 'resolving name'
(Wed Aug 14 01:50:55 2019) [sssd[be[intra.company.com]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'freeipa-02.intra.company.com' in files
(Wed Aug 14 01:50:55 2019) [sssd[be[intra.company.com]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'freeipa-02.intra.company.com' in DNS
(Wed Aug 14 01:50:55 2019) [sssd[be[intra.company.com]]] [set_server_common_status] (0x0100): Marking server 'freeipa-02.intra.company.com' as 'name resolved'
(Wed Aug 14 01:50:55 2019) [sssd[be[intra.company.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Aug 14 01:50:55 2019) [sssd[be[intra.company.com]]] [child_sig_handler] (0x0100): child [23427] finished successfully.
(Wed Aug 14 01:50:55 2019) [sssd[be[intra.company.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Wed Aug 14 01:50:55 2019) [sssd[be[intra.company.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/c7client.intra.company.com
(Wed Aug 14 01:50:55 2019) [sssd[be[intra.company.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'freeipa-02.intra.company.com' as 'working'
(Wed Aug 14 01:50:55 2019) [sssd[be[intra.company.com]]] [set_server_common_status] (0x0100): Marking server 'freeipa-02.intra.company.com' as 'working'
(Wed Aug 14 01:50:55 2019) [sssd[be[intra.company.com]]] [ipa_sudo_fetch_addtl_cmdgroups_done] (0x0040): Received 2 additional command groups
(Wed Aug 14 01:50:55 2019) [sssd[be[intra.company.com]]] [ipa_sudo_fetch_rules_done] (0x0040): Received 0 sudo rules
(Wed Aug 14 02:05:49 2019) [sssd[be[intra.company.com]]] [sdap_id_conn_data_expire_handler] (0x0080): connection is about to expire, releasing it
(Wed Aug 14 02:05:55 2019) [sssd[be[intra.company.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Aug 14 02:05:55 2019) [sssd[be[intra.company.com]]] [collapse_srv_lookup] (0x0100): Need to refresh SRV lookup for domain intra.company.com
(Wed Aug 14 02:05:55 2019) [sssd[be[intra.company.com]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.intra.company.com'
(Wed Aug 14 02:05:55 2019) [sssd[be[intra.company.com]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'resolved'
(Wed Aug 14 02:05:55 2019) [sssd[be[intra.company.com]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'freeipa-01.intra.company.com' in files
(Wed Aug 14 02:05:55 2019) [sssd[be[intra.company.com]]] [set_server_common_status] (0x0100): Marking server 'freeipa-01.intra.company.com' as 'resolving name'
(Wed Aug 14 02:05:55 2019) [sssd[be[intra.company.com]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'freeipa-01.intra.company.com' in files
(Wed Aug 14 02:05:55 2019) [sssd[be[intra.company.com]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'freeipa-01.intra.company.com' in DNS
(Wed Aug 14 02:05:55 2019) [sssd[be[intra.company.com]]] [set_server_common_status] (0x0100): Marking server 'freeipa-01.intra.company.com' as 'name resolved'
(Wed Aug 14 02:05:55 2019) [sssd[be[intra.company.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Aug 14 02:05:55 2019) [sssd[be[intra.company.com]]] [child_sig_handler] (0x0100): child [23527] finished successfully.
(Wed Aug 14 02:05:55 2019) [sssd[be[intra.company.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Wed Aug 14 02:05:55 2019) [sssd[be[intra.company.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/c7client.intra.company.com
(Wed Aug 14 02:05:55 2019) [sssd[be[intra.company.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'freeipa-01.intra.company.com' as 'working'
(Wed Aug 14 02:05:55 2019) [sssd[be[intra.company.com]]] [set_server_common_status] (0x0100): Marking server 'freeipa-01.intra.company.com' as 'working'
(Wed Aug 14 02:05:55 2019) [sssd[be[intra.company.com]]] [ipa_sudo_fetch_addtl_cmdgroups_done] (0x0040): Received 2 additional command groups
(Wed Aug 14 02:05:55 2019) [sssd[be[intra.company.com]]] [ipa_sudo_fetch_rules_done] (0x0040): Received 1 sudo rules
(Wed Aug 14 02:07:30 2019) [sssd[be[intra.company.com]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request

# host has been idle for a while, and I run a lookup for an AD user: id jsmith

(Wed Aug 14 02:07:36 2019) [sssd[be[intra.company.com]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [Attribute or value exists](20)[attribute 'member': value #17 on 'name=jsmith@company.com,cn=users,cn=company.com,cn=sysdb' already exists]
(Wed Aug 14 02:07:36 2019) [sssd[be[intra.company.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [jsmith@company.com] to group [name=jsmith@company.com,cn=users,cn=company.com,cn=sysdb]. Skipping.
(Wed Aug 14 02:07:36 2019) [sssd[be[intra.company.com]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
(Wed Aug 14 02:07:36 2019) [sssd[be[intra.company.com]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
(Wed Aug 14 02:07:42 2019) [sssd[be[intra.company.com]]] [ipa_s2n_get_list_next] (0x0040): s2n exop request failed.
(Wed Aug 14 02:07:42 2019) [sssd[be[intra.company.com]]] [ipa_s2n_get_list_done] (0x0040): s2n get_fqlist request failed.
(Wed Aug 14 02:07:42 2019) [sssd[be[intra.company.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Aug 14 02:07:42 2019) [sssd[be[intra.company.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Aug 14 02:07:42 2019) [sssd[be[intra.company.com]]] [child_sig_handler] (0x0100): child [23531] finished successfully.
(Wed Aug 14 02:07:42 2019) [sssd[be[intra.company.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Wed Aug 14 02:07:42 2019) [sssd[be[intra.company.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/c7client.intra.company.com
(Wed Aug 14 02:07:42 2019) [sssd[be[intra.company.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'freeipa-02.intra.company.com' as 'working'
(Wed Aug 14 02:07:42 2019) [sssd[be[intra.company.com]]] [set_server_common_status] (0x0100): Marking server 'freeipa-02.intra.company.com' as 'working'
(Wed Aug 14 02:07:48 2019) [sssd[be[intra.company.com]]] [ipa_s2n_get_list_next] (0x0040): s2n exop request failed.
(Wed Aug 14 02:07:48 2019) [sssd[be[intra.company.com]]] [ipa_s2n_get_list_done] (0x0040): s2n get_fqlist request failed.
(Wed Aug 14 02:07:48 2019) [sssd[be[intra.company.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Aug 14 02:07:48 2019) [sssd[be[intra.company.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Aug 14 02:07:48 2019) [sssd[be[intra.company.com]]] [child_sig_handler] (0x0100): child [23533] finished successfully.
(Wed Aug 14 02:07:48 2019) [sssd[be[intra.company.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Wed Aug 14 02:07:48 2019) [sssd[be[intra.company.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/c7client.intra.company.com
(Wed Aug 14 02:07:48 2019) [sssd[be[intra.company.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'freeipa-02.intra.company.com' as 'working'
(Wed Aug 14 02:07:48 2019) [sssd[be[intra.company.com]]] [set_server_common_status] (0x0100): Marking server 'freeipa-02.intra.company.com' as 'working'
(Wed Aug 14 02:07:52 2019) [sssd[be[intra.company.com]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait from ldb_modify with LDB_WAIT_ALL: No such object (32)]
(Wed Aug 14 02:07:52 2019) [sssd[be[intra.company.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [bbury@company.com] to group [name=somegroup1@company.com,cn=groups,cn=company.com,cn=sysdb]. Skipping.
(Wed Aug 14 02:07:52 2019) [sssd[be[intra.company.com]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait from ldb_modify with LDB_WAIT_ALL: No such object (32)]
(Wed Aug 14 02:07:52 2019) [sssd[be[intra.company.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [bbury@company.com] to group [name=somegroup2@company.com,cn=groups,cn=company.com,cn=sysdb]. Skipping.

# snip: these lines repeat thousands of times (with different users/groups)
# occasionally SSSD seems to reconnect

(Wed Aug 14 02:08:30 2019) [sssd[be[intra.company.com]]] [ipa_s2n_get_list_next] (0x0040): s2n exop request failed.
(Wed Aug 14 02:08:30 2019) [sssd[be[intra.company.com]]] [ipa_s2n_get_list_done] (0x0040): s2n get_fqlist request failed.
(Wed Aug 14 02:08:30 2019) [sssd[be[intra.company.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Aug 14 02:08:30 2019) [sssd[be[intra.company.com]]] [get_port_status] (0x0080): SSSD is unable to complete the full connection request, this internal status does not necessarily indicate network port issues.
(Wed Aug 14 02:08:30 2019) [sssd[be[intra.company.com]]] [get_port_status] (0x0100): Resetting the status of port 389 for server 'freeipa-01.intra.company.com'
(Wed Aug 14 02:08:30 2019) [sssd[be[intra.company.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Aug 14 02:08:30 2019) [sssd[be[intra.company.com]]] [child_sig_handler] (0x0100): child [23534] finished successfully.
(Wed Aug 14 02:08:30 2019) [sssd[be[intra.company.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Wed Aug 14 02:08:30 2019) [sssd[be[intra.company.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/c7client.intra.company.com
(Wed Aug 14 02:08:30 2019) [sssd[be[intra.company.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'freeipa-01.intra.company.com' as 'working'
(Wed Aug 14 02:08:30 2019) [sssd[be[intra.company.com]]] [set_server_common_status] (0x0100): Marking server 'freeipa-01.intra.company.com' as 'working'
(Wed Aug 14 02:08:36 2019) [sssd[be[intra.company.com]]] [ipa_s2n_get_list_next] (0x0040): s2n exop request failed.
(Wed Aug 14 02:08:36 2019) [sssd[be[intra.company.com]]] [ipa_s2n_get_list_done] (0x0040): s2n get_fqlist request failed.
(Wed Aug 14 02:08:36 2019) [sssd[be[intra.company.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Aug 14 02:08:36 2019) [sssd[be[intra.company.com]]] [get_port_status] (0x0080): SSSD is unable to complete the full connection request, this internal status does not necessarily indicate network port issues.
(Wed Aug 14 02:08:36 2019) [sssd[be[intra.company.com]]] [get_port_status] (0x0100): Resetting the status of port 389 for server 'freeipa-02.intra.company.com'
(Wed Aug 14 02:08:36 2019) [sssd[be[intra.company.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Aug 14 02:08:36 2019) [sssd[be[intra.company.com]]] [child_sig_handler] (0x0100): child [23535] finished successfully.
(Wed Aug 14 02:08:36 2019) [sssd[be[intra.company.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Wed Aug 14 02:08:36 2019) [sssd[be[intra.company.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/c7client.intra.company.com
(Wed Aug 14 02:08:36 2019) [sssd[be[intra.company.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'freeipa-02.intra.company.com' as 'working'
(Wed Aug 14 02:08:36 2019) [sssd[be[intra.company.com]]] [set_server_common_status] (0x0100): Marking server 'freeipa-02.intra.company.com' as 'working'
(Wed Aug 14 02:08:42 2019) [sssd[be[intra.company.com]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait from ldb_modify with LDB_WAIT_ALL: No such object (32)]
(Wed Aug 14 02:08:42 2019) [sssd[be[intra.company.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [tom@company.com] to group [name=anothergroup1@company.com,cn=groups,cn=company.com,cn=sysdb]. Skipping.
(Wed Aug 14 02:08:42 2019) [sssd[be[intra.company.com]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait from ldb_modify with LDB_WAIT_ALL: No such object (32)]
(Wed Aug 14 02:08:42 2019) [sssd[be[intra.company.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [tom@company.com] to group [name=exchange group@company.com,cn=groups,cn=company.com,cn=sysdb]. Skipping.

# snip: these lines repeat thousands of times (with different users/groups)

# grep -c 'ldb_modify failed' sssd_id_delay.log
13865
# grep -c ' s2n exop request failed' sssd_id_delay.log
52

# eventually id returns

(Wed Aug 14 02:19:19 2019) [sssd[be[intra.company.com]]] [ipa_s2n_get_list_next] (0x0040): s2n exop request failed.
(Wed Aug 14 02:19:19 2019) [sssd[be[intra.company.com]]] [ipa_s2n_get_list_done] (0x0040): s2n get_fqlist request failed.
(Wed Aug 14 02:19:19 2019) [sssd[be[intra.company.com]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: [11]: Resource temporarily unavailable.
(Wed Aug 14 02:19:19 2019) [sssd[be[intra.company.com]]] [ipa_s2n_get_list_next] (0x0040): s2n exop request failed.
(Wed Aug 14 02:19:19 2019) [sssd[be[intra.company.com]]] [ipa_s2n_get_list_done] (0x0040): s2n get_fqlist request failed.
(Wed Aug 14 02:19:19 2019) [sssd[be[intra.company.com]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: [11]: Resource temporarily unavailable.
(Wed Aug 14 02:20:18 2019) [sssd[be[intra.company.com]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'neutral'
(Wed Aug 14 02:20:18 2019) [sssd[be[intra.company.com]]] [set_server_common_status] (0x0100): Marking server 'freeipa-01.intra.company.com' as 'name not resolved'
(Wed Aug 14 02:20:18 2019) [sssd[be[intra.company.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'freeipa-01.intra.company.com' as 'neutral'
(Wed Aug 14 02:20:18 2019) [sssd[be[intra.company.com]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'neutral'
(Wed Aug 14 02:20:18 2019) [sssd[be[intra.company.com]]] [set_server_common_status] (0x0100): Marking server 'freeipa-02.intra.company.com' as 'name not resolved'
(Wed Aug 14 02:20:18 2019) [sssd[be[intra.company.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'freeipa-02.intra.company.com' as 'neutral'
(Wed Aug 14 02:20:18 2019) [sssd[be[intra.company.com]]] [set_server_common_status] (0x0100): Marking server 'freeipa-02.intra.company.com' as 'name not resolved'
(Wed Aug 14 02:20:18 2019) [sssd[be[intra.company.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'freeipa-02.intra.company.com' as 'neutral'
(Wed Aug 14 02:20:18 2019) [sssd[be[intra.company.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Aug 14 02:20:18 2019) [sssd[be[intra.company.com]]] [collapse_srv_lookup] (0x0100): Need to refresh SRV lookup for domain intra.company.com
(Wed Aug 14 02:20:18 2019) [sssd[be[intra.company.com]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.intra.company.com'
(Wed Aug 14 02:20:18 2019) [sssd[be[intra.company.com]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'resolved'
(Wed Aug 14 02:20:18 2019) [sssd[be[intra.company.com]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'freeipa-01.intra.company.com' in files
(Wed Aug 14 02:20:18 2019) [sssd[be[intra.company.com]]] [set_server_common_status] (0x0100): Marking server 'freeipa-01.intra.company.com' as 'resolving name'
(Wed Aug 14 02:20:18 2019) [sssd[be[intra.company.com]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'freeipa-01.intra.company.com' in files
(Wed Aug 14 02:20:18 2019) [sssd[be[intra.company.com]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'freeipa-01.intra.company.com' in DNS
(Wed Aug 14 02:20:18 2019) [sssd[be[intra.company.com]]] [set_server_common_status] (0x0100): Marking server 'freeipa-01.intra.company.com' as 'name resolved'
(Wed Aug 14 02:20:18 2019) [sssd[be[intra.company.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Aug 14 02:20:18 2019) [sssd[be[intra.company.com]]] [child_sig_handler] (0x0100): child [23574] finished successfully.
(Wed Aug 14 02:20:18 2019) [sssd[be[intra.company.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Wed Aug 14 02:20:18 2019) [sssd[be[intra.company.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/c7client.intra.company.com
(Wed Aug 14 02:20:19 2019) [sssd[be[intra.company.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'freeipa-01.intra.company.com' as 'working'
(Wed Aug 14 02:20:19 2019) [sssd[be[intra.company.com]]] [set_server_common_status] (0x0100): Marking server 'freeipa-01.intra.company.com' as 'working'
(Wed Aug 14 02:20:19 2019) [sssd[be[intra.company.com]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
(Wed Aug 14 02:20:19 2019) [sssd[be[intra.company.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Aug 14 02:20:19 2019) [sssd[be[intra.company.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Aug 14 02:20:19 2019) [sssd[be[intra.company.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Wed Aug 14 02:20:19 2019) [sssd[be[intra.company.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/c7client.intra.company.com
(Wed Aug 14 02:20:19 2019) [sssd[be[intra.company.com]]] [child_sig_handler] (0x0100): child [23575] finished successfully.
(Wed Aug 14 02:20:19 2019) [sssd[be[intra.company.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'freeipa-01.intra.company.com' as 'working'
(Wed Aug 14 02:20:19 2019) [sssd[be[intra.company.com]]] [set_server_common_status] (0x0100): Marking server 'freeipa-01.intra.company.com' as 'working'
(Wed Aug 14 02:20:19 2019) [sssd[be[intra.company.com]]] [ipa_sudo_fetch_rules_done] (0x0040): Received 1 sudo rules
(Wed Aug 14 02:20:19 2019) [sssd[be[intra.company.com]]] [ipa_enable_enterprise_principals] (0x0100): Enterprise principals enabled.
(Wed Aug 14 02:20:19 2019) [sssd[be[intra.company.com]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'c7client.intra.company.com' in DNS
(Wed Aug 14 02:20:19 2019) [sssd[be[intra.company.com]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve AAAA record of 'c7client.intra.company.com' in DNS
(Wed Aug 14 02:20:19 2019) [sssd[be[intra.company.com]]] [resolv_gethostbyname_next] (0x0100): No more hosts databases to retry
(Wed Aug 14 02:20:19 2019) [sssd[be[intra.company.com]]] [ipa_dyndns_nsupdate_done] (0x0040): DNS update finished

/etc/sssd/sssd.conf

[domain/intra.company.com]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = intra.company.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = c7client.intra.company.com
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, freeipa-01.intra.company.com
dyndns_iface = ens192
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 4

[sssd]
services = nss, sudo, pam, ssh
domains = intra.company.com

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

[session_recording]
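
Added example, not part of the original report or of SSSD: a Python triage script for a backend log like the one above. It reproduces the two `grep -c` counts, lists which members had group additions skipped, and flags GSSAPI rebinds that occur sooner than the logged `expire timeout`. The sample lines, the `example.test` names and the function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Layout of an SSSD debug line: (timestamp) [process] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>\S+)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
MEMBER_RE = re.compile(r"Could not add member \[([^\]]+)\] to group \[name=([^,\]]+)")
EXPIRE_RE = re.compile(r"expire timeout is (\d+)")

# Constructed sample modelled on the log format in the report (not real data).
SAMPLE_LOG = """
(Wed Aug 14 01:50:55 2019) [sssd[be[example.test]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Wed Aug 14 01:50:55 2019) [sssd[be[example.test]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/client.example.test
(Wed Aug 14 02:05:55 2019) [sssd[be[example.test]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/client.example.test
# lookup of an AD user starts here
(Wed Aug 14 02:07:42 2019) [sssd[be[example.test]]] [ipa_s2n_get_list_next] (0x0040): s2n exop request failed.
(Wed Aug 14 02:07:42 2019) [sssd[be[example.test]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/client.example.test
(Wed Aug 14 02:07:48 2019) [sssd[be[example.test]]] [ipa_s2n_get_list_next] (0x0040): s2n exop request failed.
(Wed Aug 14 02:07:48 2019) [sssd[be[example.test]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/client.example.test
(Wed Aug 14 02:07:52 2019) [sssd[be[example.test]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait from ldb_modify with LDB_WAIT_ALL: No such object (32)]
(Wed Aug 14 02:07:52 2019) [sssd[be[example.test]]] [sysdb_update_members_ex] (0x0020): Could not add member [alice@ad.example.test] to group [name=group1@ad.example.test,cn=groups,cn=ad.example.test,cn=sysdb]. Skipping.
(Wed Aug 14 02:07:52 2019) [sssd[be[example.test]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait from ldb_modify with LDB_WAIT_ALL: No such object (32)]
(Wed Aug 14 02:07:52 2019) [sssd[be[example.test]]] [sysdb_update_members_ex] (0x0020): Could not add member [alice@ad.example.test] to group [name=group2@ad.example.test,cn=groups,cn=ad.example.test,cn=sysdb]. Skipping.
"""

def parse(text):
    """Yield (timestamp, function, message) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines and "# snip"-style annotations
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        yield ts, m.group("func"), m.group("msg")

def summarize(text):
    """Count failure signals and rebinds that beat the connection expiry."""
    ldb_failed, skipped, binds, s2n, expire = 0, Counter(), [], [], None
    for ts, func, msg in parse(text):
        if func == "sysdb_mod_group_member" and msg.startswith("ldb_modify failed"):
            ldb_failed += 1
        elif func == "ipa_s2n_get_list_next" and "s2n exop request failed" in msg:
            s2n.append(ts)
        elif func == "sysdb_update_members_ex":
            m = MEMBER_RE.search(msg)
            if m:
                skipped[m.group(1)] += 1  # keyed by member name
        elif func == "sdap_cli_auth_step":
            m = EXPIRE_RE.search(msg)
            if m:
                expire = int(m.group(1))  # seconds, as logged by SSSD
        elif func == "sasl_bind_send":
            binds.append(ts)
    early = 0
    if expire is not None:
        # A bind sooner than the expiry after the previous one is a reconnect
        # that the idle-expiry handler did not trigger.
        early = sum((b - a).total_seconds() < expire for a, b in zip(binds, binds[1:]))
    return {
        "ldb_modify_failed": ldb_failed,
        "s2n_exop_failed": len(s2n),
        "s2n_window_seconds": (s2n[-1] - s2n[0]).total_seconds() if s2n else 0.0,
        "early_rebinds": early,
        "skipped_members": dict(skipped),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

To run it against a real log, pass the file contents to `summarize()`, for example `summarize(open(path).read())`.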

Since this is an SSSD issue, it needs to be filed to https://pagure.io/SSSD/sssd/

My bad, I wasn't sure if I should raise it there. It's raised at https://pagure.io/SSSD/sssd/issue/4062

Thanks @rgp I'll close this one.

Metadata Update from @fcami:
- Issue close_status updated to: invalid
- Issue status updated to: Closed (was: Open)

4 years ago
