On Thu, Aug 22, 2019 at 01:11:28PM -0000, Martijn Bakkes via FreeIPA-users wrote:
At this time the client will ask the server for the user data ...
... but this seems to be fast this time.
Additionally SSSD tries to figure out which authentication methods are available for the user trying to log in (password, 2FA, Smartcard). For this the client will try to connect to the IPA server or the AD DCs for AD users directly (as long as you do not have a KDC proxy configured). Maybe this is causing the delay here. To identify this the SSSD domain logs and the krb5_child.log from the IPA client are needed.
bye, Sumit
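One way to locate the delay in the logs requested above, as an added example that is not part of the original thread: the script reports pauses between consecutive timestamped lines of an SSSD debug log such as krb5_child.log. The log layout, realm name and sample messages are constructed assumptions, and `find_gaps` is a hypothetical helper name.

```python
import re
from datetime import datetime

# Constructed sample. Assumed layout of classic SSSD debug logs:
# "(Thu Aug 22 13:11:28 2019) [[sssd[krb5_child[PID]]]] [function] (level): message"
SAMPLE_LOG = """\
(Thu Aug 22 13:11:28 2019) [[sssd[krb5_child[4711]]]] [main] (0x0400): krb5_child started.
(Thu Aug 22 13:11:28 2019) [[sssd[krb5_child[4711]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [AD.EXAMPLE.TEST]
(Thu Aug 22 13:11:58 2019) [[sssd[krb5_child[4711]]]] [get_and_save_tgt] (0x0020): Cannot contact any KDC for realm 'AD.EXAMPLE.TEST'
(Thu Aug 22 13:11:58 2019) [[sssd[krb5_child[4711]]]] [main] (0x0400): krb5_child completed.
"""

# Timestamp prefix; the optional ":NNNNNN" group covers logs written with
# debug_microseconds enabled.
TS = re.compile(
    r"^\((\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d)(?::(\d{6}))? (\d{4})\) (.*)$"
)

def parse(line):
    """Return (datetime, rest_of_line), or None for lines without a timestamp."""
    m = TS.match(line)
    if not m:
        return None
    stamp, micro, year, rest = m.groups()
    when = datetime.strptime(f"{stamp} {year}", "%a %b %d %H:%M:%S %Y")
    return when.replace(microsecond=int(micro or 0)), rest

def find_gaps(text, threshold=5.0):
    """Return (seconds, line_before, line_after) for each pause >= threshold."""
    gaps, prev = [], None
    for line in text.splitlines():
        cur = parse(line)
        if cur is None:
            continue  # continuation line or unknown format
        if prev is not None:
            delta = (cur[0] - prev[0]).total_seconds()
            if delta >= threshold:
                gaps.append((delta, prev[1], cur[1]))
        prev = cur
    return gaps

if __name__ == "__main__":
    for seconds, before, after in find_gaps(SAMPLE_LOG):
        print(f"{seconds:.0f}s pause\n  before: {before}\n  after:  {after}")
```

A pause only points at the cause when it falls inside the login attempt being examined; idle time between unrelated requests shows up as a gap too.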
Finally getting back to this. So, we had assumed that the default behaviour was for the client to proxy the logins through the IdM server, especially since both the server and client logs appear to indicate that's the behaviour. I hadn't previously found mention of kdcproxy when troubleshooting this. However, when you mentioned that, I googled specifically for it and found a paywalled article from Red Hat on how to set it up. After doing that it's working correctly now. Thank you very much for your help.