On Mon, 19 Aug 2019, Martijn Bakkes via FreeIPA-users wrote:
Thank you. When I was getting the SSSD logs it pointed me to an ID range error. I had adjusted the ID ranges as required but it turns out that sss_cache -E doesn't properly clear the SSSD cache. After I deleted the cache files and restarted SSSD I was able to add the global group to an external group properly.
However, these users can now authenticate against the IdM servers without issue (provided HBAC is applied), but not to any clients for some reason. A debug level 6 SSSD log from a client I'm trying to log in to is below.
I applied the optimization settings from https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-i... I set the timeouts to 15 seconds; any longer and I simply time out prior to getting a password prompt. Even with default timeouts it takes an extraordinarily long time to receive a password prompt now for servers that are part of an HBAC rule that has a POSIX group which contains an external group.
(Mon Aug 19 15:15:37 2019) [sssd[be[<IPA DOMAIN>]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=<MY USERNAME>@<AD DOMAIN>]
(Mon Aug 19 15:15:37 2019) [sssd[be[<IPA DOMAIN>]]] [dp_attach_req] (0x0400): DP Request [Initgroups #29]: New request. Flags [0x0001].
(Mon Aug 19 15:15:37 2019) [sssd[be[<IPA DOMAIN>]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Mon Aug 19 15:15:37 2019) [sssd[be[<IPA DOMAIN>]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=<MY USERNAME>))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=ipa,dc=ipa,dc=ipa].
(Mon Aug 19 15:15:37 2019) [sssd[be[<IPA DOMAIN>]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Aug 19 15:15:37 2019) [sssd[be[<IPA DOMAIN>]]] [ipa_s2n_get_acct_info_send] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [<MY USERNAME>] to IPA server
(Mon Aug 19 15:15:37 2019) [sssd[be[<IPA DOMAIN>]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Mon Aug 19 15:15:43 2019) [sssd[be[<IPA DOMAIN>]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
Stop here -- s2n exop failure means there was an error on the IPA server side to resolve this request. You need SSSD logs from that server for the same time frame to understand why and what was wrong.
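Added example, not part of the thread and not SSSD's or FreeIPA's own tooling: a small POSIX shell helper that does the correlation step the reply asks for. It scans a client-side SSSD domain log for every "s2n exop request failed" entry, records the timestamp and the trust user that the preceding ipa_s2n_get_acct_info_send line was resolving, and prints the grep you would run on the IPA server's domain log for the same minute. The sample log lines, the user names and the domain names are constructed; the server log path follows the usual /var/log/sssd/sssd_<domain>.log naming and is an assumption. Two caveats a practitioner would want: the server-side log only contains the request if debug_level in the server's [domain/...] section is high enough at the time of the failure, and the minute-based match only works when client and server clocks agree and both logs use the same time zone (Kerberos already requires the former).

```shell
#!/bin/sh
# Added example (not from the thread): correlate client-side "s2n exop
# request failed" entries with the IPA server's SSSD domain log.
# The sample log below, the user names and the domain names are constructed.

SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
(Mon Aug 19 15:15:37 2019) [sssd[be[ipa.example.test]]] [ipa_s2n_get_acct_info_send] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [alice] to IPA server
(Mon Aug 19 15:15:37 2019) [sssd[be[ipa.example.test]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Mon Aug 19 15:15:43 2019) [sssd[be[ipa.example.test]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(Mon Aug 19 15:16:01 2019) [sssd[be[ipa.example.test]]] [ipa_s2n_get_acct_info_send] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [bob] to IPA server
(Mon Aug 19 15:16:02 2019) [sssd[be[ipa.example.test]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Mon Aug 19 15:16:02 2019) [sssd[be[ipa.example.test]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
EOF

# Print "timestamp|user" for every failed exop.  The user comes from the most
# recent "for trust user [...]" line seen before the failure, which is the
# request the failure belongs to (SSSD logs them in order within one backend).
s2n_failures() {
    awk '
    /ipa_s2n_get_acct_info_send/ {
        if (match($0, /for trust user \[[^]]*\]/))
            user = substr($0, RSTART + 16, RLENGTH - 17)
    }
    /s2n exop request failed/ {
        ts = substr($0, 2, index($0, ")") - 2)   # text between the leading ( and )
        print ts "|" user
    }' "$1"
}

# "Mon Aug 19 15:15:43 2019" -> "Mon Aug 19 15:15:" so a fixed-string grep
# catches everything the server logged during that minute.
minute_prefix() {
    printf '%s\n' "$1" \
      | sed 's/^\(.* [0-9][0-9]:[0-9][0-9]\):[0-9][0-9] [0-9]*$/\1:/'
}

# Emit one grep per failure to run on the IPA server.  $2 is the IPA domain
# name as it appears in the server's sssd.conf [domain/...] section (assumed
# log path: /var/log/sssd/sssd_<domain>.log).
server_log_commands() {
    s2n_failures "$1" | while IFS='|' read -r ts user; do
        printf "grep -F '(%s' /var/log/sssd/sssd_%s.log   # %s at %s\n" \
            "$(minute_prefix "$ts")" "$2" "$user" "$ts"
    done
}

# Usage on a real client log:
#   server_log_commands /var/log/sssd/sssd_ipa.example.test.log ipa.example.test
server_log_commands "$SAMPLE_LOG" ipa.example.test
```

The server-side entries that matter are the ones written while the extdom extended operation was being handled: the same user name and the same minute let you pair them with the client's failure. If the grep turns up nothing at all, raise debug_level on the server and reproduce, rather than guessing from the client log alone.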