On Thu, Jun 27, 2019 at 05:01:27PM +0000, Thomas Beaudry wrote:
> Hi Jakub,
>
> So I tried
>
> > Does it help to increase the dns_resolver_timeout from its default of 6
> > seconds? Please see the note in man sssd-ad, there are several timeouts
> > that might need to be increased in unison, can you try e.g.:
> >     ldap_opt_timeout = 20
> >     dns_resolver_timeout = 10
>
> but it didn't fix the problem. Here is my domain log with the same
> timestamp as my id <user> command: https://pastebin.com/raw/swicNUPe
>
> thanks,
> Thomas

OK, but now the error is different, right? At least in the domain log I see:
    (Thu Jun 27 12:56:09 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Client not found in Kerberos database], expired on [0]

btw I find it odd that the logs seemingly use the host/hostname principal:
    (Thu Jun 27 12:56:03 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/perform-capstone, MYDOMAIN.ca, 86400)

Did you specify ldap_sasl_authid yourself or did sssd pick this principal? If sssd did pick this principal, can I see the whole log?
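
Added example, not part of the original message and not sssd code: a small Python parser that pairs each `sdap_kinit_send` attempt in a domain log with the following `sdap_get_tgt_recv` child response, so the principal sssd tried and the Kerberos error it got back appear together. The function name, the reading of the kinit fields as keytab, principal, realm, lifetime, and the treatment of response code 0 as success are assumptions; the sample input is the two log lines quoted above.

```python
import re

# Constructed sample: the two domain-log lines quoted in the message above.
SAMPLE_LOG = """\
(Thu Jun 27 12:56:03 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/perform-capstone, MYDOMAIN.ca, 86400)
(Thu Jun 27 12:56:09 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Client not found in Kerberos database], expired on [0]
"""

# Generic shape of a backend debug line: (timestamp) [sssd[be[domain]]] [function] (level): message
LINE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
                  r"\[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$")
# Assumed field order: keytab, principal, realm, ticket lifetime in seconds.
KINIT = re.compile(r"Attempting kinit \(([^,]+), ([^,]+), ([^,]+), (\d+)\)")
REPLY = re.compile(r"Child responded: (\d+) \[([^\]]*)\]")


def pair_kinit_attempts(log_text):
    """Pair each kinit attempt with the next child response for the same domain."""
    pending, results = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a backend debug line
        dom, func, msg = m["domain"], m["func"], m["msg"]
        if func == "sdap_kinit_send" and (k := KINIT.search(msg)):
            pending[dom] = {"domain": dom, "attempted": m["ts"], "keytab": k[1],
                            "principal": k[2], "realm": k[3], "lifetime": int(k[4])}
        elif func == "sdap_get_tgt_recv" and (r := REPLY.search(msg)) and dom in pending:
            attempt = pending.pop(dom)
            # Assumption: a response code of 0 means the TGT was obtained.
            attempt.update(responded=m["ts"], code=int(r[1]), error=r[2],
                           ok=int(r[1]) == 0)
            results.append(attempt)
    return results


if __name__ == "__main__":
    for a in pair_kinit_attempts(SAMPLE_LOG):
        status = "ok" if a["ok"] else f"FAILED: {a['error']}"
        print(f"{a['attempted']} {a['principal']}@{a['realm']} "
              f"(keytab {a['keytab']}) -> {status}")
```

Run against a full domain log, a principal that keeps failing with the same error stands out at once, which is the check being asked for here before looking at ldap_sasl_authid.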