All,

First the deets of the setup:

3 IDM servers on RHEL 7.7
ipa version VERSION: 4.6.5, API_VERSION: 2.231
sssd version 1.16.4
389 directory server version 1.3.9.1-10

Clients:
EL7: ipa version 5.6.5, sssd version
EL6: ipa version 3.0.0.51, sssd 1.13.3.60

Servers are set up in an AD trust ipa-ad-trust-posix. I have done the performance tweaks for sssd as described at https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/ and we use the accounts/groups in AD for login, authorization, and file ownership.

There are 3 main issues we are having.

1. On ipa clients on EL 7 servers we are running into sporadic issues. If you totally clear the sssd cache and do an ls -la on, let's say, /home where there are 12 unique owners of directories, usually between 8 to 10 of the UID numbers come back with the user found, but you have to wait 1 to 5 minutes before the rest of the uids owning the other directories come back as found.

2. Also on ipa clients on EL 7 servers we are running into an issue where occasionally, at what seems like totally random times, AD users that normally can access a client suddenly can't. Someone will have to go in and clear the SSSD cache, after which the user will once again be able to access the system.

3. There are some users that are just not visible on the EL 6 clients. On the IDM servers and on EL 7 clients the AD users are able to be found by id and the users can log in. On EL 6 those AD users just do not resolve and cannot be seen.

Anyway, we have had Red Hat support looking at problem 3 for almost 2 months now with no luck. We have been poking around at problems 1 and 2 but no eureka moments as of yet. I'm hoping someone else on this list has encountered these same issues and found a solution. I would greatly appreciate any insight and help that anyone could provide.

Sincerely,
— Bob Jones
Lead Linux Services Engineer
ITS ECP - Linux Services
University of Virginia
rw...@virginia.edu