Hi,
The 'id' command and server login for an AD user are failing in some IPA clients joined to the server recently. For other clients, the 'id' command as well as server login for the AD user is working fine. For clients where AD login is working, we have also recently been seeing some amount of slowness. Not sure what is causing these issues.
I have sanitized and attached the full domain log of a client where the 'id' command is not working. I can see in the logs that it is able to pull around 20 groups from the IPA master, but then it times out while getting the membership of a group.
(Tue Jan 5 12:56:08 2021) [sssd[be[ipa.domain.com]]] [ipa_s2n_get_list_step] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for object [ad_group1@domain.com].
(Tue Jan 5 12:56:08 2021) [sssd[be[ipa.domain.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Tue Jan 5 12:56:08 2021) [sssd[be[ipa.domain.com]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 6
(Tue Jan 5 12:56:08 2021) [sssd[be[ipa.domain.com]]] [sdap_op_add] (0x2000): New operation 6 timeout 6
(Tue Jan 5 12:56:08 2021) [sssd[be[ipa.domain.com]]] [sdap_process_result] (0x2000): Trace: sh[0x55f5df2f2a10], connected[1], ops[0x55f5df2838f0], ldap[0x55f5df315c90]
(Tue Jan 5 12:56:08 2021) [sssd[be[ipa.domain.com]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Tue Jan 5 12:56:12 2021) [sssd[be[ipa.domain.com]]] [sdap_process_result] (0x2000): Trace: sh[0x55f5df2bdf20], connected[1], ops[(nil)], ldap[0x55f5df2bda90]
(Tue Jan 5 12:56:12 2021) [sssd[be[ipa.domain.com]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Tue Jan 5 12:56:14 2021) [sssd[be[ipa.domain.com]]] [sdap_op_timeout] (0x1000): Issuing timeout for 6
(Tue Jan 5 12:56:14 2021) [sssd[be[ipa.domain.com]]] [sdap_op_destructor] (0x1000): Abandoning operation 6
(Tue Jan 5 12:56:14 2021) [sssd[be[ipa.domain.com]]] [ipa_s2n_get_list_next] (0x0040): s2n exop request failed.
(Tue Jan 5 12:56:14 2021) [sssd[be[ipa.domain.com]]] [ipa_s2n_get_list_done] (0x0040): s2n get_fqlist request failed.
I am also seeing a timeout while getting the group details from the IPA replica.
(Tue Jan 5 12:56:14 2021) [sssd[be[ipa.domain.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'ipa-replica.ipa.domain.com' as 'working'
(Tue Jan 5 12:56:14 2021) [sssd[be[ipa.domain.com]]] [set_server_common_status] (0x0100): Marking server 'ipa-replica.ipa.domain.com' as 'working'
(Tue Jan 5 12:56:14 2021) [sssd[be[ipa.domain.com]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'ipa-replica.ipa.domain.com' as 'working'
(Tue Jan 5 12:56:14 2021) [sssd[be[ipa.domain.com]]] [sdap_id_op_connect_done] (0x2000): Old USN: 4739522, New USN: 4855028
(Tue Jan 5 12:56:14 2021) [sssd[be[ipa.domain.com]]] [ipa_s2n_get_acct_info_send] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [ad_user] to IPA server
(Tue Jan 5 12:56:14 2021) [sssd[be[ipa.domain.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Tue Jan 5 12:56:14 2021) [sssd[be[ipa.domain.com]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 5
(Tue Jan 5 12:56:14 2021) [sssd[be[ipa.domain.com]]] [sdap_op_add] (0x2000): New operation 5 timeout 6
(Tue Jan 5 12:56:20 2021) [sssd[be[ipa.domain.com]]] [sdap_op_timeout] (0x1000): Issuing timeout for 5
(Tue Jan 5 12:56:20 2021) [sssd[be[ipa.domain.com]]] [sdap_op_destructor] (0x1000): Abandoning operation 5
(Tue Jan 5 12:56:20 2021) [sssd[be[ipa.domain.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(Tue Jan 5 12:56:20 2021) [sssd[be[ipa.domain.com]]] [sdap_id_op_done] (0x0200): communication error on cached connection, moving to next server
Any help is appreciated.
TIA
Suchi.
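
An added example, not part of the original post: a small Python parser that pairs each `sdap_op_add` line with its `sdap_op_timeout` line and reports which s2n lookup was abandoned and after how long, which helps when scanning a full SSSD domain log for the objects that stall. The function name `timed_out_requests` is hypothetical, and the sample input is built from lines of the excerpt above.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the log lines quoted in the post above.
SAMPLE = """\
(Tue Jan 5 12:56:08 2021) [sssd[be[ipa.domain.com]]] [ipa_s2n_get_list_step] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for object [ad_group1@domain.com].
(Tue Jan 5 12:56:08 2021) [sssd[be[ipa.domain.com]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 6
(Tue Jan 5 12:56:08 2021) [sssd[be[ipa.domain.com]]] [sdap_op_add] (0x2000): New operation 6 timeout 6
(Tue Jan 5 12:56:14 2021) [sssd[be[ipa.domain.com]]] [sdap_op_timeout] (0x1000): Issuing timeout for 6
(Tue Jan 5 12:56:14 2021) [sssd[be[ipa.domain.com]]] [ipa_s2n_get_acct_info_send] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [ad_user] to IPA server
(Tue Jan 5 12:56:14 2021) [sssd[be[ipa.domain.com]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 5
(Tue Jan 5 12:56:14 2021) [sssd[be[ipa.domain.com]]] [sdap_op_add] (0x2000): New operation 5 timeout 6
(Tue Jan 5 12:56:20 2021) [sssd[be[ipa.domain.com]]] [sdap_op_timeout] (0x1000): Issuing timeout for 5
"""

LINE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[[^ ]+\] \[(?P<fn>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$")
SEND = re.compile(r"Sending request_type: \[(\w+)\] for (?:object|trust user) \[([^\]]+)\]")
SENT = re.compile(r"ldap_extended_operation sent, msgid = (\d+)")
ADD = re.compile(r"New operation (\d+) timeout (\d+)")
TIMEOUT = re.compile(r"Issuing timeout for (\d+)")


def timed_out_requests(log_text):
    """Return one record per s2n extended operation that hit its timeout."""
    pending = None   # last (request_type, target) seen, not yet bound to a msgid
    ops = {}         # msgid -> in-flight operation details
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an SSSD backend log line
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        msg = m["msg"]
        if s := SEND.search(msg):
            pending = (s[1], s[2])
        elif (s := SENT.search(msg)) and pending:
            ops[int(s[1])] = {"request_type": pending[0], "target": pending[1]}
            pending = None
        elif (s := ADD.search(msg)) and int(s[1]) in ops:
            ops[int(s[1])].update(started=ts, timeout=int(s[2]))
        elif (s := TIMEOUT.search(msg)) and "started" in ops.get(int(s[1]), {}):
            op = ops.pop(int(s[1]))
            elapsed = (ts - op.pop("started")).total_seconds()
            hits.append({"msgid": int(s[1]), "elapsed": elapsed, **op})
    return hits


if __name__ == "__main__":
    print(*timed_out_requests(SAMPLE), sep="\n")
```

On the sample it reports two abandoned lookups, `ad_group1@domain.com` and `ad_user`, each cut off after exactly the 6 seconds shown in the `New operation ... timeout 6` lines.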