Hello,
Do your AD users in question belong to any IPA groups?
Your symptoms are very similar to the following post:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
In a nutshell, AD users would only be seen on clients after multiple
failed lookups for the cache lifetime. The solution for us was to
make sure that all permitted AD users belonged to an IPA external
group that was then mapped into an IPA POSIX group. I suppose you
could adjust the cache lifetime on the client vs. our method, but
you'd still run into the issue of expired entries eventually, which
still wouldn't fix the issue.
HTH,
John DeSantis
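The outage window described in the quoted report below (the AD user unknown to sshd, then a normal login once SSSD resolves it again) can be measured from the journal lines quoted there. The following Python is an added example, not from the thread: it parses syslog-style sshd/pam_sss lines (year assumed to be 2021, since syslog omits it) and reports, per host, how long the user stayed unresolved and which pam_sss result codes appeared in between.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the lines quoted in the thread, addresses masked as in the post.
SAMPLE_LOG = """\
Dec 07 12:52:08 rockyprueba.xx.xx sshd[12054]: Invalid user usupru2 from 10.X.X.X port 56778
Dec 07 12:52:32 rockyprueba.xx.xx sshd[12058]: pam_sss(sshd:auth): received for user usupru2: 7 (Authentication failure)
Dec 07 12:52:41 rockyprueba.xx.xx sshd[12062]: Accepted keyboard-interactive/pam for usupru2 from 10.X.X.X port 56786 ssh2
Dec 9 10:15:52 ubuntuprueba sshd[66229]: Invalid user usupru2 from 10.X.X.X port 43534
Dec 9 10:16:12 ubuntuprueba sshd[66231]: pam_sss(sshd:auth): received for user usupru2: 17 (Failure setting user credentials)
Dec 9 10:18:29 ubuntuprueba sshd[66298]: Accepted keyboard-interactive/pam for usupru2 from 10.X.X.X port 43578 ssh2
"""

# syslog-style prefix: timestamp, host, process[pid]: message
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+)\[\d+\]: (.*)$")
INVALID_RE = re.compile(r"^Invalid user (\S+) from ")      # sshd: NSS returned no such user
SSS_RE = re.compile(r"^pam_sss\(sshd:auth\): received for user (\S+): (\d+) \(")
ACCEPT_RE = re.compile(r"^Accepted \S+ for (\S+) from ")  # sshd: login succeeded


def parse_ts(stamp, year=2021):
    """'Dec 9 10:15:52' -> datetime; syslog omits the year, 2021 is assumed."""
    mon, day, clock = stamp.split()
    return datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")


def find_unresolved_windows(log_text):
    """One record per (host, user) window that opens when sshd reports the user
    as unknown ('Invalid user') and closes at the next successful login."""
    open_windows, results = {}, []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts, host, _proc, msg = m.groups()
        t = parse_ts(ts)
        if inv := INVALID_RE.match(msg):
            # Keep the first 'Invalid user' of a window; later ones are retries.
            open_windows.setdefault((host, inv.group(1)), {
                "host": host, "user": inv.group(1), "first_unknown": t, "pam_sss_codes": []})
        elif (sss := SSS_RE.match(msg)) and (host, sss.group(1)) in open_windows:
            open_windows[(host, sss.group(1))]["pam_sss_codes"].append(int(sss.group(2)))
        elif (acc := ACCEPT_RE.match(msg)) and (host, acc.group(1)) in open_windows:
            rec = open_windows.pop((host, acc.group(1)))
            rec["window_seconds"] = int((t - rec.pop("first_unknown")).total_seconds())
            results.append(rec)
    return results


if __name__ == "__main__":
    for r in find_unresolved_windows(SAMPLE_LOG):
        print(f"{r['host']}: {r['user']} unresolved for {r['window_seconds']}s, "
              f"pam_sss codes seen: {r['pam_sss_codes']}")
```

Run it against `journalctl -u sshd --no-pager` output to see whether the unresolved windows line up with SSSD cache expiry, which is the pattern John describes above.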
On Tue, 14 Dec 2021 at 10:07, tizo via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
>
> Anyone, please? I don't really know how to fix this. Thanks.
>
> On Thu, Dec 9, 2021 at 11:20 AM tizo <tizone(a)gmail.com> wrote:
>>
>> The scenario is an IPA with an AD trust. The users belong to AD. IPA is a Rocky Linux 8, and AD is a Samba 4.14.10 over Rocky Linux 8 too.
>>
>> We have a couple of IPA host clients to test. One is another Rocky Linux 8, and the other is an Ubuntu 20.04. Everything works fine: AD users can log in to the clients. The only problem is, after some time of inactivity on the clients (not sure how much time), AD users cannot log in anymore, but just for a while (some seconds, or a minute). In that period, executing an "id user" with an AD user in the client gives me nothing.
>>
>> In the Rocky Linux client, it seems that everything starts to work again after SSSD Kerberos Cache Manager is started (which is done automatically), as can be seen in the following log from journalctl:
>>
>> Dec 07 12:52:08 rockyprueba.xx.xx sshd[12054]: Invalid user usupru2 from 10.X.X.X port 56778
>> Dec 07 12:52:09 rockyprueba.xx.xx sshd[12054]: Postponed keyboard-interactive for invalid user usupru2 from 10.X.X.X port 56778 ssh2 [preauth]
>> Dec 07 12:52:12 rockyprueba.xx.xx sshd[12056]: pam_unix(sshd:auth): check pass; user unknown
>> Dec 07 12:52:12 rockyprueba.xx.xx sshd[12056]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.X.X.X
>> Dec 07 12:52:14 rockyprueba.xx.xx sshd[12054]: error: PAM: Authentication failure for illegal user usupru2 from 10.X.X.X
>> Dec 07 12:52:14 rockyprueba.xx.xx sshd[12054]: Failed keyboard-interactive/pam for invalid user usupru2 from 10.X.X.X port 56778 ssh2
>> Dec 07 12:52:14 rockyprueba.xx.xx sshd[12054]: Postponed keyboard-interactive for invalid user usupru2 from 10.X.X.X port 56778 ssh2 [preauth]
>> Dec 07 12:52:19 rockyprueba.xx.xx sshd[12057]: pam_unix(sshd:auth): check pass; user unknown
>> Dec 07 12:52:19 rockyprueba.xx.xx sshd[12057]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.X.X.X
>> Dec 07 12:52:21 rockyprueba.xx.xx sshd[12054]: error: PAM: Authentication failure for illegal user usupru2 from 10.X.X.X
>> Dec 07 12:52:21 rockyprueba.xx.xx sshd[12054]: Failed keyboard-interactive/pam for invalid user usupru2 from 10.X.X.X port 56778 ssh2
>> Dec 07 12:52:21 rockyprueba.xx.xx sshd[12054]: Postponed keyboard-interactive for invalid user usupru2 from 10.X.X.X port 56778 ssh2 [preauth]
>> Dec 07 12:52:32 rockyprueba.xx.xx sshd[12058]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.X.X.X user=usupru2
>> Dec 07 12:52:32 rockyprueba.xx.xx krb5_child[12061]: Preauthentication failed
>> Dec 07 12:52:32 rockyprueba.xx.xx krb5_child[12061]: Preauthentication failed
>> Dec 07 12:52:32 rockyprueba.xx.xx sshd[12058]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.X.X.X user=usupru2
>> Dec 07 12:52:32 rockyprueba.xx.xx sshd[12058]: pam_sss(sshd:auth): received for user usupru2: 7 (Authentication failure)
>> Dec 07 12:52:34 rockyprueba.xx.xx sshd[12054]: error: PAM: Authentication failure for illegal user usupru2 from 10.X.X.X
>> Dec 07 12:52:34 rockyprueba.xx.xx sshd[12054]: Failed keyboard-interactive/pam for invalid user usupru2 from 10.X.X.X port 56778 ssh2
>> Dec 07 12:52:36 rockyprueba.xx.xx sshd[12054]: Connection closed by invalid user usupru2 10.X.X.X port 56778 [preauth]
>> Dec 07 12:52:40 rockyprueba.xx.xx systemd[1]: Starting SSSD Kerberos Cache Manager...
>> Dec 07 12:52:40 rockyprueba.xx.xx systemd[1]: Started SSSD Kerberos Cache Manager.
>> Dec 07 12:52:40 rockyprueba.xx.xx sssd_kcm[12068]: Starting up
>> Dec 07 12:52:40 rockyprueba.xx.xx sshd[12064]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.X.X.X user=usupru2
>> Dec 07 12:52:41 rockyprueba.xx.xx sshd[12062]: Accepted keyboard-interactive/pam for usupru2 from 10.X.X.X port 56786 ssh2
>>
>> Whereas in Ubuntu I can see the following related lines in the auth log:
>>
>> Dec 9 10:15:52 ubuntuprueba sshd[66229]: Invalid user usupru2 from 10.X.X.X port 43534
>> Dec 9 10:15:57 ubuntuprueba sshd[66229]: Postponed keyboard-interactive for invalid user usupru2 from 10.X.X.X port 43534 ssh2 [preauth]
>> Dec 9 10:16:12 ubuntuprueba sshd[66231]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.X.X.X user=usupru2
>> Dec 9 10:16:12 ubuntuprueba sshd[66231]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.X.X.X user=usupru2
>> Dec 9 10:16:12 ubuntuprueba sshd[66231]: pam_sss(sshd:auth): received for user usupru2: 17 (Failure setting user credentials)
>> Dec 9 10:16:14 ubuntuprueba sshd[66229]: error: PAM: Authentication failure for illegal user usupru2 from 10.X.X.X
>> Dec 9 10:16:14 ubuntuprueba sshd[66229]: Failed keyboard-interactive/pam for invalid user usupru2 from 10.X.X.X port 43534 ssh2
>> Dec 9 10:16:14 ubuntuprueba sshd[66229]: Postponed keyboard-interactive for invalid user usupru2 from 10.X.X.X port 43534 ssh2 [preauth]
>> Dec 9 10:17:01 ubuntuprueba CRON[66257]: pam_unix(cron:session): session opened for user root by (uid=0)
>> Dec 9 10:17:01 ubuntuprueba CRON[66257]: pam_unix(cron:session): session closed for user root
>> Dec 9 10:18:29 ubuntuprueba sshd[66300]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.X.X.X user=usupru2
>> Dec 9 10:18:29 ubuntuprueba sshd[66300]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.X.X.X user=usupru2
>> Dec 9 10:18:29 ubuntuprueba sshd[66298]: Accepted keyboard-interactive/pam for usupru2 from 10.X.X.X port 43578 ssh2
>> Dec 9 10:18:29 ubuntuprueba sshd[66298]: pam_unix(sshd:session): session opened for user usupru2 by (uid=0)
>>
>> Any help is appreciated. Thanks very much.
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org