The scenario is an IPA with an AD trust. The users belong to AD. IPA is a Rocky Linux 8, and AD is a Samba 4.14.10 over Rocky Linux 8 too. We have a couple of IPA host clients to test. One is another Rocky Linux 8, and the other is an Ubuntu 20.04. Everything works fine: AD users can login into the clients. The only problem is, after some time of inactivity on the clients (not sure how much time), AD users cannot login anymore, but just for a while (some seconds, or a minute). In that period, executing an "id user" with an AD user in the client, gives me nothing. In Rocky Linux client, it seems that everything start to works again after SSSD Kerberos Cache Manager is started (which is done automatically), as can be seen in the following log from journalctl: Dec 07 12:52:08 rockyprueba.xx.xx sshd[12054]: Invalid user usupru2 from 10.X.X.X port 56778 Dec 07 12:52:09 rockyprueba.xx.xx sshd[12054]: Postponed keyboard-interactive for invalid user usupru2 from 10.X.X.X port 56778 ssh2 [preauth] Dec 07 12:52:12 rockyprueba.xx.xx sshd[12056]: pam_unix(sshd:auth): check pass; user unknown Dec 07 12:52:12 rockyprueba.xx.xx sshd[12056]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.X.X.X Dec 07 12:52:14 rockyprueba.xx.xx sshd[12054]: error: PAM: Authentication failure for illegal user usupru2 from 10.X.X.X Dec 07 12:52:14 rockyprueba.xx.xx sshd[12054]: Failed keyboard-interactive/pam for invalid user usupru2 from 10.X.X.X port 56778 ssh2 Dec 07 12:52:14 rockyprueba.xx.xx sshd[12054]: Postponed keyboard-interactive for invalid user usupru2 from 10.X.X.X port 56778 ssh2 [preauth] Dec 07 12:52:19 rockyprueba.xx.xx sshd[12057]: pam_unix(sshd:auth): check pass; user unknown Dec 07 12:52:19 rockyprueba.xx.xx sshd[12057]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.X.X.X Dec 07 12:52:21 rockyprueba.xx.xx sshd[12054]: error: PAM: Authentication failure for illegal user usupru2 from 10.X.X.X Dec 07 12:52:21 rockyprueba.xx.xx sshd[12054]: Failed keyboard-interactive/pam for invalid user usupru2 from 10.X.X.X port 56778 ssh2 Dec 07 12:52:21 rockyprueba.xx.xx sshd[12054]: Postponed keyboard-interactive for invalid user usupru2 from 10.X.X.X port 56778 ssh2 [preauth] Dec 07 12:52:32 rockyprueba.xx.xx sshd[12058]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.X.X.X user=usupru2 Dec 07 12:52:32 rockyprueba.xx.xx krb5_child[12061]: Preauthentication failed Dec 07 12:52:32 rockyprueba.xx.xx krb5_child[12061]: Preauthentication failed Dec 07 12:52:32 rockyprueba.xx.xx sshd[12058]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.X.X.X user=usupru2 Dec 07 12:52:32 rockyprueba.xx.xx sshd[12058]: pam_sss(sshd:auth): received for user usupru2: 7 (Authentication failure) Dec 07 12:52:34 rockyprueba.xx.xx sshd[12054]: error: PAM: Authentication failure for illegal user usupru2 from 10.X.X.X Dec 07 12:52:34 rockyprueba.xx.xx sshd[12054]: Failed keyboard-interactive/pam for invalid user usupru2 from 10.X.X.X port 56778 ssh2 Dec 07 12:52:36 rockyprueba.xx.xx sshd[12054]: Connection closed by invalid user usupru2 10.X.X.X port 56778 [preauth] Dec 07 12:52:40 rockyprueba.xx.xx systemd[1]: Starting SSSD Kerberos Cache Manager... Dec 07 12:52:40 rockyprueba.xx.xx systemd[1]: Started SSSD Kerberos Cache Manager. Dec 07 12:52:40 rockyprueba.xx.xx sssd_kcm[12068]: Starting up Dec 07 12:52:40 rockyprueba.xx.xx sshd[12064]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.X.X.X user=usupru2 Dec 07 12:52:41 rockyprueba.xx.xx sshd[12062]: Accepted keyboard-interactive/pam for usupru2 from 10.X.X.X port 56786 ssh2 Whereas in Ubuntu I can see the following related lines in the auth log: Dec 9 10:15:52 ubuntuprueba sshd[66229]: Invalid user usupru2 from 10.X.X.X port 43534 Dec 9 10:15:57 ubuntuprueba sshd[66229]: Postponed keyboard-interactive for invalid user usupru2 from 10.X.X.X port 43534 ssh2 [preauth] Dec 9 10:16:12 ubuntuprueba sshd[66231]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.X.X.X user=usupru2 Dec 9 10:16:12 ubuntuprueba sshd[66231]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.X.X.X user=usupru2 Dec 9 10:16:12 ubuntuprueba sshd[66231]: pam_sss(sshd:auth): received for user usupru2: 17 (Failure setting user credentials) Dec 9 10:16:14 ubuntuprueba sshd[66229]: error: PAM: Authentication failure for illegal user usupru2 from 10.X.X.X Dec 9 10:16:14 ubuntuprueba sshd[66229]: Failed keyboard-interactive/pam for invalid user usupru2 from 10.X.X.X port 43534 ssh2 Dec 9 10:16:14 ubuntuprueba sshd[66229]: Postponed keyboard-interactive for invalid user usupru2 from 10.X.X.X port 43534 ssh2 [preauth] Dec 9 10:17:01 ubuntuprueba CRON[66257]: pam_unix(cron:session): session opened for user root by (uid=0) Dec 9 10:17:01 ubuntuprueba CRON[66257]: pam_unix(cron:session): session closed for user root Dec 9 10:18:29 ubuntuprueba sshd[66300]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.X.X.X user=usupru2 Dec 9 10:18:29 ubuntuprueba sshd[66300]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.X.X.X user=usupru2 Dec 9 10:18:29 ubuntuprueba sshd[66298]: Accepted keyboard-interactive/pam for usupru2 from 10.X.X.X port 43578 ssh2 Dec 9 10:18:29 ubuntuprueba sshd[66298]: pam_unix(sshd:session): session opened for user usupru2 by (uid=0) Any help is appreciated. Thanks very much.

Hello, Do your AD users in question belong to any IPA groups? Your symptoms are very similar to the following post: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... In a nutshell, AD users would only be seen on clients after multiple failed lookups for the cache lifetime. The solution for us was to make sure that all permitted AD users belonged to an IPA external group that was then mapped into an IPA POSIX group. I suppose you could adjust the cache lifetime on the client vs. our method, but you'd still run into the issue of expired entries eventually, which still wouldn't fix the issue. HTH, John DeSantis Il giorno mar 14 dic 2021 alle ore 10:07 tizo via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org&gt; ha scritto: > > Anyone please?. I don't really know how to fix this. Thanks. > > On Thu, Dec 9, 2021 at 11:20 AM tizo <tizone(a)gmail.com&gt; wrote: >> >> The scenario is an IPA with an AD trust. The users belong to AD. IPA is a Rocky Linux 8, and AD is a Samba 4.14.10 over Rocky Linux 8 too. >> >> We have a couple of IPA host clients to test. One is another Rocky Linux 8, and the other is an Ubuntu 20.04. Everything works fine: AD users can login into the clients. The only problem is, after some time of inactivity on the clients (not sure how much time), AD users cannot login anymore, but just for a while (some seconds, or a minute). In that period, executing an "id user" with an AD user in the client, gives me nothing. >> >> In Rocky Linux client, it seems that everything start to works again after SSSD Kerberos Cache Manager is started (which is done automatically), as can be seen in the following log from journalctl: >> >> Dec 07 12:52:08 rockyprueba.xx.xx sshd[12054]: Invalid user usupru2 from 10.X.X.X port 56778 >> Dec 07 12:52:09 rockyprueba.xx.xx sshd[12054]: Postponed keyboard-interactive for invalid user usupru2 from 10.X.X.X port 56778 ssh2 [preauth] >> Dec 07 12:52:12 rockyprueba.xx.xx sshd[12056]: pam_unix(sshd:auth): check pass; user unknown >> Dec 07 12:52:12 rockyprueba.xx.xx sshd[12056]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.X.X.X >> Dec 07 12:52:14 rockyprueba.xx.xx sshd[12054]: error: PAM: Authentication failure for illegal user usupru2 from 10.X.X.X >> Dec 07 12:52:14 rockyprueba.xx.xx sshd[12054]: Failed keyboard-interactive/pam for invalid user usupru2 from 10.X.X.X port 56778 ssh2 >> Dec 07 12:52:14 rockyprueba.xx.xx sshd[12054]: Postponed keyboard-interactive for invalid user usupru2 from 10.X.X.X port 56778 ssh2 [preauth] >> Dec 07 12:52:19 rockyprueba.xx.xx sshd[12057]: pam_unix(sshd:auth): check pass; user unknown >> Dec 07 12:52:19 rockyprueba.xx.xx sshd[12057]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.X.X.X >> Dec 07 12:52:21 rockyprueba.xx.xx sshd[12054]: error: PAM: Authentication failure for illegal user usupru2 from 10.X.X.X >> Dec 07 12:52:21 rockyprueba.xx.xx sshd[12054]: Failed keyboard-interactive/pam for invalid user usupru2 from 10.X.X.X port 56778 ssh2 >> Dec 07 12:52:21 rockyprueba.xx.xx sshd[12054]: Postponed keyboard-interactive for invalid user usupru2 from 10.X.X.X port 56778 ssh2 [preauth] >> Dec 07 12:52:32 rockyprueba.xx.xx sshd[12058]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.X.X.X user=usupru2 >> Dec 07 12:52:32 rockyprueba.xx.xx krb5_child[12061]: Preauthentication failed >> Dec 07 12:52:32 rockyprueba.xx.xx krb5_child[12061]: Preauthentication failed >> Dec 07 12:52:32 rockyprueba.xx.xx sshd[12058]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.X.X.X user=usupru2 >> Dec 07 12:52:32 rockyprueba.xx.xx sshd[12058]: pam_sss(sshd:auth): received for user usupru2: 7 (Authentication failure) >> Dec 07 12:52:34 rockyprueba.xx.xx sshd[12054]: error: PAM: Authentication failure for illegal user usupru2 from 10.X.X.X >> Dec 07 12:52:34 rockyprueba.xx.xx sshd[12054]: Failed keyboard-interactive/pam for invalid user usupru2 from 10.X.X.X port 56778 ssh2 >> Dec 07 12:52:36 rockyprueba.xx.xx sshd[12054]: Connection closed by invalid user usupru2 10.X.X.X port 56778 [preauth] >> Dec 07 12:52:40 rockyprueba.xx.xx systemd[1]: Starting SSSD Kerberos Cache Manager... >> Dec 07 12:52:40 rockyprueba.xx.xx systemd[1]: Started SSSD Kerberos Cache Manager. >> Dec 07 12:52:40 rockyprueba.xx.xx sssd_kcm[12068]: Starting up >> Dec 07 12:52:40 rockyprueba.xx.xx sshd[12064]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.X.X.X user=usupru2 >> Dec 07 12:52:41 rockyprueba.xx.xx sshd[12062]: Accepted keyboard-interactive/pam for usupru2 from 10.X.X.X port 56786 ssh2 >> >> Whereas in Ubuntu I can see the following related lines in the auth log: >> >> Dec 9 10:15:52 ubuntuprueba sshd[66229]: Invalid user usupru2 from 10.X.X.X port 43534 >> Dec 9 10:15:57 ubuntuprueba sshd[66229]: Postponed keyboard-interactive for invalid user usupru2 from 10.X.X.X port 43534 ssh2 [preauth] >> Dec 9 10:16:12 ubuntuprueba sshd[66231]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.X.X.X user=usupru2 >> Dec 9 10:16:12 ubuntuprueba sshd[66231]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.X.X.X user=usupru2 >> Dec 9 10:16:12 ubuntuprueba sshd[66231]: pam_sss(sshd:auth): received for user usupru2: 17 (Failure setting user credentials) >> Dec 9 10:16:14 ubuntuprueba sshd[66229]: error: PAM: Authentication failure for illegal user usupru2 from 10.X.X.X >> Dec 9 10:16:14 ubuntuprueba sshd[66229]: Failed keyboard-interactive/pam for invalid user usupru2 from 10.X.X.X port 43534 ssh2 >> Dec 9 10:16:14 ubuntuprueba sshd[66229]: Postponed keyboard-interactive for invalid user usupru2 from 10.X.X.X port 43534 ssh2 [preauth] >> Dec 9 10:17:01 ubuntuprueba CRON[66257]: pam_unix(cron:session): session opened for user root by (uid=0) >> Dec 9 10:17:01 ubuntuprueba CRON[66257]: pam_unix(cron:session): session closed for user root >> Dec 9 10:18:29 ubuntuprueba sshd[66300]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.X.X.X user=usupru2 >> Dec 9 10:18:29 ubuntuprueba sshd[66300]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.X.X.X user=usupru2 >> Dec 9 10:18:29 ubuntuprueba sshd[66298]: Accepted keyboard-interactive/pam for usupru2 from 10.X.X.X port 43578 ssh2 >> Dec 9 10:18:29 ubuntuprueba sshd[66298]: pam_unix(sshd:session): session opened for user usupru2 by (uid=0) >> >> Any help is appreciated. Thanks very much. > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

I have applied your 4 steps solution (instead of clearing the caches in the fifth step, I just rebooted the IPA server), and it looks good so far. I will do some more tests during the following days, and then will post the results.