On 25/08/2022 05:41, Ranbir via FreeIPA-users wrote:
> After enabling debug_level 9, I managed to figure out that my
> test client was missing the krb5-pkinit package so I installed that.

I thought krb5-pkinit is only needed if you want to use PKINIT? sssd
uses the host/$HOSTNAME principal to establish a FAST channel for
pre-authentication, so I don't see how krb5-pkinit affects things?

> I also noticed errors in sssd_pac.log about the backend being offline. I
> eventually figured out that I needed to add "services = pac" to the
> client's sssd.conf. Note: I had removed the services line because in
> Ubuntu 22, the various services are instead started as needed via their
> sockets (e.g. sssd-autofs.socket, sssd-nss.socket, etc.). If you leave
> them defined in the services line, you get tons of errors during system
> startup.

I thought 'services = pac' was the default in Debian & that Ubuntu would
inherit this?

I did try socket-activating the pac responder, but I found that sssd
would always launch its own pac responder in addition to the
socket-activated one, so sssd-pac.socket is left disabled by default.

> I've resolved those errors, but I'm still seeing extremely slow logins
> when it works. Usually, the login just fails. However, if I log in as
> root and look up AD users, they are found and returned to the terminal.

This could be caused by Ubuntu's extremely annoying login script that
looks up every member of every AD group that you're a member of when you
log in.

https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1863894

Apply my modification to my script or just disable it and see if your
logins are any quicker.

--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9