All,
First the deets of the setup:
3 IDM servers on RHEL 7.7
ipa version VERSION: 4.6.5, API_VERSION: 2.231
sssd version 1.16.4
389 directory server version 1.3.9.1-10
Clients:
EL7: ipa version 5.6.5, sssd version
EL6: ipa version 3.0.0.51, sssd 1.13.3.60
Servers are set up in an AD trust (ipa-ad-trust-posix). I have done the performance tweaks
for sssd as described at
https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-larg...
and we use the accounts/groups in AD for login, authorization, and file ownership.
There are 3 main issues we are having.
1. On ipa clients on EL 7 servers we are running into sporadic issues. If you totally
clear the sssd cache and do an ls -la on, let's say, /home, where there are 12 unique
owners of directories, usually between 8 and 10 of the UID numbers come back with the
user found, but you have to wait 1 to 5 minutes before the rest of the UIDs owning the
other directories come back as found.
2. Also on ipa clients on EL 7 servers we are running into an issue where occasionally, at
what seem like totally random times, AD users that normally can access a client suddenly
can't. Someone will have to go in and clear the SSSD cache, after which the user will
once again be able to access the system.
3. There are some users that are just not visible on the EL 6 clients. On the IDM servers
and on EL 7 clients the AD users can be found with id and the users can log in. On
EL 6 those AD users just do not resolve and cannot be seen.
Anyway, we have had Red Hat support looking at problem 3 for almost 2 months now with no
luck. We have been poking around at problems 1 and 2 but no eureka moments as of yet.
I'm hoping someone else on this list has encountered these same issues and found a
solution. I would greatly appreciate any insight and help that anyone could provide.
Sincerely,
—
Bob Jones
Lead Linux Services Engineer
ITS ECP - Linux Services
University of Virginia
rwj5d(a)virginia.edu
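The reproduction in problem 1 (clear the cache, list /home, watch which owners come back as numbers) is easy to turn into a measurement. The script below is an added example, not code from the post or from the IPA/SSSD projects: it records, per owner UID, how many seconds after the cache was invalidated the UID first resolved through NSS, and which UIDs are still numeric when a deadline passes. The directory and timeout arguments, and the function names, are my own; it assumes GNU stat and getent and the sss_cache tool (package sssd-tools on EL7), and must run as root for the sss_cache step. `sss_cache -E` marks every cached entry expired; if "totally clear" in the post means removing the files under /var/lib/sss/db with sssd stopped, run the probe after that instead.

```shell
#!/bin/sh
# Added example (not from the original post): time how long the owners of a
# directory's entries take to resolve after the SSSD cache is invalidated.
# Assumes GNU stat, getent, and sss_cache (package sssd-tools on EL7).
set -eu

# Print the distinct numeric owner UIDs of the entries directly under $1.
# stat -c %u prints the raw UID, so this step performs no name lookup itself.
owner_uids() {
    for entry in "$1"/* "$1"/.[!.]*; do
        [ -e "$entry" ] || continue
        stat -c %u "$entry"
    done | sort -un
}

# Read UIDs from stdin and print the ones getent cannot turn into a name.
# This is the same NSS lookup ls -l does when it shows a name instead of a number.
unresolved() {
    while read -r uid; do
        [ -n "$uid" ] || continue
        getent passwd "$uid" >/dev/null 2>&1 || echo "$uid"
    done
}

# Poll the owners of $1 until all resolve or $2 seconds have passed, checking
# every $3 seconds. Prints the elapsed time at which each UID first resolved;
# returns 1 with the leftovers listed if the deadline passes.
wait_for_resolution() {
    dir=$1 timeout=${2:-600} interval=${3:-5}
    start=$(date +%s)
    pending=$(owner_uids "$dir")
    while :; do
        elapsed=$(( $(date +%s) - start ))
        still=$(printf '%s\n' $pending | unresolved)
        # Report every UID that was pending last pass and is resolvable now.
        for uid in $pending; do
            if ! printf '%s\n' $still | grep -qx "$uid"; then
                printf '%4ds  uid %s resolved\n' "$elapsed" "$uid"
            fi
        done
        pending=$still
        [ -n "$pending" ] || return 0
        if [ "$elapsed" -ge "$timeout" ]; then
            printf '%4ds  still unresolved after deadline:' "$elapsed"
            printf ' %s' $pending
            echo
            return 1
        fi
        sleep "$interval"
    done
}

# The full reproduction from the post: expire every cached entry, then watch
# the owners of the directory come back. sss_cache needs root.
probe() {
    sss_cache -E
    wait_for_resolution "$1" "${2:-600}" 5
}

# Run the probe only when given an absolute directory, e.g.:  ./sssd-probe.sh /home 600
case "${1:-}" in
    /*) probe "$1" "${2:-600}" ;;
esac
```

Run it on the client right after clearing the cache and keep the output next to the sssd domain log for the same interval; the timestamps tell you whether the slow UIDs are all waiting on one backend request or trickling in one at a time, which is the first thing to compare with the domain log before tuning further. For problem 2 the `unresolved` function is also a quick check to run on the single UID of the user who has just been refused, before anyone clears the cache and destroys the evidence.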