Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

5.8. Troubleshooting Cross-forest Trusts

This section provides information about possible problems in an cross-forest trust environment and ways to solve them.

5.8.1. Troubleshooting the ipa-extdom Plug-in

IdM clients in an IdM domain with a trust to Active Directory (AD) cannot receive information about users and groups from AD directly. Additionally, IdM does not store information about AD users in Directory Server running on IdM masters. Instead, IdM servers use the ipa-extdom to receive information about AD users and groups and forwards them to the requesting client.

Setting the Config Timeout of the ipa-extdom Plug-in

The ipa-extdom plug-in sends a request to SSSD for the data about AD users. However, not all requested data might be already in the cache of SSSD. In this case, SSSD requests the data from the AD domain controller (DC). This can be time-consuming for certain operations. The config timeout value defines the time in milliseconds of how long the ipa-extdom plug-in waits for a reply of SSSD before the plug-in cancels the connection and returns a timeout error to the caller.
By default, the config timeout is 10000 milliseconds (10 seconds).
  • If you set a too small value, such as 500 milliseconds, SSSD might not have enough time to reply and requests will always return a timeout.
  • If the value is too large, such as 30000 milliseconds (30 seconds), a single request might block the connection to SSSD for this amount of time. Since only one thread can connect to SSSD at a time, all other requests from the plug-in have to wait.
  • If there are many requests sent by IdM clients, they can block all available workers configured for Directory Server and, as a consequence, the server might not be able to reply to any kind of request for some time.
Change the config timeout in the following situations:
  • If IdM clients frequently receive timeout errors before their own search timeout is reached when requesting information about AD users and groups, the config timeout value is too small.
  • If the Directory Server on the IdM server is often locked and the pstack utility reports that many or all worker threads are handling ipa-extdom requests at this time, the value is too large.
For example, to set the config value to 20000 milliseconds (20 seconds), enter:
# ldapmodify -D "cn=directory manager" -W
dn: cn=ipa_extdom_extop,cn=plugins,cn=config

changetype: modify
replace: ipaExtdomMaxNssTimeout
ipaExtdomMaxNssTimeout: 20000

Setting the Maximum Size of the ipa-extdom Plug-in Buffer Used for NSS Calls

The ipa-extdom plug-in uses calls which use the same API as typical name service switch (NSS) calls to request data from SSSD. Those calls use a buffer where SSSD can store the requested data. If the buffer is too small, SSSD returns an ERANGE error and the plug-in retries the request with a larger buffer. The ipaExtdomMaxNssBufSize attribute in the cn=ipa_extdom_extop,cn=plugins,cn=config entry of Directory Server on the IdM master defines the maximum size of the buffer in bytes.
By default, the buffer is 134217728 bytes (128 MB). Only increase the value if, for example, a group has so many members that all names do not fit into the buffer and the IPA client cannot resolve the group.
For example, to set the buffer to 268435456 bytes (256 MB), enter:
# ldapmodify -D "cn=directory manager" -W

dn: cn=ipa_extdom_extop,cn=plugins,cn=config
changetype: modify
replace: ipaExtdomMaxNssBufSize
ipaExtdomMaxNssBufSize: 268435456