SSSD takes multiple failed login attempts before allowing an AD account to log in

Solution Verified

Issue

The customer has a trust established between IPA and Active Directory.
SSSD takes multiple failed login attempts before allowing an AD account to log in.

The following messages appear in /var/log/sssd/sssd_be.log:

 [sssd[be[example.com]]] [ipa_s2n_get_acct_info_send] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [user1] to IPA server
 [sssd[be[example.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
 [sssd[be[example.com]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 15
 [sssd[be[example.com]]] [sdap_op_add] (0x2000): New operation 15 timeout 6
 [sssd[be[example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x561f6d976ff0], connected[1], ops[0x561f6d983400], ldap[0x561f6d984490]
 [sssd[be[example.com]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
 [sssd[be[example.com]]] [sdap_op_timeout] (0x1000): Issuing timeout for 15
 [sssd[be[example.com]]] [sdap_op_destructor] (0x1000): Abandoning operation 15
 [sssd[be[example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
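
To confirm the same pattern in a larger log, the following added example (not part of the original article and not Red Hat or SSSD code) correlates each s2n extended operation's msgid with its later timeout and abandon messages. The function name find_s2n_timeouts is hypothetical, and the script assumes the trust user request line precedes the "ldap_extended_operation sent" line, as it does in the excerpt above.

```python
import re

# Constructed sample input: the sssd_be.log lines quoted in this article.
SAMPLE_LOG = """\
[sssd[be[example.com]]] [ipa_s2n_get_acct_info_send] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [user1] to IPA server
[sssd[be[example.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
[sssd[be[example.com]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 15
[sssd[be[example.com]]] [sdap_op_add] (0x2000): New operation 15 timeout 6
[sssd[be[example.com]]] [sdap_op_timeout] (0x1000): Issuing timeout for 15
[sssd[be[example.com]]] [sdap_op_destructor] (0x1000): Abandoning operation 15
[sssd[be[example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
"""

LINE = re.compile(r"\[sssd\[be\[([^\]]+)\]\]\] \[(\w+)\] \(0x[0-9a-fA-F]+\): (.*)")
PATTERNS = {  # function name -> regex capturing the value needed from its message
    "ipa_s2n_get_acct_info_send": re.compile(r"for trust user \[([^\]]+)\]"),
    "ipa_s2n_exop_send": re.compile(r"msgid = (\d+)"),
    "sdap_op_add": re.compile(r"New operation (\d+) timeout (\d+)"),
    "sdap_op_timeout": re.compile(r"Issuing timeout for (\d+)"),
    "sdap_op_destructor": re.compile(r"Abandoning operation (\d+)"),
}

def find_s2n_timeouts(text):
    """Return one record per s2n extended operation that hit its timeout."""
    user, ops, hits = None, {}, []
    for raw in text.splitlines():
        line = LINE.search(raw)          # search() tolerates a timestamp prefix
        if not line:
            continue
        domain, func, msg = line.groups()
        pat = PATTERNS.get(func)
        m = pat.search(msg) if pat else None
        if not m:
            continue
        if func == "ipa_s2n_get_acct_info_send":
            user = m.group(1)            # assumption: applies to the next exop sent
            continue
        key = (domain, m.group(1))       # msgid is only meaningful per back end
        if func == "ipa_s2n_exop_send":
            ops[key] = dict(domain=domain, user=user, msgid=int(key[1]), timeout=None, abandoned=False)
        elif key in ops:                 # skip LDAP operations that are not s2n exops
            op = ops[key]
            if func == "sdap_op_add":
                op["timeout"] = int(m.group(2))
            elif func == "sdap_op_timeout":
                hits.append(op)
            else:
                op["abandoned"] = True
    return hits
```

Each returned record names the back-end domain, the trust user, the msgid, the timeout value logged for the operation, and whether the operation was abandoned.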

Environment

  • Red Hat Enterprise Linux 7.4
  • IPA-AD Trust
