5.8. Troubleshooting Cross-forest Trusts
This section describes problems that can occur in a cross-forest trust environment and ways to solve them.
5.8.1. Troubleshooting the ipa-extdom Plug-in
IdM clients in an IdM domain with a trust to Active Directory (AD) cannot receive information about users and groups from AD directly. Additionally, IdM does not store information about AD users in the Directory Server running on IdM masters. Instead, IdM servers use the ipa-extdom plug-in to receive information about AD users and groups and forward it to the requesting client.
Setting the Config Timeout of the ipa-extdom Plug-in
The ipa-extdom plug-in sends a request to SSSD for the data about AD users. However, not all requested data might already be in the SSSD cache. In this case, SSSD requests the data from the AD domain controller (DC), which can be time-consuming for certain operations. The config timeout value defines the time in milliseconds for which the ipa-extdom plug-in waits for a reply from SSSD before the plug-in cancels the connection and returns a timeout error to the caller.
By default, the config timeout is 10000 milliseconds (10 seconds).
- If you set too small a value, such as 500 milliseconds, SSSD might not have enough time to reply and requests will always return a timeout.
- If the value is too large, such as 30000 milliseconds (30 seconds), a single request might block the connection to SSSD for this amount of time. Since only one thread can connect to SSSD at a time, all other requests from the plug-in have to wait.
- If IdM clients send many requests, they can block all available workers configured for Directory Server and, as a consequence, the server might not be able to reply to any kind of request for some time.
Change the config timeout in the following situations:
- If IdM clients frequently receive timeout errors before their own search timeout is reached when requesting information about AD users and groups, the config timeout value is too small.
- If the Directory Server on the IdM server is often locked and the pstack utility reports that many or all worker threads are handling ipa-extdom requests at this time, the value is too large.
For example, to set the config value to 20000 milliseconds (20 seconds), enter:
# ldapmodify -D "cn=directory manager" -W
dn: cn=ipa_extdom_extop,cn=plugins,cn=config
changetype: modify
replace: ipaExtdomMaxNssTimeout
ipaExtdomMaxNssTimeout: 20000
Setting the Maximum Size of the ipa-extdom Plug-in Buffer Used for NSS Calls
The ipa-extdom plug-in uses calls that share the API of ordinary name service switch (NSS) calls to request data from SSSD. Those calls use a buffer in which SSSD stores the requested data. If the buffer is too small, SSSD returns an ERANGE error and the plug-in retries the request with a larger buffer. The ipaExtdomMaxNssBufSize attribute in the cn=ipa_extdom_extop,cn=plugins,cn=config entry of Directory Server on the IdM master defines the maximum size of the buffer in bytes.
By default, the buffer is 134217728 bytes (128 MB). Only increase the value if, for example, a group has so many members that not all names fit into the buffer and the IPA client cannot resolve the group.
For example, to set the buffer to 268435456 bytes (256 MB), enter:
# ldapmodify -D "cn=directory manager" -W
dn: cn=ipa_extdom_extop,cn=plugins,cn=config
changetype: modify
replace: ipaExtdomMaxNssBufSize
ipaExtdomMaxNssBufSize: 268435456
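The following shell script is an added example, not part of the Red Hat documentation or the IdM project, that wraps both ldapmodify operations in this section (the config timeout and the NSS buffer size). It builds the LDIF for either attribute, rejects values that are not positive integers, warns when a timeout falls outside the range the text describes as sensible, prints the LDIF for review, and runs ldapmodify only when the APPLY=1 variable is set. The helper names (extdom_ldif, extdom_timeout_check, extdom_set), the APPLY variable and the 1000 ms lower warning bound are this example's own assumptions; the attribute names and the plug-in DN are the ones given above.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): generate, review and
# optionally apply ipa-extdom plug-in settings. The attribute names and the
# plug-in DN come from the text above; the helper names, the APPLY variable
# and the warning thresholds are this example's own choices.

EXTDOM_DN='cn=ipa_extdom_extop,cn=plugins,cn=config'

# extdom_ldif ATTR VALUE
# Print the LDIF that replaces ATTR with VALUE on the plug-in entry.
# Returns 1 (printing nothing on stdout) if ATTR is not one of the two
# documented attributes or VALUE is not a positive integer.
extdom_ldif() {
    attr=$1
    value=$2
    case "$attr" in
        ipaExtdomMaxNssTimeout|ipaExtdomMaxNssBufSize) ;;
        *) echo "unknown attribute: $attr" >&2; return 1 ;;
    esac
    case "$value" in
        ''|*[!0-9]*) echo "value must be a positive integer: '$value'" >&2; return 1 ;;
    esac
    [ "$value" -gt 0 ] || { echo "value must be greater than zero" >&2; return 1; }
    printf 'dn: %s\nchangetype: modify\nreplace: %s\n%s: %s\n' \
        "$EXTDOM_DN" "$attr" "$attr" "$value"
}

# extdom_timeout_check MILLISECONDS
# Returns 0 when the timeout lies in the range the documentation treats as
# reasonable (above the 500 ms "too small" example and at most the 30000 ms
# "too large" example); otherwise prints a warning and returns 1.
# The 1000 ms lower bound is an assumption of this example.
extdom_timeout_check() {
    ms=$1
    if [ "$ms" -lt 1000 ]; then
        echo "warning: $ms ms is very small; SSSD may never reply in time" >&2
        return 1
    fi
    if [ "$ms" -gt 30000 ]; then
        echo "warning: $ms ms is very large; one slow request can hold the only SSSD connection" >&2
        return 1
    fi
    return 0
}

# extdom_set ATTR VALUE
# Validate, print the LDIF for review, and run ldapmodify only when APPLY=1.
extdom_set() {
    ldif=$(extdom_ldif "$1" "$2") || return 1
    if [ "$1" = ipaExtdomMaxNssTimeout ]; then
        extdom_timeout_check "$2" || true   # warn, but do not block the change
    fi
    printf '%s\n' "$ldif"
    if [ "${APPLY:-0}" = 1 ]; then
        # -W prompts for the Directory Manager password, as in the documented command.
        printf '%s\n' "$ldif" | ldapmodify -D "cn=directory manager" -W
    fi
}

# Dry run (prints the LDIF only):  extdom_set ipaExtdomMaxNssTimeout 20000
# Apply on the IdM master:         APPLY=1 extdom_set ipaExtdomMaxNssBufSize 268435456
```

Source the file on the IdM master and call extdom_set; without APPLY=1 it only prints the LDIF, so the change can be reviewed (and compared against the current value from an ldapsearch on the same entry) before it is applied.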