Score:0

Slow login with Active Directory on Ubuntu 20.04


I am running an Ubuntu 20.04 machine configured to use my organisation's Active Directory (AD) setup.

There is a significant difference in the login time depending on whether I am connected to my organisation's local network. Away from the network, login takes ~1s, whereas connected to the network it can take several minutes, sometimes even rejecting my password at first before eventually accepting it.

Presumably there is some credential caching going on when I am disconnected from the network, but this difference in login times does seem excessive.

/var/log/auth.log shows the following around a login event:

Feb 21 14:17:01 device_name CRON[16161]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 21 14:17:01 device_name CRON[16161]: pam_unix(cron:session): session closed for user root
Feb 21 14:20:04 device_name gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=user_name
Feb 21 14:20:05 device_name gdm-password]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=user_name
Feb 21 14:20:07 device_name gdm-password]: gkr-pam: unlocked login keyring

The authentication failure from pam_unix after a wait of 3 minutes seems suspicious, but I don't know enough to properly diagnose this.

Does anyone know what could be causing such long login times when connected to the AD network?

Score:0

So... I found the solution to the problem (at least it is working for me and my users). It seems that it has to do with the many, many AD groups we have in our environment.

I had to add a few lines to the sssd.conf file.

ad_gpo_access_control = permissive
ignore_group_members = true
ldap_referrals = false

Afterwards I restarted the system. That did the trick for me. Hope it helps anyone who is fighting with this problem as well.

ETL
Here is a place where the configurations above are described so one knows what this means: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/sssd-gpo
Score:0

I had the same problem. I have Ubuntu 20.04 connected to a Windows Active Directory domain.

I commented out access_provider = ad in /etc/sssd/sssd.conf

....
#access_provider = ad

Then rebooted

Now I can log in without any waiting or timeouts.
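
The settings in both answers also change how sssd decides who may log in: with access_provider unset sssd falls back to its default "permit" provider, and ad_gpo_access_control = permissive evaluates GPO logon rules without enforcing them. As an added example (not from either answer and not part of sssd), this script audits an sssd.conf for those settings; the sample file and its domain name are constructed, and one option name in it is deliberately misspelled to exercise the spelling check.

```python
import configparser
import difflib

# Options discussed in the answers above (real sssd.conf / sssd-ad / sssd-ldap options).
KNOWN = ["access_provider", "ad_gpo_access_control",
         "ignore_group_members", "ldap_referrals"]

# Constructed sample; the domain name is a placeholder and one option
# name is deliberately misspelled to exercise the spelling check.
SAMPLE = """\
[sssd]
domains = ad.example.test

[domain/ad.example.test]
id_provider = ad
#access_provider = ad
ad_gpo_access_control = permissive
ignore_group_members = true
ldap_refferals = false
"""

def audit(text):
    """Return findings about how each [domain/...] section decides logins."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for name in (s for s in cp.sections() if s.startswith("domain/")):
        sec = cp[name]
        provider = sec.get("access_provider", "permit")  # sssd's default
        gpo = sec.get("ad_gpo_access_control", "").strip().lower()
        if provider == "permit":
            findings.append(f"{name}: access_provider is 'permit' (explicit or "
                            "default), so sssd applies no access rules")
        elif provider == "ad" and gpo in ("permissive", "disabled"):
            findings.append(f"{name}: ad_gpo_access_control={gpo}, "
                            "GPO logon rules are not enforced")
        if sec.get("ignore_group_members", "").strip().lower() == "true":
            findings.append(f"{name}: ignore_group_members=true, group "
                            "lookups return no member lists")
        for key in sec:
            near = difflib.get_close_matches(key, KNOWN, n=1, cutoff=0.85)
            if key not in KNOWN and near:
                findings.append(f"{name}: '{key}' is not a known option, "
                                f"did you mean '{near[0]}'?")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

If login access must stay restricted after applying either change, the restriction has to come from somewhere other than the GPO check, and this audit only reports the state; it does not choose a replacement.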
