We recently set up a FreeIPA server. We're using it for central user management, DNS, and CA. It's been working great with one exception.
Some of the workstations that authenticate with this FreeIPA server are several thousand miles away. Round Trip Time is about 300 ms. We've noticed some unpredictable authentication failures on these machines. One second they'll fail to authenticate a login attempt and then they'll succeed in authenticating only seconds later. We're thinking that the delay is the culprit.
Is there a way to extend the timeout on the clients? Alternatively, we've been considering setting up an IPA replica at the location where these workstations reside. How would the high latency link affect the replica's ability to replicate with the primary server?
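For the timeout part of the question, the knobs live in the client's sssd.conf rather than on the IPA server. The fragment below is an added illustration, not configuration from the poster's site; the domain name is a placeholder, the values are examples chosen for a 300 ms link, and all of the keys are documented sssd options whose unit is seconds.

```ini
; /etc/sssd/sssd.conf on a remote workstation (illustrative values, placeholder domain)
[domain/ipa.example.test]
; Kerberos authentication to the KDC: raise from the small default so a slow
; round trip is not mistaken for an unreachable KDC
krb5_auth_timeout = 15

; LDAP connection setup and per-operation limits against the IPA directory
ldap_network_timeout = 15
ldap_opt_timeout = 15

; DNS lookups (SRV records for the IPA servers) also cross the slow link
dns_resolver_timeout = 10

; Keep logins working from the local cache when the server is slow or unreachable
cache_credentials = True
; How often to retry going back online after sssd decides the server is down
offline_timeout = 60
```

After editing, restart sssd and verify the effective values with `sssctl config-check` before trusting the change; `cache_credentials` only helps users who have already logged in once while the server was reachable.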
Holy crap! I've found the problem. Without going into too much detail, essentially someone had created a crontab that is triggering every 2 minutes. The crontab entry kicks off a script that checks the state of the sssd service and restarts it if it's in a hung or weird state. However, the script is evaluating the state of the sssd service incorrectly and has been restarting it every time the crontab triggered. Someone's going to get an earful in the morning.
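The failure mode here is a watchdog that misreads service state and restarts sssd on every cron tick, so every login that lands during a restart fails. The script below is an added example for this thread, not the poster's cron job: it restarts only when systemd reports the unit as `failed`, records the last restart in a stamp file so that even a wrong check cannot restart more often than the minimum interval, and logs every restart to syslog so the behaviour is visible. It assumes systemd (`systemctl`), `logger`, and a POSIX sh; the decision functions take their inputs as arguments so they can be exercised without a running sssd, and the stamp path and interval are assumed values.

```sh
#!/bin/sh
# Conservative sssd watchdog for cron (illustrative; assumed paths and interval).
# Cron entry (assumed): */2 * * * * /usr/local/sbin/sssd-watchdog.sh run

STAMP=/var/run/sssd-watchdog.stamp   # assumed location of the last-restart record
MIN_INTERVAL=900                     # seconds; never restart more than once per 15 min

# Map the output of `systemctl is-active sssd` to a decision.
# Only "failed" justifies a restart. "active", "activating" and "reloading" are
# healthy or in transition (a slow answer is not a hang), and "inactive" means
# someone stopped the service deliberately, which a watchdog must not override.
sssd_needs_restart() {
    case "$1" in
        failed) return 0 ;;
        *)      return 1 ;;
    esac
}

# Rate limit: allow a restart only if at least $2 seconds have passed since the
# epoch timestamp stored in stamp file $1; the current time is passed as $3.
# This bounds the damage of a misjudged state to one restart per interval.
restart_allowed() {
    stamp="$1"; min_interval="$2"; now="$3"
    last=0
    if [ -r "$stamp" ]; then
        last=$(cat "$stamp")
        last=${last:-0}
    fi
    if [ $((now - last)) -lt "$min_interval" ]; then
        return 1
    fi
    return 0
}

# Record the time of a restart in the stamp file ($1 = file, $2 = epoch seconds).
record_restart() {
    printf '%s\n' "$2" > "$1"
}

main() {
    state=$(systemctl is-active sssd 2>/dev/null || true)
    now=$(date +%s)
    if ! sssd_needs_restart "$state"; then
        exit 0
    fi
    if ! restart_allowed "$STAMP" "$MIN_INTERVAL" "$now"; then
        logger -t sssd-watchdog "sssd is $state but last restart was too recent; not restarting"
        exit 0
    fi
    logger -t sssd-watchdog "sssd is $state; restarting"
    if systemctl restart sssd; then
        record_restart "$STAMP" "$now"
    else
        logger -t sssd-watchdog "restart of sssd failed"
    fi
}

# The real check runs only when invoked with the "run" argument, so the file can
# also be sourced to reuse or test the decision functions.
case "${1:-}" in
    run) main ;;
esac
```

A service that is truly hung while systemd still reports it `active` is not caught by this check; that case is better handled by sssd's own responder timeouts and `sssctl domain-status`, not by a blind periodic restart.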