<div dir="ltr"><br>
If I ssh with an IPA user, authentication hangs on "we sent a
gssapi-with-mic packet, wait for reply" for 5s to 10s.<br>
If I ssh with a local user, auth is nearly immediate (less than 1s).<br>
<br>
<br>
From a client:<br>
[test@argon ~]$ time id test<br>
uid=1713400050(test) gid=1713400050(test)
groups=1713400050(test),1713400004(bioinfo)<br>
<br>
real 0m2.269s<br>
user 0m0.001s<br>
sys 0m0.004s<br>
<br>
[test@argon ~]$ time id test<br>
uid=1713400050(test) gid=1713400050(test)
groups=1713400050(test),1713400004(bioinfo)<br>
<br>
real 0m0.005s<br>
user 0m0.002s<br>
sys 0m0.003s<br>
<br>
<br>
[test@argon ~]$ time ipa user-find test<br>
--------------<br>
1 user matched<br>
--------------<br>
User login: test<br>
First name: test<br>
Last name: user<br>
Home directory: /home/test<br>
Login shell: /bin/bash<br>
Email address: <a class="moz-txt-link-abbreviated" href="mailto:test@bioinf.local">test@bioinf.local</a><br>
UID: 1713400050<br>
GID: 1713400050<br>
Account disabled: False<br>
Password: True<br>
Kerberos keys available: True<br>
----------------------------<br>
Number of entries returned 1<br>
----------------------------<br>
<br>
real 0m1.464s<br>
user 0m0.348s<br>
sys 0m0.062s<br>
<br>
<br>
Following the guide you sent me:<br>
On the server:<br>
<br>
[root@lead sssd]# systemctl status sssd <br>
sssd.service - System Security Services Daemon<br>
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled)<br>
Drop-In: /etc/systemd/system/sssd.service.d<br>
└─journal.conf<br>
Active: active (running) since Wed 2015-08-12 16:55:50 CEST;
11min ago<br>
Process: 6495 ExecStart=/usr/sbin/sssd -D -f (code=exited,
status=0/SUCCESS)<br>
Main PID: 6496 (sssd)<br>
CGroup: /system.slice/sssd.service<br>
├─6496 /usr/sbin/sssd -D -f<br>
├─6497 /usr/libexec/sssd/sssd_be --domain bioinf.local
--uid 0 --gid 0 --debug-to-files<br>
├─6498 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0
--debug-to-files<br>
├─6499 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0
--debug-to-files<br>
├─6500 /usr/libexec/sssd/sssd_autofs --uid 0 --gid 0
--debug-to-files<br>
├─6501 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0
--debug-to-files<br>
├─6502 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0
--debug-to-files<br>
└─6503 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0
--debug-to-files<br>
<br>
Aug 12 16:55:50 lead.bioinf.local sssd[autofs][6500]: Starting up<br>
Aug 12 16:55:50 lead.bioinf.local sssd[pam][6499]: Starting up<br>
Aug 12 16:55:50 lead.bioinf.local sssd[sudo][6502]: Starting up<br>
Aug 12 16:55:50 lead.bioinf.local sssd[ssh][6501]: Starting up<br>
Aug 12 16:55:50 lead.bioinf.local sssd[pac][6503]: Starting up<br>
Aug 12 16:55:50 lead.bioinf.local sssd_be[6497]: GSSAPI client step
1<br>
Aug 12 16:55:50 lead.bioinf.local sssd_be[6497]: GSSAPI client step
1<br>
Aug 12 16:55:50 lead.bioinf.local systemd[1]: Started System
Security Services Daemon.<br>
Aug 12 16:55:51 lead.bioinf.local sssd_be[6497]: GSSAPI client step
1<br>
Aug 12 16:55:51 lead.bioinf.local sssd_be[6497]: GSSAPI client step
2<br>
<br>
<br>
[root@lead sssd]# more /etc/nsswitch.conf<br>
passwd: files sss<br>
shadow: files sss<br>
group: files sss<br>
#initgroups: files<br>
<br>
#hosts: db files nisplus nis dns<br>
hosts: files dns<br>
<br>
# Example - obey only what nisplus tells us...<br>
#services: nisplus [NOTFOUND=return] files<br>
#networks: nisplus [NOTFOUND=return] files<br>
#protocols: nisplus [NOTFOUND=return] files<br>
#rpc: nisplus [NOTFOUND=return] files<br>
#ethers: nisplus [NOTFOUND=return] files<br>
#netmasks: nisplus [NOTFOUND=return] files<br>
<br>
bootparams: nisplus [NOTFOUND=return] files<br>
<br>
ethers: files<br>
netmasks: files<br>
networks: files<br>
protocols: files<br>
rpc: files<br>
services: files sss<br>
<br>
netgroup: files sss<br>
<br>
publickey: nisplus<br>
<br>
automount: files<br>
<br>
aliases: files <br>
<br>
<br>
[root@lead sssd]# date<br>
Wed Aug 12 17:09:50 CEST 2015<br>
[root@lead sssd]# systemctl restart sssd<br>
[root@lead sssd]# getent passwd test<br>
test:*:1713400050:1713400050:test user:/home/test:/bin/bash<br>
<br>
<br>
sssd_nss.log:<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]]
[sss_responder_ctx_destructor] (0x0400): Responder is being shut
down<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [server_setup] (0x0400):
CONFDB: /var/lib/sss/db/config.ldb<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [confdb_get_domain_internal]
(0x0400): No enumeration for [bioinf.local]!<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sbus_init_connection]
(0x0400): Adding connection 0x7ff00ae60ec0<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [monitor_common_send_id]
(0x0100): Sending ID: (nss,1)<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_names_init_from_args]
(0x0100): Using re
[(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_fqnames_init] (0x0100):
Using fq format [%1$s@%2$s].<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sbus_init_connection]
(0x0400): Adding connection 0x7ff00ae60b00<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [dp_common_send_id] (0x0100):
Sending ID to DP: (1,NSS)<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sysdb_domain_init_internal]
(0x0200): DB File for bioinf.local:
/var/lib/sss/db/cache_bioinf.local.ldb<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [ldb] (0x0400): asq: Unable
to register control with rootdse!<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_process_init] (0x0400):
Responder Initialization complete<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'root' matched without domain, user is root<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/USER/bioinf.local/root] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'polkitd' matched without domain, user is polkitd<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/USER/bioinf.local/polkitd] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'avahi' matched without domain, user is avahi<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/USER/bioinf.local/avahi] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'colord' matched without domain, user is colord<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/USER/bioinf.local/colord] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'rtkit' matched without domain, user is rtkit<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/USER/bioinf.local/rtkit] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'pulse' matched without domain, user is pulse<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/USER/bioinf.local/pulse] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'gdm' matched without domain, user is gdm<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/USER/bioinf.local/gdm] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'postfix' matched without domain, user is postfix<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/USER/bioinf.local/postfix] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'root' matched without domain, user is root<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/GROUP/bioinf.local/root] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'polkitd' matched without domain, user is polkitd<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/GROUP/bioinf.local/polkitd] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'avahi' matched without domain, user is avahi<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/GROUP/bioinf.local/avahi] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'colord' matched without domain, user is colord<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/GROUP/bioinf.local/colord] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'rtkit' matched without domain, user is rtkit<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/GROUP/bioinf.local/rtkit] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'pulse' matched without domain, user is pulse<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/GROUP/bioinf.local/pulse] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'gdm' matched without domain, user is gdm<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/GROUP/bioinf.local/gdm] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'postfix' matched without domain, user is postfix<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/GROUP/bioinf.local/postfix] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells]
(0x0400): Found shell /bin/sh in /etc/shells<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells]
(0x0400): Found shell /bin/bash in /etc/shells<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells]
(0x0400): Found shell /sbin/nologin in /etc/shells<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells]
(0x0400): Found shell /usr/bin/sh in /etc/shells<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells]
(0x0400): Found shell /usr/bin/bash in /etc/shells<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells]
(0x0400): Found shell /usr/sbin/nologin in /etc/shells<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells]
(0x0400): Found shell /bin/tcsh in /etc/shells<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells]
(0x0400): Found shell /bin/csh in /etc/shells<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [responder_set_fd_limit]
(0x0100): Maximum file descriptors set to [8192]<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_names_init_from_args]
(0x0100): Using re
[(?P<name>[^@]+)@?(?P<domain>[^@]*$)].<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_fqnames_init] (0x0100):
Using fq format [%1$s@%2$s].<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_process_init] (0x0400):
NSS Initialization complete<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_issue_request]
(0x0400): Issuing request for [0x7ff00a44a670:domains@bioinf.local]<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_get_domains_msg]
(0x0400): Sending get domains request for [bioinf.local][]<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_internal_get_send]
(0x0400): Entering request [0x7ff00a44a670:domains@bioinf.local]<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [dp_id_callback] (0x0100):
Got id ack and version (1) from DP<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [id_callback] (0x0100): Got
id ack and version (1) from Monitor<br>
(Wed Aug 12 17:09:59 2015) [sssd[nss]] [sss_dp_req_destructor]
(0x0400): Deleting request: [0x7ff00a44a670:domains@bioinf.local]<br>
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [accept_fd_handler] (0x0400):
Client connected!<br>
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [sss_cmd_get_version]
(0x0200): Received client version [1].<br>
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [sss_cmd_get_version]
(0x0200): Offered version [1].<br>
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400):
Running command [17] with input [root].<br>
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'root' matched without domain, user is root<br>
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
Requesting info for [root] from [<ALL>]<br>
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getpwnam_search]
(0x0400): User [root] does not exist in [bioinf.local]! (negative
cache)<br>
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getpwnam_search]
(0x0080): No matching domain found for [root], fail!<br>
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400):
Running command [38] with input [root].<br>
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'root' matched without domain, user is root<br>
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
Requesting info for [root] from [<ALL>]<br>
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_initgroups_search]
(0x0400): User [root] does not exist in [bioinf.local]! (negative
cache)<br>
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_initgroups_search]
(0x0080): No matching domain found for [root], fail!<br>
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [client_recv] (0x0200):
Client disconnected!<br>
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [accept_fd_handler] (0x0400):
Client connected!<br>
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [sss_cmd_get_version]
(0x0200): Received client version [1].<br>
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [sss_cmd_get_version]
(0x0200): Offered version [1].<br>
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400):
Running command [17] with input [test].<br>
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'test' matched without domain, user is test<br>
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
Requesting info for [test] from [<ALL>]<br>
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search]
(0x0100): Requesting info for [test@bioinf.local]<br>
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [check_cache] (0x0400):
Cached entry is valid, returning..<br>
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search]
(0x0400): Returning info for user [test@bioinf.local]<br>
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [client_recv] (0x0200):
Client disconnected!<br>
<br>
sssd.conf:<br>
[sssd]<br>
debug_level = 6<br>
config_file_version = 2<br>
services = nss, pam, autofs, ssh, sudo<br>
domains = bioinf.local<br>
<br>
[nss]<br>
debug_level = 6<br>
filter_users = root, polkitd, avahi, colord, rtkit, pulse, gdm, postfix<br>
filter_groups = root, polkitd, avahi, colord, rtkit, pulse, gdm, postfix<br>
reconnection_retries = 3<br>
entry_cache_timeout = 300<br>
entry_cache_nowait_percentage = 75<br>
<br>
[pam]<br>
debug_level = 6<br>
<br>
[domain/bioinf.local]<br>
enumerate = false<br>
debug_level = 6<br>
cache_credentials = True<br>
krb5_store_password_if_offline = True<br>
ipa_domain = bioinf.local<br>
id_provider = ipa<br>
auth_provider = ipa<br>
access_provider = ipa<br>
ipa_hostname = lead.bioinf.local<br>
chpass_provider = ipa<br>
ipa_server = _srv_, lead.bioinf.local<br>
ipa_server_mode = True<br>
ldap_tls_cacert = /etc/ipa/ca.crt<br>
krb5_lifetime = 1d<br>
krb5_renewable_lifetime = 7d<br>
krb5_renew_interval = 3600<br>
<br>
<br>
[ssh]<br>
debug_level = 6<br>
<br>
[autofs]<br>
debug_level = 6<br>
<br>
[sudo]<br>
<br>
</div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Aug 11, 2015 at 1:39 PM, Jakub Hrozek <span dir="ltr"><<a href="mailto:jhrozek@redhat.com" target="_blank">jhrozek@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Tue, Aug 11, 2015 at 10:37:16AM +0200, seli irithyl wrote:<br>
> Hi,<br>
><br>
> I inherited a server (the guy that built it left) running centos 7 and<br>
> Identity Management (Kerberos, 389DS, ...) with NFS.<br>
> Everything concerning login (with network accounts) is very slow ( several<br>
> seconds)<br>
> I already solved a lot of problems on this server(DNS, NTP, firewall, ...),<br>
> but I am neither a sysadmin nor a linux guru and I don't know where and<br>
> what to look for ?<br>
> Kerberos ? 389DS ? NFS ? SElinux ? sssd ? ...<br>
<br>
</span>Can you define "slow" better? Can you estimate how big your<br>
environment is?<br>
<br>
I would start by comparing the time it takes to search the entry in LDAP<br>
or kinit with login through GDM or SSH. Then, if the times differ, look<br>
into SSSD. Some pointers are here:<br>
<a href="https://fedorahosted.org/sssd/wiki/Troubleshooting" rel="noreferrer" target="_blank">https://fedorahosted.org/sssd/wiki/Troubleshooting</a><br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project<br>
</font></span></blockquote></div><br></div>
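An added helper, not part of this thread or of SSSD itself, that applies the timing comparison Jakub suggests to the responder log: it pairs each "Issuing request" line with its "Deleting request" line to measure how long sssd_nss waited on the backend, and counts lookups answered from the local cache (the path behind the 0.005s second `id test`). The log-line layout in the regex is inferred from the sssd_nss.log excerpt above and is an assumption; the sample lines are copied from that excerpt.

```python
import re
from datetime import datetime

# Responder log line layout, inferred from the sssd_nss.log excerpt in the thread (assumption):
# (Wed Aug 12 17:09:56 2015) [sssd[nss]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\) "
    r"\[sssd\[(?P<svc>[^\]]+)\]\] \[(?P<func>[^\]]+)\] \((?P<lvl>0x[0-9a-f]+)\): (?P<msg>.*)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"
REQ_START = re.compile(r"Issuing request for \[(?P<req>[^\]]+)\]")
REQ_END = re.compile(r"Deleting request: \[(?P<req>[^\]]+)\]")
CACHE_HIT = "Cached entry is valid"

def parse_line(line):
    """Split one responder log line into its fields; None if it is not a log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m.group("ts"), TS_FMT), "svc": m.group("svc"),
            "func": m.group("func"), "level": int(m.group("lvl"), 16), "msg": m.group("msg")}

def request_latencies(lines):
    """Seconds from 'Issuing request' to 'Deleting request' per request id, i.e. the time
    the responder waited on sssd_be; a request never deleted in the excerpt maps to None."""
    pending, done = {}, {}
    for rec in filter(None, map(parse_line, lines)):
        start = REQ_START.search(rec["msg"])
        if start:
            pending[start.group("req")] = rec["ts"]
            continue
        end = REQ_END.search(rec["msg"])
        if end and end.group("req") in pending:
            done[end.group("req")] = (rec["ts"] - pending.pop(end.group("req"))).total_seconds()
    done.update({req: None for req in pending})
    return done

def cache_hits(lines):
    """Lookups answered from the local sysdb cache, with no round trip to the backend."""
    return sum(1 for rec in filter(None, map(parse_line, lines)) if CACHE_HIT in rec["msg"])

# Sample input: lines copied from the sssd_nss.log pasted in this thread.
SAMPLE_LOG = """\
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7ff00a44a670:domains@bioinf.local]
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [bioinf.local][]
(Wed Aug 12 17:09:59 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7ff00a44a670:domains@bioinf.local]
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [test@bioinf.local]
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
"""

if __name__ == "__main__":
    print(request_latencies(SAMPLE_LOG.splitlines()))  # {'0x7ff00a44a670:domains@bioinf.local': 3.0}
    print(cache_hits(SAMPLE_LOG.splitlines()))         # 1
```

Run it against a full sssd_nss.log (or sssd_pam.log, which shares the layout) to see which backend requests account for the seconds a login spends waiting.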