<div dir="ltr">In the logs, there are lots of warnings concerning the pki tomcat server:<br>
<br>
Aug 13 09:51:56 lead.bioinf.local systemd[1]: Started The Apache HTTP Server.<br>
Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting system-pki\x2dtomcatd.slice.<br>
Aug 13 09:51:56 lead.bioinf.local systemd[1]: Created slice system-pki\x2dtomcatd.slice.<br>
Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting PKI Tomcat Server.<br>
Aug 13 09:51:56 lead.bioinf.local systemd[1]: Reached target PKI Tomcat Server.<br>
Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting PKI Tomcat Server pki-tomcat...<br>
Aug 13 09:51:57 lead.bioinf.local systemd[1]: Started PKI Tomcat Server pki-tomcat.<br>
Aug 13 09:51:57 lead.bioinf.local server[5213]: Java virtual machine used: /usr/bin/java<br>
Aug 13 09:51:57 lead.bioinf.local server[5213]: classpath used:
/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar<br>
Aug 13 09:51:57 lead.bioinf.local server[5213]: main class used: org.apache.catalina.startup.Bootstrap<br>
Aug 13 09:51:57 lead.bioinf.local server[5213]: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base<br>
Aug 13 09:51:57 lead.bioinf.local server[5213]: options used:
-Dcatalina.base=/var/lib/pki/pki-tomcat
-Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs=
-Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp
-Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties
-Djav<br>
Aug 13 09:51:57 lead.bioinf.local server[5213]: arguments used: start<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'enableOCSP' to 'false' did not find a matching property.<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspResponderURL' to '<a href="http://lead.bioinf.local:9080/ca/ocsp">http://lead.bioinf.local:9080/ca/ocsp</a>' did not
find a matching property.<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not
find a matching property.<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspCacheSize' to '1000' did not find a matching property.<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspMinCacheEntryDuration' to '60' did not find a matching property.<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspMaxCacheEntryDuration' to '120' did not find a matching property.<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspTimeout' to '10' did not find a matching property.<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'strictCiphers' to 'true' did not find a matching property.<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'sslOptions' to 'ssl2=true,ssl3=true,tls=true' did not find a matching
property.<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ssl2Ciphers' to
'-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ssl3Ciphers' to
'-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'tlsCiphers' to
'-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TL<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'serverCertNickFile' to
'/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a
matching property.<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not
find a matching property.<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile'
did not find a matching property.<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching
property.<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching
property.<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching
property.<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.catalina.startup.SetAllPropertiesRule begin<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'sslRangeCiphers' to
'-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SH<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.tomcat.util.digester.SetPropertiesRule begin<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetPropertiesRule]{Server/Service/Engine/Host} Setting property
'xmlValidation' to 'false' did not find a matching property.<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM org.apache.tomcat.util.digester.SetPropertiesRule begin<br>
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetPropertiesRule]{Server/Service/Engine/Host} Setting property
'xmlNamespaceAware' to 'false' did not find a matching property.<br>
Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM org.apache.coyote.AbstractProtocol init<br>
Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing ProtocolHandler ["http-bio-8080"]<br>
Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM org.apache.coyote.AbstractProtocol init<br>
Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing ProtocolHandler ["http-bio-8443"]<br>
Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher
"TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss<br>
Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher
"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by tomcatjss<br>
Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher
"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" not recognized by tomcatjss<br>
Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher "TLS_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss<br>
Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher
"TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss<br>
Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher
"TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss<br>
Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" unsupported by NSS<br>
Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS<br>
Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM org.apache.coyote.AbstractProtocol init<br>
Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]<br>
Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM org.apache.catalina.startup.Catalina load<br>
Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initialization processed in 995 ms<br>
Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM org.apache.catalina.core.StandardService startInternal<br>
Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Starting service Catalina<br>
Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM org.apache.catalina.core.StandardEngine startInternal<br>
Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Starting Servlet Engine: Apache Tomcat/7.0.54<br>
Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM org.apache.catalina.startup.HostConfig deployDescriptor<br>
Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Deploying
configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml<br>
Aug 13 09:51:59 lead.bioinf.local server[5213]: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback<br>
Aug 13 09:51:59 lead.bioinf.local server[5213]: SSLAuthenticatorWithFallback: Setting container<br>
Aug 13 09:52:01 lead.bioinf.local server[5213]: SSLAuthenticatorWithFallback: Initializing authenticators<br>
Aug 13 09:52:01 lead.bioinf.local server[5213]: SSLAuthenticatorWithFallback: Starting authenticators<br>
Aug 13 09:52:12 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:12 AM org.apache.catalina.startup.HostConfig deployDescriptor<br>
Aug 13 09:52:12 lead.bioinf.local server[5213]: INFO: Deployment of
configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
has finished in 13,391 ms<br>
Aug 13 09:52:12 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:12 AM org.apache.catalina.startup.HostConfig deployDescriptor<br>
Aug 13 09:52:12 lead.bioinf.local server[5213]: INFO: Deploying
configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml<br>
Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM org.apache.jasper.EmbeddedServletOptions <init><br>
Aug 13 09:52:16 lead.bioinf.local server[5213]: SEVERE: The scratchDir
you specified: /var/lib/pki/pki-tomcat/work/Catalina/localhost/pki is
unusable.<br>
Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM org.apache.catalina.startup.HostConfig deployDescriptor<br>
Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Deployment of
configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml
has finished in 2,683 ms<br>
Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM org.apache.coyote.AbstractProtocol start<br>
Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting ProtocolHandler ["http-bio-8080"]<br>
Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM org.apache.coyote.AbstractProtocol start<br>
Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting ProtocolHandler ["http-bio-8443"]<br>
Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM org.apache.coyote.AbstractProtocol start<br>
Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"]<br>
Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM org.apache.catalina.startup.Catalina start<br>
Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Server startup in 17320 ms<br>
<br>
Could this be related to my slow login problem?</div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 12, 2015 at 5:21 PM, seli irithyl <span dir="ltr"><<a href="mailto:seli.irithyl@gmail.com" target="_blank">seli.irithyl@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br>
If I ssh with an IPA user, authentication hangs on "we sent a
gssapi-with-mic packet, wait for reply" for 5s to 10s<br>
If I ssh with a local user, auth is nearly immediate (less than 1s)<br>
<br>
<br>
From a client:<br>
[test@argon ~]$ time id test<br>
uid=1713400050(test) gid=1713400050(test)
groups=1713400050(test),1713400004(bioinfo)<br>
<br>
real 0m2.269s<br>
user 0m0.001s<br>
sys 0m0.004s<br>
<br>
[test@argon ~]$ time id test<br>
uid=1713400050(test) gid=1713400050(test)
groups=1713400050(test),1713400004(bioinfo)<br>
<br>
real 0m0.005s<br>
user 0m0.002s<br>
sys 0m0.003s<br>
<br>
<br>
[test@argon ~]$ time ipa user-find test<br>
--------------<br>
1 user matched<br>
--------------<br>
User login: test<br>
First name: test<br>
Last name: user<br>
Home directory: /home/test<br>
Login shell: /bin/bash<br>
Email address: <a href="mailto:test@bioinf.local" target="_blank">test@bioinf.local</a><br>
UID: 1713400050<br>
GID: 1713400050<br>
Account disabled: False<br>
Password: True<br>
Kerberos keys available: True<br>
----------------------------<br>
Number of entries returned 1<br>
----------------------------<br>
<br>
real 0m1.464s<br>
user 0m0.348s<br>
sys 0m0.062s<br>
<br>
<br>
Following the guide you sent me:<br>
On the server:<br>
<br>
[root@lead sssd]# systemctl status sssd <br>
sssd.service - System Security Services Daemon<br>
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled)<br>
Drop-In: /etc/systemd/system/sssd.service.d<br>
└─journal.conf<br>
Active: active (running) since Wed 2015-08-12 16:55:50 CEST;
11min ago<br>
Process: 6495 ExecStart=/usr/sbin/sssd -D -f (code=exited,
status=0/SUCCESS)<br>
Main PID: 6496 (sssd)<br>
CGroup: /system.slice/sssd.service<br>
├─6496 /usr/sbin/sssd -D -f<br>
├─6497 /usr/libexec/sssd/sssd_be --domain bioinf.local
--uid 0 --gid 0 --debug-to-files<br>
├─6498 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0
--debug-to-files<br>
├─6499 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0
--debug-to-files<br>
├─6500 /usr/libexec/sssd/sssd_autofs --uid 0 --gid 0
--debug-to-files<br>
├─6501 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0
--debug-to-files<br>
├─6502 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0
--debug-to-files<br>
└─6503 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0
--debug-to-files<br>
<br>
Aug 12 16:55:50 lead.bioinf.local sssd[autofs][6500]: Starting up<br>
Aug 12 16:55:50 lead.bioinf.local sssd[pam][6499]: Starting up<br>
Aug 12 16:55:50 lead.bioinf.local sssd[sudo][6502]: Starting up<br>
Aug 12 16:55:50 lead.bioinf.local sssd[ssh][6501]: Starting up<br>
Aug 12 16:55:50 lead.bioinf.local sssd[pac][6503]: Starting up<br>
Aug 12 16:55:50 lead.bioinf.local sssd_be[6497]: GSSAPI client step
1<br>
Aug 12 16:55:50 lead.bioinf.local sssd_be[6497]: GSSAPI client step
1<br>
Aug 12 16:55:50 lead.bioinf.local systemd[1]: Started System
Security Services Daemon.<br>
Aug 12 16:55:51 lead.bioinf.local sssd_be[6497]: GSSAPI client step
1<br>
Aug 12 16:55:51 lead.bioinf.local sssd_be[6497]: GSSAPI client step
2<br>
<br>
<br>
[root@lead sssd]# more /etc/nsswitch.conf<br>
passwd: files sss<br>
shadow: files sss<br>
group: files sss<br>
#initgroups: files<br>
<br>
#hosts: db files nisplus nis dns<br>
hosts: files dns<br>
<br>
# Example - obey only what nisplus tells us...<br>
#services: nisplus [NOTFOUND=return] files<br>
#networks: nisplus [NOTFOUND=return] files<br>
#protocols: nisplus [NOTFOUND=return] files<br>
#rpc: nisplus [NOTFOUND=return] files<br>
#ethers: nisplus [NOTFOUND=return] files<br>
#netmasks: nisplus [NOTFOUND=return] files<br>
<br>
bootparams: nisplus [NOTFOUND=return] files<br>
<br>
ethers: files<br>
netmasks: files<br>
networks: files<br>
protocols: files<br>
rpc: files<br>
services: files sss<br>
<br>
netgroup: files sss<br>
<br>
publickey: nisplus<br>
<br>
automount: files<br>
<br>
aliases: files <br>
<br>
<br>
[root@lead sssd]# date<br>
Wed Aug 12 17:09:50 CEST 2015<br>
[root@lead sssd]# systemctl restart sssd<br>
[root@lead sssd]# getent passwd test<br>
test:*:1713400050:1713400050:test user:/home/test:/bin/bash<br>
<br>
<br>
sssd_nss.log:<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]]
[sss_responder_ctx_destructor] (0x0400): Responder is being shut
down<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [server_setup] (0x0400):
CONFDB: /var/lib/sss/db/config.ldb<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [confdb_get_domain_internal]
(0x0400): No enumeration for [bioinf.local]!<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sbus_init_connection]
(0x0400): Adding connection 0x7ff00ae60ec0<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [monitor_common_send_id]
(0x0100): Sending ID: (nss,1)<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_names_init_from_args]
(0x0100): Using re
[(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_fqnames_init] (0x0100):
Using fq format [%1$s@%2$s].<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sbus_init_connection]
(0x0400): Adding connection 0x7ff00ae60b00<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [dp_common_send_id] (0x0100):
Sending ID to DP: (1,NSS)<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sysdb_domain_init_internal]
(0x0200): DB File for bioinf.local:
/var/lib/sss/db/cache_bioinf.local.ldb<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [ldb] (0x0400): asq: Unable
to register control with rootdse!<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_process_init] (0x0400):
Responder Initialization complete<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'root' matched without domain, user is root<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/USER/bioinf.local/root] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'polkitd' matched without domain, user is polkitd<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/USER/bioinf.local/polkitd] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'avahi' matched without domain, user is avahi<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/USER/bioinf.local/avahi] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'colord' matched without domain, user is colord<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/USER/bioinf.local/colord] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'rtkit' matched without domain, user is rtkit<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/USER/bioinf.local/rtkit] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'pulse' matched without domain, user is pulse<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/USER/bioinf.local/pulse] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'gdm' matched without domain, user is gdm<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/USER/bioinf.local/gdm] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'postfix' matched without domain, user is postfix<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/USER/bioinf.local/postfix] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'root' matched without domain, user is root<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/GROUP/bioinf.local/root] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'polkitd' matched without domain, user is polkitd<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/GROUP/bioinf.local/polkitd] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'avahi' matched without domain, user is avahi<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/GROUP/bioinf.local/avahi] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'colord' matched without domain, user is colord<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/GROUP/bioinf.local/colord] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'rtkit' matched without domain, user is rtkit<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/GROUP/bioinf.local/rtkit] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'pulse' matched without domain, user is pulse<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/GROUP/bioinf.local/pulse] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'gdm' matched without domain, user is gdm<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/GROUP/bioinf.local/gdm] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'postfix' matched without domain, user is postfix<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str]
(0x0400): Adding [NCE/GROUP/bioinf.local/postfix] to negative cache
permanently<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells]
(0x0400): Found shell /bin/sh in /etc/shells<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells]
(0x0400): Found shell /bin/bash in /etc/shells<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells]
(0x0400): Found shell /sbin/nologin in /etc/shells<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells]
(0x0400): Found shell /usr/bin/sh in /etc/shells<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells]
(0x0400): Found shell /usr/bin/bash in /etc/shells<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells]
(0x0400): Found shell /usr/sbin/nologin in /etc/shells<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells]
(0x0400): Found shell /bin/tcsh in /etc/shells<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells]
(0x0400): Found shell /bin/csh in /etc/shells<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [responder_set_fd_limit]
(0x0100): Maximum file descriptors set to [8192]<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_names_init_from_args]
(0x0100): Using re
[(?P<name>[^@]+)@?(?P<domain>[^@]*$)].<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_fqnames_init] (0x0100):
Using fq format [%1$s@%2$s].<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_process_init] (0x0400):
NSS Initialization complete<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_issue_request]
(0x0400): Issuing request for [0x7ff00a44a670:domains@bioinf.local]<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_get_domains_msg]
(0x0400): Sending get domains request for [bioinf.local][]<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_internal_get_send]
(0x0400): Entering request [0x7ff00a44a670:domains@bioinf.local]<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [dp_id_callback] (0x0100):
Got id ack and version (1) from DP<br>
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [id_callback] (0x0100): Got
id ack and version (1) from Monitor<br>
(Wed Aug 12 17:09:59 2015) [sssd[nss]] [sss_dp_req_destructor]
(0x0400): Deleting request: [0x7ff00a44a670:domains@bioinf.local]<br>
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [accept_fd_handler] (0x0400):
Client connected!<br>
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [sss_cmd_get_version]
(0x0200): Received client version [1].<br>
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [sss_cmd_get_version]
(0x0200): Offered version [1].<br>
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400):
Running command [17] with input [root].<br>
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'root' matched without domain, user is root<br>
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
Requesting info for [root] from [<ALL>]<br>
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getpwnam_search]
(0x0400): User [root] does not exist in [bioinf.local]! (negative
cache)<br>
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getpwnam_search]
(0x0080): No matching domain found for [root], fail!<br>
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400):
Running command [38] with input [root].<br>
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'root' matched without domain, user is root<br>
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
Requesting info for [root] from [<ALL>]<br>
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_initgroups_search]
(0x0400): User [root] does not exist in [bioinf.local]! (negative
cache)<br>
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_initgroups_search]
(0x0080): No matching domain found for [root], fail!<br>
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [client_recv] (0x0200):
Client disconnected!<br>
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [accept_fd_handler] (0x0400):
Client connected!<br>
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [sss_cmd_get_version]
(0x0200): Received client version [1].<br>
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [sss_cmd_get_version]
(0x0200): Offered version [1].<br>
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400):
Running command [17] with input [test].<br>
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'test' matched without domain, user is test<br>
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
Requesting info for [test] from [<ALL>]<br>
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search]
(0x0100): Requesting info for [test@bioinf.local]<br>
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [check_cache] (0x0400):
Cached entry is valid, returning..<br>
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search]
(0x0400): Returning info for user [test@bioinf.local]<br>
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [client_recv] (0x0200):
Client disconnected!<br>
<br>
sssd.conf:<br>
[sssd]<br>
debug_level = 6<br>
config_file_version = 2<br>
services = nss, pam, autofs, ssh, sudo<br>
domains = bioinf.local<br>
<br>
[nss]<br>
debug_level = 6<br>
filter_users = root, polkitd, avahi, colord, rtkit, pulse, gdm,
postfix<br>
filter_groups = root, polkitd, avahi, colord, rtkit, pulse, gdm,
postfix<br>
reconnection_retries = 3<br>
entry_cache_timeout = 300<br>
entry_cache_nowait_percentage = 75<br>
<br>
[pam]<br>
debug_level = 6<br>
<br>
[domain/bioinf.local]<br>
enumerate = false<br>
debug_level = 6<br>
cache_credentials = True<br>
krb5_store_password_if_offline = True<br>
ipa_domain = bioinf.local<br>
id_provider = ipa<br>
auth_provider = ipa<br>
access_provider = ipa<br>
ipa_hostname = lead.bioinf.local<br>
chpass_provider = ipa<br>
ipa_server = _srv_, lead.bioinf.local<br>
ipa_server_mode = True<br>
ldap_tls_cacert = /etc/ipa/ca.crt<br>
krb5_lifetime = 1d<br>
krb5_renewable_lifetime = 7d<br>
krb5_renew_interval = 3600<br>
<br>
<br>
[ssh]<br>
debug_level = 6<br>
<br>
[autofs]<br>
debug_level = 6<br>
<br>
[sudo]<br>
<br>
</div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Aug 11, 2015 at 1:39 PM, Jakub Hrozek <span dir="ltr"><<a href="mailto:jhrozek@redhat.com" target="_blank">jhrozek@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On Tue, Aug 11, 2015 at 10:37:16AM +0200, seli irithyl wrote:<br>
> Hi,<br>
><br>
> I inherited a server (the guy that built it left) running CentOS 7 and<br>
> Identity Management (Kerberos, 389DS, ...) with NFS.<br>
> Everything concerning login (with network accounts) is very slow (several<br>
> seconds).<br>
> I already solved a lot of problems on this server (DNS, NTP, firewall, ...),<br>
> but I am neither a sysadmin nor a Linux guru and I don't know where and<br>
> what to look for.<br>
> Kerberos? 389DS? NFS? SELinux? sssd? ...<br>
<br>
</span>Can you define "slow" better? Can you estimate how big your<br>
environment is?<br>
<br>
I would start by comparing the time it takes to search the entry in LDAP<br>
or kinit with login through GDM or SSH. Then, if the times differ, look<br>
into SSSD. Some pointers are here:<br>
<a href="https://fedorahosted.org/sssd/wiki/Troubleshooting" rel="noreferrer" target="_blank">https://fedorahosted.org/sssd/wiki/Troubleshooting</a><br>
<span><font color="#888888"><br>
--<br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project<br>
</font></span></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
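<p>The sssd_nss.log excerpt above shows where login time goes: a backend round trip to the data provider (the <code>domains@bioinf.local</code> request issued at 17:09:56 and deleted at 17:09:59) versus answers served from the negative cache or the entry cache. The following script is an added example, not part of this thread or of SSSD itself; it parses the log format shown in the thread, pairs each <code>Issuing request</code> with its <code>Deleting request</code> line to measure backend latency, and counts cache hits so that slow lookups can be separated from slow SSSD-to-IPA communication. The sample lines are constructed from the excerpt, and timestamps are only second-precise, as in the original log.</p>

```python
import re
from datetime import datetime

# One sssd debug-log record, as printed with debug_level = 6 in the thread:
#   (Wed Aug 12 17:09:56 2015) [sssd[nss]] [func] (0x0400): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<resp>[^\]]+)\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
ISSUE_RE = re.compile(r"Issuing request for \[(?P<req>[^\]]+)\]")
DELETE_RE = re.compile(r"Deleting request: \[(?P<req>[^\]]+)\]")
NEG_CACHE_RE = re.compile(r"does not exist in \[[^\]]+\]! \(negative cache\)")
CACHE_HIT_RE = re.compile(r"Cached entry is valid")

# Constructed sample, modelled on the sssd_nss.log lines quoted in the thread.
SAMPLE_LOG = [
    "(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7ff00a44a670:domains@bioinf.local]",
    "(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [bioinf.local][]",
    "(Wed Aug 12 17:09:59 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7ff00a44a670:domains@bioinf.local]",
    "(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [root].",
    "(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [root] does not exist in [bioinf.local]! (negative cache)",
    "(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0400): User [root] does not exist in [bioinf.local]! (negative cache)",
    "(Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [test].",
    "(Wed Aug 12 17:10:02 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..",
    "this line is not an sssd record and is skipped",
]


def parse_line(line):
    """Split one log line into its fields, or return None if it is not a record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    return rec


def analyze(lines):
    """Measure data-provider round trips and count cache answers.

    Returns {"latencies": {request_id: seconds}, "stats": {...}}.
    A request that is issued but never deleted is counted as still_open.
    """
    open_requests = {}
    latencies = {}
    stats = {"backend_requests": 0, "negative_cache": 0,
             "cache_hit": 0, "unmatched_delete": 0, "still_open": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        m = ISSUE_RE.search(msg)
        if m:
            open_requests[m.group("req")] = rec["ts"]
            stats["backend_requests"] += 1
            continue
        m = DELETE_RE.search(msg)
        if m:
            started = open_requests.pop(m.group("req"), None)
            if started is None:
                stats["unmatched_delete"] += 1
            else:
                latencies[m.group("req")] = (rec["ts"] - started).total_seconds()
            continue
        if NEG_CACHE_RE.search(msg):
            stats["negative_cache"] += 1
        elif CACHE_HIT_RE.search(msg):
            stats["cache_hit"] += 1
    stats["still_open"] = len(open_requests)
    return {"latencies": latencies, "stats": stats}


def slow_requests(report, threshold_seconds=1.0):
    """Request ids whose backend round trip took at least threshold_seconds."""
    return sorted(req for req, secs in report["latencies"].items()
                  if secs >= threshold_seconds)


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for req, secs in report["latencies"].items():
        print(f"{req}: {secs:.0f}s backend round trip")
    print(report["stats"])
    print("slow:", slow_requests(report))
```

Run against a real <code>/var/log/sssd/sssd_nss.log</code> by passing <code>open(path)</code> to <code>analyze()</code>; any request that shows up in <code>slow_requests()</code> points at the SSSD-to-IPA path rather than at the NSS cache.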