[Freeipa-users] RHEL 7 beta trust - slow domain user authentication to Linux hosts

Sumit Bose sbose at redhat.com
Wed Feb 12 12:02:00 UTC 2014


On Mon, Feb 10, 2014 at 02:08:22PM -0500, Steve Dainard wrote:
> Sure:
> 

...

> (0x0400): Attempting kinit for realm [MIOVISION.CORP]
> (Mon Feb 10 10:14:58 2014) [[sssd[krb5_child[9879]]]] [validate_tgt]
> (0x0400): TGT verified using key for
> [host/snapshot-test.miolinux.corp at MIOLINUX.CORP].
> (Mon Feb 10 10:15:06 2014) [[sssd[krb5_child[9879]]]] [become_user]
> (0x0200): Trying to become user [799001323][799001323].

...

> (0x0400): Attempting kinit for realm [MIOVISION.CORP]
> (Mon Feb 10 10:16:35 2014) [[sssd[krb5_child[9929]]]] [validate_tgt]
> (0x0400): TGT verified using key for
> [host/snapshot-test.miolinux.corp at MIOLINUX.CORP].
> (Mon Feb 10 10:16:40 2014) [[sssd[krb5_child[9929]]]] [become_user]
> (0x0200): Trying to become user [799001323][799001323].

...

> (0x0400): Attempting kinit for realm [MIOVISION.CORP]
> (Mon Feb 10 10:16:57 2014) [[sssd[krb5_child[9960]]]] [validate_tgt]
> (0x0400): TGT verified using key for
> [host/snapshot-test.miolinux.corp at MIOLINUX.CORP].
> (Mon Feb 10 10:17:01 2014) [[sssd[krb5_child[9960]]]] [become_user]
> (0x0200): Trying to become user [799001323][799001323].

...

> (0x0400): Attempting kinit for realm [MIOVISION.CORP]
> (Mon Feb 10 10:17:30 2014) [[sssd[krb5_child[10018]]]] [validate_tgt]
> (0x0400): TGT verified using key for
> [host/snapshot-test.miolinux.corp at MIOLINUX.CORP].
> (Mon Feb 10 10:17:34 2014) [[sssd[krb5_child[10018]]]] [become_user]
> (0x0200): Trying to become user [799001323][799001323].

As you can see, the time is spent validating the ticket. For a user from
a trusted domain this includes a request for a cross-realm TGT to an AD
server and then a request to an IPA KDC for a service ticket for the
local host. With debug_level 9 and higher, libkrb5 tracing is
switched on, which would show in more detail where the time is lost. It
will also show which AD server is contacted.

You mentioned in your other mail that with a different client the logins
are faster. Are the two clients in the same network segment? Or is there
a chance that the other client is "nearer" to the AD server?

bye,
Sumit
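
An added example, not part of the thread and not sssd's own code: a small Python script that does by hand what Sumit does by eye above, namely pairs the "TGT verified using key" and "Trying to become user" entries of each krb5_child process in krb5_child.log and reports the seconds between them, so the slow logins stand out in a longer log. The regex and phase names assume the entry layout shown in the quoted log. The sample log is constructed for the example: the timestamps are the ones quoted above, each entry is re-joined onto one line as it sits in the real file (the archive wrapped them and renders "@" as "at"), and the one "Attempting kinit" line carries a timestamp made up for the example because the post's copy of that line was cut off before its timestamp.

```python
"""Measure where time goes in an sssd krb5_child.log login trace.

Added example (not from the thread, not sssd code): pairs the phase
markers of each krb5_child PID and reports the gaps in seconds.
"""
import re
from datetime import datetime

# One krb5_child.log entry, e.g.
# (Mon Feb 10 10:14:58 2014) [[sssd[krb5_child[9879]]]] [validate_tgt] (0x0400): TGT verified ...
# (assumed layout, taken from the entries quoted in the mail)
ENTRY_RE = re.compile(
    r"^\((?P<ts>[A-Za-z]{3} [A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\) "
    r"\[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]{4})\): (?P<msg>.*)$"
)

# Message prefixes that mark the phase boundaries we care about.
PHASES = (
    ("kinit", "Attempting kinit for realm"),
    ("verified", "TGT verified using key for"),
    ("become_user", "Trying to become user"),
)


def parse_entry(line):
    """Return (timestamp, pid, phase) for a phase-boundary entry, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    for phase, prefix in PHASES:
        if m.group("msg").startswith(prefix):
            ts_text = " ".join(m.group("ts").split())  # collapse padded day
            ts = datetime.strptime(ts_text, "%a %b %d %H:%M:%S %Y")
            return ts, int(m.group("pid")), phase
    return None


def gap_seconds(marks, start, end):
    """Seconds between two recorded phases, or None if either is missing."""
    if start in marks and end in marks:
        return (marks[end] - marks[start]).total_seconds()
    return None


def login_timings(lines):
    """Per krb5_child PID: seconds from kinit to TGT verified, and from
    TGT verified to become_user (the gap the thread is about)."""
    marks = {}
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue  # trace lines and other functions are skipped
        ts, pid, phase = parsed
        marks.setdefault(pid, {})[phase] = ts
    return {
        pid: {
            "kinit_to_verified": gap_seconds(m, "kinit", "verified"),
            "verified_to_become_user": gap_seconds(m, "verified", "become_user"),
        }
        for pid, m in marks.items()
    }


def slow_logins(timings, threshold_s=2.0):
    """PIDs whose verified -> become_user gap exceeds threshold_s seconds."""
    return sorted(
        pid for pid, t in timings.items()
        if t["verified_to_become_user"] is not None
        and t["verified_to_become_user"] > threshold_s
    )


# Constructed sample modeled on the quoted log. The 10:14:57 kinit
# timestamp is invented for the example; the others are from the post.
SAMPLE_LOG = """\
(Mon Feb 10 10:14:57 2014) [[sssd[krb5_child[9879]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [MIOVISION.CORP]
(Mon Feb 10 10:14:58 2014) [[sssd[krb5_child[9879]]]] [validate_tgt] (0x0400): TGT verified using key for [host/snapshot-test.miolinux.corp@MIOLINUX.CORP].
(Mon Feb 10 10:15:06 2014) [[sssd[krb5_child[9879]]]] [become_user] (0x0200): Trying to become user [799001323][799001323].
(Mon Feb 10 10:16:35 2014) [[sssd[krb5_child[9929]]]] [validate_tgt] (0x0400): TGT verified using key for [host/snapshot-test.miolinux.corp@MIOLINUX.CORP].
(Mon Feb 10 10:16:40 2014) [[sssd[krb5_child[9929]]]] [become_user] (0x0200): Trying to become user [799001323][799001323].
(Mon Feb 10 10:16:57 2014) [[sssd[krb5_child[9960]]]] [validate_tgt] (0x0400): TGT verified using key for [host/snapshot-test.miolinux.corp@MIOLINUX.CORP].
(Mon Feb 10 10:17:01 2014) [[sssd[krb5_child[9960]]]] [become_user] (0x0200): Trying to become user [799001323][799001323].
(Mon Feb 10 10:17:30 2014) [[sssd[krb5_child[10018]]]] [validate_tgt] (0x0400): TGT verified using key for [host/snapshot-test.miolinux.corp@MIOLINUX.CORP].
(Mon Feb 10 10:17:34 2014) [[sssd[krb5_child[10018]]]] [become_user] (0x0200): Trying to become user [799001323][799001323].
""".splitlines()

if __name__ == "__main__":
    timings = login_timings(SAMPLE_LOG)
    for pid in sorted(timings):
        print(pid, timings[pid])
    print("slow:", slow_logins(timings))
```

Run it against a real /var/log/sssd/krb5_child.log by replacing SAMPLE_LOG with the file's lines; entries that do not match ENTRY_RE or one of the PHASES prefixes are ignored, so the extra output from debug_level 9 does not disturb the measurement.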
