[Freeipa-users] RHEL 7 beta trust - slow domain user authentication to Linux hosts

Steve Dainard sdainard at miovision.com
Wed Feb 12 16:21:36 UTC 2014


+Ovirt users mailing list - might find this interesting. Quick background:
IPA server with cross-forest trust to Windows domain. Authenticating to
Linux clients with domain kerberos credentials.

I'm hosting CentOS 6.5 as an ovirt guest, and have narrowed this ipa client
slow login issue down to a backend storage cause. If I enable async writes
to NFS the CentOS guest performs as my workstation's VirtualBox guests
(Ubuntu 13.10/Fedora 20) do on login (quick logins).

The client we are investigating is a CentOS 6.5 machine. I've also done the
same test on a RHEL 6.5 machine with the same results. I've increased the
logging level, log attached. I don't see the DC in the logs anywhere.

I guess from an IPA perspective there is not much to be done, but I wanted
to make sure this thread came to some conclusion for future readers. I
suppose the only thing to question is why ipa authentication would have
any reliance on disk read/write speed to this extent? Perhaps we are
caching something to disk that should be cached in memory?


Steve Dainard
IT Infrastructure Manager
Miovision <http://miovision.com/> | Rethink Traffic

Blog <http://miovision.com/blog> | LinkedIn <https://www.linkedin.com/company/miovision-technologies> | Twitter <https://twitter.com/miovision> | Facebook <https://www.facebook.com/miovision>
------------------------------
Miovision Technologies Inc. | 148 Manitou Drive, Suite 101, Kitchener, ON, Canada | N2C 1L3


On Wed, Feb 12, 2014 at 7:02 AM, Sumit Bose <sbose at redhat.com> wrote:

> On Mon, Feb 10, 2014 at 02:08:22PM -0500, Steve Dainard wrote:
> > Sure:
> >
>
> ...
>
> > (0x0400): Attempting kinit for realm [MIOVISION.CORP]
> > (Mon Feb 10 10:14:58 2014) [[sssd[krb5_child[9879]]]] [validate_tgt]
> > (0x0400): TGT verified using key for
> > [host/snapshot-test.miolinux.corp at MIOLINUX.CORP].
> > (Mon Feb 10 10:15:06 2014) [[sssd[krb5_child[9879]]]] [become_user]
> > (0x0200): Trying to become user [799001323][799001323].
>
> ...
>
> > (0x0400): Attempting kinit for realm [MIOVISION.CORP]
> > (Mon Feb 10 10:16:35 2014) [[sssd[krb5_child[9929]]]] [validate_tgt]
> > (0x0400): TGT verified using key for
> > [host/snapshot-test.miolinux.corp at MIOLINUX.CORP].
> > (Mon Feb 10 10:16:40 2014) [[sssd[krb5_child[9929]]]] [become_user]
> > (0x0200): Trying to become user [799001323][799001323].
>
> ...
>
> > (0x0400): Attempting kinit for realm [MIOVISION.CORP]
> > (Mon Feb 10 10:16:57 2014) [[sssd[krb5_child[9960]]]] [validate_tgt]
> > (0x0400): TGT verified using key for
> > [host/snapshot-test.miolinux.corp at MIOLINUX.CORP].
> > (Mon Feb 10 10:17:01 2014) [[sssd[krb5_child[9960]]]] [become_user]
> > (0x0200): Trying to become user [799001323][799001323].
>
> ...
>
> > (0x0400): Attempting kinit for realm [MIOVISION.CORP]
> > (Mon Feb 10 10:17:30 2014) [[sssd[krb5_child[10018]]]] [validate_tgt]
> > (0x0400): TGT verified using key for
> > [host/snapshot-test.miolinux.corp at MIOLINUX.CORP].
> > (Mon Feb 10 10:17:34 2014) [[sssd[krb5_child[10018]]]] [become_user]
> > (0x0200): Trying to become user [799001323][799001323].
>
> as you can see the time is spent to validate the ticket. For a user from
> a trusted domain this includes a request for a cross-realm TGT to an AD
> server and then a request to an IPA KDC for a service ticket for the
> local host. With debug_level 9 and higher the libkrb5 tracing is
> switched on which would in more detail show where the time is lost. It
> will also show which AD server is contacted.
>
> You mentioned in your other mail that with a different client the logins
> are faster. Are the two clients in the same network segment? Or is there
> a chance that the other client is "nearer" to the AD server?
>
> bye,
> Sumit
>
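To put numbers on the gap Sumit points at, here is a small added parser (not code from either poster or from SSSD) that reads sssd krb5_child debug lines of the shape quoted above and reports, per krb5_child PID, how many seconds pass between the "TGT verified" entry of validate_tgt and the "Trying to become user" entry of become_user. The sample log is constructed from the timestamps and PIDs in the quoted excerpts, with each entry on one line and "@" in the principal (the archive rendered it as " at ").

```python
import re
from datetime import datetime

# One krb5_child debug entry per line, e.g.
# (Mon Feb 10 10:14:58 2014) [[sssd[krb5_child[9879]]]] [validate_tgt] (0x0400): TGT verified ...
LINE_RE = re.compile(
    r"^\((?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\) "
    r"\[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] \[(?P<func>\w+)\] "
    r"\(0x[0-9a-f]+\): (?P<msg>.*)$")

def parse_line(line):
    """Return (timestamp, pid, function, message) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, int(m.group("pid")), m.group("func"), m.group("msg")

def validation_gaps(lines):
    """Seconds from 'TGT verified' (validate_tgt) to 'Trying to become user'
    (become_user) for each krb5_child PID, i.e. the span the thread identifies."""
    verified, gaps = {}, {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, pid, func, msg = parsed
        if func == "validate_tgt" and msg.startswith("TGT verified"):
            verified[pid] = ts
        elif func == "become_user" and pid in verified:
            gaps[pid] = int((ts - verified.pop(pid)).total_seconds())
    return gaps

def slow_logins(gaps, threshold_s=5):
    """PIDs whose validation gap is at least threshold_s seconds, slowest first."""
    return sorted((p for p, g in gaps.items() if g >= threshold_s), key=lambda p: -gaps[p])

# Constructed sample: the four logins quoted in the thread, one entry per line.
SAMPLE_LOG = """\
(Mon Feb 10 10:14:58 2014) [[sssd[krb5_child[9879]]]] [validate_tgt] (0x0400): TGT verified using key for [host/snapshot-test.miolinux.corp@MIOLINUX.CORP].
(Mon Feb 10 10:15:06 2014) [[sssd[krb5_child[9879]]]] [become_user] (0x0200): Trying to become user [799001323][799001323].
(Mon Feb 10 10:16:35 2014) [[sssd[krb5_child[9929]]]] [validate_tgt] (0x0400): TGT verified using key for [host/snapshot-test.miolinux.corp@MIOLINUX.CORP].
(Mon Feb 10 10:16:40 2014) [[sssd[krb5_child[9929]]]] [become_user] (0x0200): Trying to become user [799001323][799001323].
(Mon Feb 10 10:16:57 2014) [[sssd[krb5_child[9960]]]] [validate_tgt] (0x0400): TGT verified using key for [host/snapshot-test.miolinux.corp@MIOLINUX.CORP].
(Mon Feb 10 10:17:01 2014) [[sssd[krb5_child[9960]]]] [become_user] (0x0200): Trying to become user [799001323][799001323].
(Mon Feb 10 10:17:30 2014) [[sssd[krb5_child[10018]]]] [validate_tgt] (0x0400): TGT verified using key for [host/snapshot-test.miolinux.corp@MIOLINUX.CORP].
(Mon Feb 10 10:17:34 2014) [[sssd[krb5_child[10018]]]] [become_user] (0x0200): Trying to become user [799001323][799001323].
"""

if __name__ == "__main__":
    gaps = validation_gaps(SAMPLE_LOG.splitlines())
    for pid in slow_logins(gaps):
        print(f"krb5_child[{pid}]: {gaps[pid]}s between TGT verified and become_user")
```

Run against a real sssd_<domain>.log with debug_level raised, it points straight at the logins where validation was slow, before reaching for the libkrb5 trace at debug_level 9.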
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rhel6-client.sssd_miolinux.corp.log
Type: text/x-log
Size: 285563 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140212/dff5aa13/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: centos6-client.sssd_miolinux.corp.log
Type: text/x-log
Size: 147329 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140212/dff5aa13/attachment-0001.bin>