[Freeipa-users] IDM/ipa slow login

seli irithyl seli.irithyl at gmail.com
Thu Aug 13 10:12:03 UTC 2015


In the logs, there are lots of warnings concerning the pki tomcat server:

Aug 13 09:51:56 lead.bioinf.local systemd[1]: Started The Apache HTTP
Server.
Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting
system-pki\x2dtomcatd.slice.
Aug 13 09:51:56 lead.bioinf.local systemd[1]: Created slice
system-pki\x2dtomcatd.slice.
Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting PKI Tomcat Server.
Aug 13 09:51:56 lead.bioinf.local systemd[1]: Reached target PKI Tomcat
Server.
Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting PKI Tomcat Server
pki-tomcat...
Aug 13 09:51:57 lead.bioinf.local systemd[1]: Started PKI Tomcat Server
pki-tomcat.
Aug 13 09:51:57 lead.bioinf.local server[5213]: Java virtual machine used:
/usr/bin/java
Aug 13 09:51:57 lead.bioinf.local server[5213]: classpath used:
/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Aug 13 09:51:57 lead.bioinf.local server[5213]: main class used:
org.apache.catalina.startup.Bootstrap
Aug 13 09:51:57 lead.bioinf.local server[5213]: flags used:
-DRESTEASY_LIB=/usr/share/java/resteasy-base
Aug 13 09:51:57 lead.bioinf.local server[5213]: options used:
-Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat
-Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp
-Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties
-Djav
Aug 13 09:51:57 lead.bioinf.local server[5213]: arguments used: start
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'enableOCSP' to 'false' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspResponderURL' to 'http://lead.bioinf.local:9080/ca/ocsp' did not find
a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a
matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspCacheSize' to '1000' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspTimeout' to '10' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'strictCiphers' to 'true' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'sslOptions' to 'ssl2=true,ssl3=true,tls=true' did not find a matching
property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ssl2Ciphers' to
'-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ssl3Ciphers' to
'-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'tlsCiphers' to
'-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TL
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf'
did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find
a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did
not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching
property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching
property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'sslRangeCiphers' to
'-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SH
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.tomcat.util.digester.SetPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetPropertiesRule]{Server/Service/Engine/Host} Setting property
'xmlValidation' to 'false' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.tomcat.util.digester.SetPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetPropertiesRule]{Server/Service/Engine/Host} Setting property
'xmlNamespaceAware' to 'false' did not find a matching property.
Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM
org.apache.coyote.AbstractProtocol init
Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing
ProtocolHandler ["http-bio-8080"]
Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM
org.apache.coyote.AbstractProtocol init
Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing
ProtocolHandler ["http-bio-8443"]
Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher
"TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher
"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by tomcatjss
Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher
"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" not recognized by tomcatjss
Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher
"TLS_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher
"TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher
"TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher
"TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" unsupported by NSS
Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher
"TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS
Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM
org.apache.coyote.AbstractProtocol init
Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing
ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM
org.apache.catalina.startup.Catalina load
Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initialization
processed in 995 ms
Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM
org.apache.catalina.core.StandardService startInternal
Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Starting service
Catalina
Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM
org.apache.catalina.core.StandardEngine startInternal
Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Starting Servlet
Engine: Apache Tomcat/7.0.54
Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM
org.apache.catalina.startup.HostConfig deployDescriptor
Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Deploying
configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
Aug 13 09:51:59 lead.bioinf.local server[5213]:
SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
Aug 13 09:51:59 lead.bioinf.local server[5213]:
SSLAuthenticatorWithFallback: Setting container
Aug 13 09:52:01 lead.bioinf.local server[5213]:
SSLAuthenticatorWithFallback: Initializing authenticators
Aug 13 09:52:01 lead.bioinf.local server[5213]:
SSLAuthenticatorWithFallback: Starting authenticators
Aug 13 09:52:12 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:12 AM
org.apache.catalina.startup.HostConfig deployDescriptor
Aug 13 09:52:12 lead.bioinf.local server[5213]: INFO: Deployment of
configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has
finished in 13,391 ms
Aug 13 09:52:12 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:12 AM
org.apache.catalina.startup.HostConfig deployDescriptor
Aug 13 09:52:12 lead.bioinf.local server[5213]: INFO: Deploying
configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml
Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM
org.apache.jasper.EmbeddedServletOptions <init>
Aug 13 09:52:16 lead.bioinf.local server[5213]: SEVERE: The scratchDir you
specified: /var/lib/pki/pki-tomcat/work/Catalina/localhost/pki is unusable.
Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM
org.apache.catalina.startup.HostConfig deployDescriptor
Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Deployment of
configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml has
finished in 2,683 ms
Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM
org.apache.coyote.AbstractProtocol start
Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting
ProtocolHandler ["http-bio-8080"]
Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM
org.apache.coyote.AbstractProtocol start
Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting
ProtocolHandler ["http-bio-8443"]
Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM
org.apache.coyote.AbstractProtocol start
Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting
ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM
org.apache.catalina.startup.Catalina start
Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Server startup in
17320 ms

May this be related to my slow login problem?

On Wed, Aug 12, 2015 at 5:21 PM, seli irithyl <seli.irithyl at gmail.com>
wrote:

>
> if I ssh with an ipa user, authentication hangs on "we sent a
> gssapi-with-mic packet, wait for reply" from 5s to 10s
> if I ssh with local user, auth is nearly immediate (less than 1s)
>
>
> From a client :
> [test at argon ~]$ time id test
> uid=1713400050(test) gid=1713400050(test)
> groups=1713400050(test),1713400004(bioinfo)
>
> real    0m2.269s
> user    0m0.001s
> sys    0m0.004s
>
> [test at argon ~]$ time id test
> uid=1713400050(test) gid=1713400050(test)
> groups=1713400050(test),1713400004(bioinfo)
>
> real    0m0.005s
> user    0m0.002s
> sys    0m0.003s
>
>
> [test at argon ~]$ time ipa user-find test
> --------------
> 1 user matched
> --------------
>   User login: test
>   First name: test
>   Last name: user
>   Home directory: /home/test
>   Login shell: /bin/bash
>   Email address: test at bioinf.local
>   UID: 1713400050
>   GID: 1713400050
>   Account disabled: False
>   Password: True
>   Kerberos keys available: True
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
> real    0m1.464s
> user    0m0.348s
> sys    0m0.062s
>
>
> Following the guide you sent me:
> On the server:
>
> [root at lead sssd]# systemctl status sssd
> sssd.service - System Security Services Daemon
>    Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled)
>   Drop-In: /etc/systemd/system/sssd.service.d
>            └─journal.conf
>    Active: active (running) since Wed 2015-08-12 16:55:50 CEST; 11min ago
>   Process: 6495 ExecStart=/usr/sbin/sssd -D -f (code=exited,
> status=0/SUCCESS)
>  Main PID: 6496 (sssd)
>    CGroup: /system.slice/sssd.service
>            ├─6496 /usr/sbin/sssd -D -f
>            ├─6497 /usr/libexec/sssd/sssd_be --domain bioinf.local --uid 0
> --gid 0 --debug-to-files
>            ├─6498 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0
> --debug-to-files
>            ├─6499 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0
> --debug-to-files
>            ├─6500 /usr/libexec/sssd/sssd_autofs --uid 0 --gid 0
> --debug-to-files
>            ├─6501 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0
> --debug-to-files
>            ├─6502 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0
> --debug-to-files
>            └─6503 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0
> --debug-to-files
>
> Aug 12 16:55:50 lead.bioinf.local sssd[autofs][6500]: Starting up
> Aug 12 16:55:50 lead.bioinf.local sssd[pam][6499]: Starting up
> Aug 12 16:55:50 lead.bioinf.local sssd[sudo][6502]: Starting up
> Aug 12 16:55:50 lead.bioinf.local sssd[ssh][6501]: Starting up
> Aug 12 16:55:50 lead.bioinf.local sssd[pac][6503]: Starting up
> Aug 12 16:55:50 lead.bioinf.local sssd_be[6497]: GSSAPI client step 1
> Aug 12 16:55:50 lead.bioinf.local sssd_be[6497]: GSSAPI client step 1
> Aug 12 16:55:50 lead.bioinf.local systemd[1]: Started System Security
> Services Daemon.
> Aug 12 16:55:51 lead.bioinf.local sssd_be[6497]: GSSAPI client step 1
> Aug 12 16:55:51 lead.bioinf.local sssd_be[6497]: GSSAPI client step 2
>
>
> [root at lead sssd]# more /etc/nsswitch.conf
> passwd:     files sss
> shadow:     files sss
> group:      files sss
> #initgroups: files
>
> #hosts:     db files nisplus nis dns
> hosts:      files dns
>
> # Example - obey only what nisplus tells us...
> #services:   nisplus [NOTFOUND=return] files
> #networks:   nisplus [NOTFOUND=return] files
> #protocols:  nisplus [NOTFOUND=return] files
> #rpc:        nisplus [NOTFOUND=return] files
> #ethers:     nisplus [NOTFOUND=return] files
> #netmasks:   nisplus [NOTFOUND=return] files
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files sss
>
> netgroup:   files sss
>
> publickey:  nisplus
>
> automount: files
>
> aliases:    files
>
>
> [root at lead sssd]# date
> Wed Aug 12 17:09:50 CEST 2015
> [root at lead sssd]# systemctl restart sssd
> [root at lead sssd]# getent passwd test
> test:*:1713400050:1713400050:test user:/home/test:/bin/bash
>
>
> sssd_nss.log:
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_responder_ctx_destructor]
> (0x0400): Responder is being shut down
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [server_setup] (0x0400): CONFDB:
> /var/lib/sss/db/config.ldb
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [confdb_get_domain_internal]
> (0x0400): No enumeration for [bioinf.local]!
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sbus_init_connection] (0x0400):
> Adding connection 0x7ff00ae60ec0
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [monitor_common_send_id] (0x0100):
> Sending ID: (nss,1)
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_names_init_from_args]
> (0x0100): Using re
> [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_fqnames_init] (0x0100): Using
> fq format [%1$s@%2$s].
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sbus_init_connection] (0x0400):
> Adding connection 0x7ff00ae60b00
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [dp_common_send_id] (0x0100):
> Sending ID to DP: (1,NSS)
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sysdb_domain_init_internal]
> (0x0200): DB File for bioinf.local: /var/lib/sss/db/cache_bioinf.local.ldb
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [ldb] (0x0400): asq: Unable to
> register control with rootdse!
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_process_init] (0x0400):
> Responder Initialization complete
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
> (0x0200): name 'root' matched without domain, user is root
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
> Adding [NCE/USER/bioinf.local/root] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
> (0x0200): name 'polkitd' matched without domain, user is polkitd
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
> Adding [NCE/USER/bioinf.local/polkitd] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
> (0x0200): name 'avahi' matched without domain, user is avahi
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
> Adding [NCE/USER/bioinf.local/avahi] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
> (0x0200): name 'colord' matched without domain, user is colord
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
> Adding [NCE/USER/bioinf.local/colord] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
> (0x0200): name 'rtkit' matched without domain, user is rtkit
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
> Adding [NCE/USER/bioinf.local/rtkit] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
> (0x0200): name 'pulse' matched without domain, user is pulse
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
> Adding [NCE/USER/bioinf.local/pulse] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
> (0x0200): name 'gdm' matched without domain, user is gdm
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
> Adding [NCE/USER/bioinf.local/gdm] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
> (0x0200): name 'postfix' matched without domain, user is postfix
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
> Adding [NCE/USER/bioinf.local/postfix] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
> (0x0200): name 'root' matched without domain, user is root
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
> Adding [NCE/GROUP/bioinf.local/root] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
> (0x0200): name 'polkitd' matched without domain, user is polkitd
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
> Adding [NCE/GROUP/bioinf.local/polkitd] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
> (0x0200): name 'avahi' matched without domain, user is avahi
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
> Adding [NCE/GROUP/bioinf.local/avahi] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
> (0x0200): name 'colord' matched without domain, user is colord
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
> Adding [NCE/GROUP/bioinf.local/colord] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
> (0x0200): name 'rtkit' matched without domain, user is rtkit
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
> Adding [NCE/GROUP/bioinf.local/rtkit] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
> (0x0200): name 'pulse' matched without domain, user is pulse
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
> Adding [NCE/GROUP/bioinf.local/pulse] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
> (0x0200): name 'gdm' matched without domain, user is gdm
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
> Adding [NCE/GROUP/bioinf.local/gdm] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
> (0x0200): name 'postfix' matched without domain, user is postfix
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
> Adding [NCE/GROUP/bioinf.local/postfix] to negative cache permanently
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400):
> Found shell /bin/sh in /etc/shells
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400):
> Found shell /bin/bash in /etc/shells
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400):
> Found shell /sbin/nologin in /etc/shells
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400):
> Found shell /usr/bin/sh in /etc/shells
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400):
> Found shell /usr/bin/bash in /etc/shells
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400):
> Found shell /usr/sbin/nologin in /etc/shells
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400):
> Found shell /bin/tcsh in /etc/shells
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400):
> Found shell /bin/csh in /etc/shells
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [responder_set_fd_limit] (0x0100):
> Maximum file descriptors set to [8192]
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_names_init_from_args]
> (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_fqnames_init] (0x0100): Using
> fq format [%1$s@%2$s].
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_process_init] (0x0400): NSS
> Initialization complete
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400):
> Issuing request for [0x7ff00a44a670:domains at bioinf.local]
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400):
> Sending get domains request for [bioinf.local][]
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_internal_get_send]
> (0x0400): Entering request [0x7ff00a44a670:domains at bioinf.local]
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [dp_id_callback] (0x0100): Got id
> ack and version (1) from DP
> (Wed Aug 12 17:09:56 2015) [sssd[nss]] [id_callback] (0x0100): Got id ack
> and version (1) from Monitor
> (Wed Aug 12 17:09:59 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400):
> Deleting request: [0x7ff00a44a670:domains at bioinf.local]
> (Wed Aug 12 17:10:01 2015) [sssd[nss]] [accept_fd_handler] (0x0400):
> Client connected!
> (Wed Aug 12 17:10:01 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200):
> Received client version [1].
> (Wed Aug 12 17:10:01 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200):
> Offered version [1].
> (Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400):
> Running command [17] with input [root].
> (Wed Aug 12 17:10:01 2015) [sssd[nss]] [sss_parse_name_for_domains]
> (0x0200): name 'root' matched without domain, user is root
> (Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
> Requesting info for [root] from [<ALL>]
> (Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400):
> User [root] does not exist in [bioinf.local]! (negative cache)
> (Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080):
> No matching domain found for [root], fail!
> (Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400):
> Running command [38] with input [root].
> (Wed Aug 12 17:10:01 2015) [sssd[nss]] [sss_parse_name_for_domains]
> (0x0200): name 'root' matched without domain, user is root
> (Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
> Requesting info for [root] from [<ALL>]
> (Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_initgroups_search]
> (0x0400): User [root] does not exist in [bioinf.local]! (negative cache)
> (Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_initgroups_search]
> (0x0080): No matching domain found for [root], fail!
> (Wed Aug 12 17:10:01 2015) [sssd[nss]] [client_recv] (0x0200): Client
> disconnected!
> (Wed Aug 12 17:10:02 2015) [sssd[nss]] [accept_fd_handler] (0x0400):
> Client connected!
> (Wed Aug 12 17:10:02 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200):
> Received client version [1].
> (Wed Aug 12 17:10:02 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200):
> Offered version [1].
> (Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400):
> Running command [17] with input [test].
> (Wed Aug 12 17:10:02 2015) [sssd[nss]] [sss_parse_name_for_domains]
> (0x0200): name 'test' matched without domain, user is test
> (Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
> Requesting info for [test] from [<ALL>]
> (Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
> Requesting info for [test at bioinf.local]
> (Wed Aug 12 17:10:02 2015) [sssd[nss]] [check_cache] (0x0400): Cached
> entry is valid, returning..
> (Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400):
> Returning info for user [test at bioinf.local]
> (Wed Aug 12 17:10:02 2015) [sssd[nss]] [client_recv] (0x0200): Client
> disconnected!
>
> sssd.conf:
> [sssd]
> debug_level = 6
> config_file_version = 2
> services = nss, pam, autofs, ssh, sudo
> domains = bioinf.local
>
> [nss]
> debug_level = 6
> filter_users = root, polkitd, avahi, colord, rtkit, pulse, gdm, postfix
> filter_groups = root, polkitd, avahi, colord, rtkit, pulse, gdm, postfix
> reconnection_retries = 3
> entry_cache_timeout = 300
> entry_cache_nowait_percentage = 75
>
> [pam]
> debug_level = 6
>
> [domain/bioinf.local]
> enumerate = false
> debug_level = 6
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = bioinf.local
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = lead.bioinf.local
> chpass_provider = ipa
> ipa_server = _srv_, lead.bioinf.local
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> krb5_lifetime = 1d
> krb5_renewable_lifetime = 7d
> krb5_renew_interval = 3600
>
>
> [ssh]
> debug_level = 6
>
> [autofs]
> debug_level = 6
>
> [sudo]
>
>
> On Tue, Aug 11, 2015 at 1:39 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:
>
>> On Tue, Aug 11, 2015 at 10:37:16AM +0200, seli irithyl wrote:
>> > Hi,
>> >
>> > I inherited a server (the guy that built it left) running centos 7 and
>> > Identity Management (Kerberos, 389DS, ...) with NFS.
>> > Everything concerning login (with network accounts) is very slow (
>> several
>> > seconds)
>> > I already solved a lot of problems on this server(DNS, NTP, firewall,
>> ...),
>> > but I am neither a sysadmin nor a linux guru and I don't know where and
>> > what to look for ?
>> > Kerberos ? 389DS ? NFS ? SElinux ? sssd ? ...
>>
>> Can you define "slow" better? Can you estimate how big is your
>> environment?
>>
>> I would start by comparing the time it takes to search the entry in LDAP
>> or kinit with login through GDM or SSH. Then, if the times differ, look
>> into SSSD. Some pointers are here:
>>     https://fedorahosted.org/sssd/wiki/Troubleshooting
>>
>>
>
>
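The pki-tomcat warnings in the message above list every TLS-related connector property that server.xml declares (sslOptions, sslVersionRangeStream, the cipher lists), followed by the ciphers tomcatjss and NSS refused. As an added triage example (not code from the post, from FreeIPA or from Dogtag), the following Python script parses journal lines of that shape, collects the unmatched-property values and the rejected ciphers, and flags the settings a reviewer would want to confirm against the protocols the connector actually negotiates: SSLv2/SSLv3 enabled in sslOptions, a TLS 1.0 floor in sslVersionRangeStream, and "+"-enabled ciphers built on 3DES, RC4, MD5, NULL or export suites. The sample lines are constructed from the excerpt (the journal's wrapped lines joined back together) with a shortened, made-up sslRangeCiphers value; the legacy-marker list is an assumption of this example, not something the page states.

```python
import re

# Constructed sample, modelled on the journal excerpt in the post; the
# sslRangeCiphers value is shortened and invented for this example.
SAMPLE_LOG = """\
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=true,ssl3=true,tls=true' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA' did not find a matching property.
Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS
Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Server startup in 17320 ms
"""

PROP_RE = re.compile(r"Setting property '([^']+)' to '([^']*)' did not find a matching property")
CIPHER_RE = re.compile(r'SSL cipher "([^"]+)" (not recognized by tomcatjss|unsupported by NSS)')
STARTUP_RE = re.compile(r"Server startup in (\d+) ms")

# Substrings that mark a cipher suite as legacy; an assumption of this example.
LEGACY_CIPHER_MARKERS = ("3DES", "RC4", "MD5", "NULL", "EXPORT")


def parse_tomcat_journal(text):
    """Collect unmatched connector properties, rejected ciphers and startup time."""
    props, rejected, startup_ms = {}, [], None
    for line in text.splitlines():
        m = PROP_RE.search(line)
        if m:
            props[m.group(1)] = m.group(2)
            continue
        m = CIPHER_RE.search(line)
        if m:
            rejected.append((m.group(1), m.group(2)))
            continue
        m = STARTUP_RE.search(line)
        if m:
            startup_ms = int(m.group(1))
    return {"properties": props, "rejected_ciphers": rejected, "startup_ms": startup_ms}


def audit_connector(parsed):
    """Return human-readable findings about the declared TLS connector settings."""
    findings = []
    props = parsed["properties"]
    # sslOptions is a comma-separated list of proto=bool pairs.
    opts = dict(kv.split("=", 1) for kv in props.get("sslOptions", "").split(",") if "=" in kv)
    for proto in ("ssl2", "ssl3"):
        if opts.get(proto) == "true":
            findings.append(f"sslOptions enables {proto}")
    rng = props.get("sslVersionRangeStream", "")
    if rng.startswith("tls1_0") or rng.startswith("ssl3"):
        findings.append(f"sslVersionRangeStream floor is {rng.split(':')[0]}")
    # Only "+"-prefixed suites are enabled; "-" entries are explicitly disabled.
    for key in ("sslRangeCiphers", "tlsCiphers", "ssl3Ciphers"):
        for cipher in props.get(key, "").split(","):
            if cipher.startswith("+") and any(mark in cipher for mark in LEGACY_CIPHER_MARKERS):
                findings.append(f"{key} enables legacy cipher {cipher[1:]}")
    for name, reason in parsed["rejected_ciphers"]:
        findings.append(f"cipher {name} {reason}")
    return findings


if __name__ == "__main__":
    result = parse_tomcat_journal(SAMPLE_LOG)
    print(f"startup: {result['startup_ms']} ms")
    for finding in audit_connector(result):
        print("-", finding)
```

Feed it `journalctl -u pki-tomcatd@pki-tomcat -o cat` output instead of the sample to audit a live server; the script only reads what the connector declares, so a finding such as "sslOptions enables ssl3" is a prompt to check the negotiated protocol versions, not proof that SSLv3 is reachable.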
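The quoted sssd_nss.log shows where the time goes on a cold lookup: the responder issues a request to the data provider ("Issuing request for [...:domains@bioinf.local]" at 17:09:56) and only releases it three seconds later ("Deleting request" at 17:09:59), whereas the later `getent passwd test` is answered from the local cache ("Cached entry is valid, returning.."), which matches the 2.2 s first `id test` and the 5 ms second one. As an added example (not code from the post or from SSSD), this Python snippet pairs each "Issuing request" line with its "Deleting request" line by request key to measure how long every backend request stayed outstanding, lists the ones above a threshold, and counts cache hits. The sample lines are constructed in SSSD's debug-log format with "@" where the archive shows "at"; the second request key and the third, never-completed request are invented to exercise the sorting and the outstanding-request case.

```python
import re
from datetime import datetime

# Constructed sample in sssd debug-log format, modelled on the excerpt in the
# post. The second and third request keys are invented for illustration.
SAMPLE_NSS_LOG = """\
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7ff00a44a670:domains@bioinf.local]
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP
(Wed Aug 12 17:09:59 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7ff00a44a670:domains@bioinf.local]
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [test].
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [test@bioinf.local]
(Wed Aug 12 17:10:40 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7ff00a44b120:1:1:alice@bioinf.local]
(Wed Aug 12 17:10:42 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7ff00a44b120:1:1:alice@bioinf.local]
(Wed Aug 12 17:10:50 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7ff00a44c000:1:1:bob@bioinf.local]
"""

# ctime-style timestamp at the start of every line; day may be space-padded.
TS_RE = re.compile(r"^\((\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})\)")
ISSUE_RE = re.compile(r"Issuing request for \[([^\]]+)\]")
DELETE_RE = re.compile(r"Deleting request: \[([^\]]+)\]")
CACHE_HIT_RE = re.compile(r"\[check_cache\].*Cached entry is valid")


def _timestamp(line):
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y") if m else None


def request_latencies(text):
    """Pair 'Issuing request' with 'Deleting request' by key.

    Returns one record per request, slowest first. A request that is never
    deleted (still outstanding when the log ends) gets seconds=None and
    sorts last, so it is visible rather than silently dropped.
    """
    issued, records = {}, []
    for line in text.splitlines():
        ts = _timestamp(line)
        if ts is None:
            continue
        m = ISSUE_RE.search(line)
        if m:
            issued[m.group(1)] = ts
            continue
        m = DELETE_RE.search(line)
        if m and m.group(1) in issued:
            start = issued.pop(m.group(1))
            records.append({"key": m.group(1), "issued": start,
                            "seconds": (ts - start).total_seconds()})
    for key, start in issued.items():
        records.append({"key": key, "issued": start, "seconds": None})
    records.sort(key=lambda r: (r["seconds"] is None, -(r["seconds"] or 0)))
    return records


def slow_requests(text, threshold=1.0):
    """Keys of completed backend requests that took at least `threshold` seconds."""
    return [r["key"] for r in request_latencies(text)
            if r["seconds"] is not None and r["seconds"] >= threshold]


def cache_hits(text):
    """Number of lookups the responder answered from its cache."""
    return sum(1 for line in text.splitlines() if CACHE_HIT_RE.search(line))


if __name__ == "__main__":
    for rec in request_latencies(SAMPLE_NSS_LOG):
        took = "outstanding" if rec["seconds"] is None else f"{rec['seconds']:.1f}s"
        print(f"{rec['issued']:%H:%M:%S}  {took:>11}  {rec['key']}")
    print("cache hits:", cache_hits(SAMPLE_NSS_LOG))
```

Run it over /var/log/sssd/sssd_nss.log (debug_level 6 or higher, as in the quoted sssd.conf, is enough for these lines). Only wall-clock time between the two lines is measured, and sssd logs with one-second resolution, so the result separates "waiting on the backend" from "slow responder" but says nothing about which LDAP or Kerberos step inside the backend was slow; for that the matching sssd_bioinf.local.log is the next file to read.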