[Freeipa-users] IDM/ipa slow login

seli irithyl seli.irithyl at gmail.com
Mon Aug 17 07:57:00 UTC 2015


Hi John, Jakub,

I added "selinux_provider = none" to the sssd.conf (as recommended by John)
and then restarted the service... and it seems to solve the problem
(almost)! Logins are nearly as fast as when using local users.
What are the consequences when I add this line concerning security?
Jakub, you're talking about a bug; is there a patch to remove it or do I
have to wait for an sssd/ipa upgrade?
Maybe I'll try to understand why it is complaining "Could not parse domain
SID from [(null)]" and looking for groups that do not exist in the ldap
database.
Anyway, thanks a lot for your time and help!


seli

On Sun, Aug 16, 2015 at 6:09 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:

>
> > On 13 Aug 2015, at 22:57, John Obaterspok <john.obaterspok at gmail.com>
> wrote:
> >
> > Hi Seli,
> >
> > In /etc/sssd/sssd.conf add below:
> >      selinux_provider=none
>
> Hmm, good idea. I forgot the version OP was using, but yet -- at one point
> we had a bug where the selinux_child would be invoked even if the context
> didn't change which would be slow. We fixed that error since, but chances
> are Seli is still running the affected version.
>
> > to the domain section. Then restart sssd.
> >
> > -- john
> >
> >
> > 2015-08-13 16:23 GMT+02:00 seli irithyl <seli.irithyl at gmail.com>:
> > Here's the sssd_domain log part during an ssh
> >
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
> [be_get_account_info] (0x0200): Got request for [0x3][1][name=test]
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_req_set_domain]
> (0x0400): Changing request domain from [bioinf.local] to [bioinf.local]
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
> [sdap_get_initgr_next_base] (0x0400): Searching for users with base
> [cn=accounts,dc=bioinf,dc=local]
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(&(uid=test)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=bioinf,dc=local].
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> errmsg set
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user]
> (0x0400): Save user
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
> [sdap_get_primary_name] (0x0400): Processing object test
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user]
> (0x0400): Processing user test
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user]
> (0x0400): Adding original memberOf attributes to [test].
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user]
> (0x0400): Adding user principal [test at BIOINF.LOCAL] to attributes of
> [test].
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user]
> (0x0400): Storing info for user test
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
> [sdap_get_primary_name] (0x0400): Processing object test
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
> [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
> > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=bioinf,dc=local].
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> errmsg set
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=bioinfo,cn=groups,cn=accounts,dc=bioinf,dc=local].
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> errmsg set
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_get_primary_name] (0x0400): Processing object ipausers
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_get_primary_name] (0x0400): Processing object bioinfo
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_get_groups_next_base] (0x0400): Searching for groups with base
> [cn=accounts,dc=bioinf,dc=local]
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(&(gidNumber=1713400050)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=bioinf,dc=local].
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> errmsg set
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_get_primary_name] (0x0400): Processing object test
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_group]
> (0x0400): Processing group test
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_process_ghost_members] (0x0400): The group has 0 members
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_process_ghost_members] (0x0400): Group has 0 members
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_group]
> (0x0400): Storing info for group test
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_get_primary_name] (0x0400): Processing object test
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_grpmem]
> (0x0400): Processing group test
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_grpmem]
> (0x0400): Failed to get group sid
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_grpmem]
> (0x0400): No members for group [test]
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:bioinf.local:52e6beb4-158e-11e5-b14d-000af77e6812))][cn=Default
> Trust View,cn=views,cn=accounts,dc=bioinf,dc=local].
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: No such object(32),
> no errmsg set
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [acctinfo_callback]
> (0x0100): Request processed. Returned 0,0,Success
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [be_req_set_domain]
> (0x0400): Changing request domain from [bioinf.local] to [bioinf.local]
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [be_pam_handler]
> (0x0100): Got request with the following data
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data]
> (0x0100): command: PAM_ACCT_MGMT
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data]
> (0x0100): domain: bioinf.local
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data]
> (0x0100): user: test
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data]
> (0x0100): service: sshd
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data]
> (0x0100): tty: ssh
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data]
> (0x0100): ruser:
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data]
> (0x0100): rhost: copper.bioinf.local
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data]
> (0x0100): authtok type: 0
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data]
> (0x0100): newauthtok type: 0
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data]
> (0x0100): priv: 1
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data]
> (0x0100): cli_pid: 44307
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data]
> (0x0100): logon name: not set
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_access_send]
> (0x0400): Performing access check for user [test]
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user
> [test]
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(&(objectClass=ipaHost)(fqdn=lead.bioinf.local))][cn=accounts,dc=bioinf,dc=local].
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> errmsg set
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_x_deref_search_send] (0x0400): Dereferencing entry
> [fqdn=lead.bioinf.local,cn=computers,cn=accounts,dc=bioinf,dc=local] using
> OpenLDAP deref
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no
> filter][fqdn=lead.bioinf.local,cn=computers,cn=accounts,dc=bioinf,dc=local].
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_x_deref_parse_entry] (0x0400): Got deref control
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_x_deref_parse_entry] (0x0400): All deref results from a single
> control parsed
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> errmsg set
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [ipa_hbac_service_info_next] (0x0400): Sending request for next search
> base: [cn=hbac,dc=bioinf,dc=local][2][(objectClass=ipaHBACService)]
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(objectClass=ipaHBACService)][cn=hbac,dc=bioinf,dc=local].
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> errmsg set
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search
> base: [cn=hbac,dc=bioinf,dc=local][2][(objectClass=ipaHBACServiceGroup)]
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=bioinf,dc=local].
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> errmsg set
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base:
> [cn=hbac,dc=bioinf,dc=local][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=lead.bioinf.local,cn=computers,cn=accounts,dc=bioinf,dc=local)))]
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=lead.bioinf.local,cn=computers,cn=accounts,dc=bioinf,dc=local)))][cn=hbac,dc=bioinf,dc=local].
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> errmsg set
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [hbac_get_category]
> (0x0200): Category is set to 'all'.
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [hbac_get_category]
> (0x0200): Category is set to 'all'.
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [hbac_get_category]
> (0x0200): Category is set to 'all'.
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule
> [allow_all]
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_all]
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>)
> [Success]
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=bioinf,dc=local].
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> errmsg set
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [ipa_selinux_get_maps_next] (0x0400): Trying to fetch SELinux maps with
> following parameters:
> [2][(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=bioinf,dc=local]
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=bioinf,dc=local].
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> errmsg set
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [write_pipe_handler]
> (0x0400): All data has been sent!
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [child_sig_handler]
> (0x0100): child [44309] finished successfully.
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [read_pipe_handler]
> (0x0400): EOF received, client finished
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]]
> [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success)
> [Success]
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]]
> [be_pam_handler_callback] (0x0100): Sending result [0][bioinf.local]
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]]
> [be_pam_handler_callback] (0x0100): Sent result [0][bioinf.local]
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_req_set_domain]
> (0x0400): Changing request domain from [bioinf.local] to [bioinf.local]
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler]
> (0x0100): Got request with the following data
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data]
> (0x0100): command: PAM_OPEN_SESSION
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data]
> (0x0100): domain: bioinf.local
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data]
> (0x0100): user: test
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data]
> (0x0100): service: sshd
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data]
> (0x0100): tty: ssh
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data]
> (0x0100): ruser:
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data]
> (0x0100): rhost: copper.bioinf.local
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data]
> (0x0100): authtok type: 0
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data]
> (0x0100): newauthtok type: 0
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data]
> (0x0100): priv: 1
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data]
> (0x0100): cli_pid: 44307
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data]
> (0x0100): logon name: not set
> > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler]
> (0x0100): Sending result [0][bioinf.local]
> >
> > Why is there such a message: Could not parse domain SID from [(null)]? I
> > thought SID was related to AD?
> > Is it normal that:
> >     some messages seem duplicated?
> >     SELinux user maps were not found?
> >
> > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_grpmem]
> (0x0400): No members for group [test]
> > Looking in the UI, the "test" group does not exist
> > Moreover the "trust admins" and "ipausers" don't have GID
> >
> > Thanks for all
> >
> > On Thu, Aug 13, 2015 at 1:05 PM, Jakub Hrozek <jhrozek at redhat.com>
> wrote:
> > On Thu, Aug 13, 2015 at 12:12:03PM +0200, seli irithyl wrote:
> > > In the logs, there are lots of warnings concerning pki tomcat server:
> > >
> > > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Started The Apache HTTP
> > > Server.
> > > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting
> > > system-pki\x2dtomcatd.slice.
> > > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Created slice
> > > system-pki\x2dtomcatd.slice.
> > > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting PKI Tomcat
> Server.
> > > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Reached target PKI Tomcat
> > > Server.
> > > Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting PKI Tomcat
> Server
> > > pki-tomcat...
> > > Aug 13 09:51:57 lead.bioinf.local systemd[1]: Started PKI Tomcat Server
> > > pki-tomcat.
> > > Aug 13 09:51:57 lead.bioinf.local server[5213]: Java virtual machine
> used:
> > > /usr/bin/java
> > > Aug 13 09:51:57 lead.bioinf.local server[5213]: classpath used:
> > >
> /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
> > > Aug 13 09:51:57 lead.bioinf.local server[5213]: main class used:
> > > org.apache.catalina.startup.Bootstrap
> > > Aug 13 09:51:57 lead.bioinf.local server[5213]: flags used:
> > > -DRESTEASY_LIB=/usr/share/java/resteasy-base
> > > Aug 13 09:51:57 lead.bioinf.local server[5213]: options used:
> > > -Dcatalina.base=/var/lib/pki/pki-tomcat
> -Dcatalina.home=/usr/share/tomcat
> > > -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp
> > >
> -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties
> > > -Djav
> > > Aug 13 09:51:57 lead.bioinf.local server[5213]: arguments used: start
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> > > org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > > 'enableOCSP' to 'false' did not find a matching property.
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> > > org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > > 'ocspResponderURL' to 'http://lead.bioinf.local:9080/ca/ocsp' did not
> find
> > > a matching property.
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> > > org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > > 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not
> find a
> > > matching property.
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> > > org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > > 'ocspCacheSize' to '1000' did not find a matching property.
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> > > org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > > 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> > > org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > > 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> > > org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > > 'ocspTimeout' to '10' did not find a matching property.
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> > > org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > > 'strictCiphers' to 'true' did not find a matching property.
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> > > org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > > 'sslOptions' to 'ssl2=true,ssl3=true,tls=true' did not find a matching
> > > property.
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> > > org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > > 'ssl2Ciphers' to
> > >
> '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> > > org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > > 'ssl3Ciphers' to
> > >
> '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> > > org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > > 'tlsCiphers' to
> > >
> '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TL
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> > > org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > > 'serverCertNickFile' to
> '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf'
> > > did not find a matching property.
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> > > org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > > 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not
> find
> > > a matching property.
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> > > org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > > 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile'
> did
> > > not find a matching property.
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> > > org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > > 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching
> > > property.
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> > > org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > > 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching
> property.
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> > > org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > > 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching
> > > property.
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> > > org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > > 'sslRangeCiphers' to
> > >
> '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SH
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> > > org.apache.tomcat.util.digester.SetPropertiesRule begin
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> > > [SetPropertiesRule]{Server/Service/Engine/Host} Setting property
> > > 'xmlValidation' to 'false' did not find a matching property.
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
> > > org.apache.tomcat.util.digester.SetPropertiesRule begin
> > > Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
> > > [SetPropertiesRule]{Server/Service/Engine/Host} Setting property
> > > 'xmlNamespaceAware' to 'false' did not find a matching property.
> > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM
> > > org.apache.coyote.AbstractProtocol init
> > > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing
> > > ProtocolHandler ["http-bio-8080"]
> > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM
> > > org.apache.coyote.AbstractProtocol init
> > > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing
> > > ProtocolHandler ["http-bio-8443"]
> > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher
> > > "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
> > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher
> > > "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by tomcatjss
> > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher
> > > "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" not recognized by tomcatjss
> > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher
> > > "TLS_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
> > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher
> > > "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
> > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher
> > > "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
> > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher
> > > "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" unsupported by NSS
> > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Error: SSL cipher
> > > "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS
> > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM
> > > org.apache.coyote.AbstractProtocol init
> > > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initializing
> > > ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
> > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM
> > > org.apache.catalina.startup.Catalina load
> > > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Initialization
> > > processed in 995 ms
> > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM
> > > org.apache.catalina.core.StandardService startInternal
> > > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Starting service
> > > Catalina
> > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM
> > > org.apache.catalina.core.StandardEngine startInternal
> > > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Starting Servlet
> > > Engine: Apache Tomcat/7.0.54
> > > Aug 13 09:51:59 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:59 AM
> > > org.apache.catalina.startup.HostConfig deployDescriptor
> > > Aug 13 09:51:59 lead.bioinf.local server[5213]: INFO: Deploying
> > > configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
> > > Aug 13 09:51:59 lead.bioinf.local server[5213]:
> > > SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
> > > Aug 13 09:51:59 lead.bioinf.local server[5213]:
> > > SSLAuthenticatorWithFallback: Setting container
> > > Aug 13 09:52:01 lead.bioinf.local server[5213]:
> > > SSLAuthenticatorWithFallback: Initializing authenticators
> > > Aug 13 09:52:01 lead.bioinf.local server[5213]:
> > > SSLAuthenticatorWithFallback: Starting authenticators
> > > Aug 13 09:52:12 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:12 AM
> > > org.apache.catalina.startup.HostConfig deployDescriptor
> > > Aug 13 09:52:12 lead.bioinf.local server[5213]: INFO: Deployment of
> > > configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
> has
> > > finished in 13,391 ms
> > > Aug 13 09:52:12 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:12 AM
> > > org.apache.catalina.startup.HostConfig deployDescriptor
> > > Aug 13 09:52:12 lead.bioinf.local server[5213]: INFO: Deploying
> > > configuration descriptor
> /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml
> > > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM
> > > org.apache.jasper.EmbeddedServletOptions <init>
> > > Aug 13 09:52:16 lead.bioinf.local server[5213]: SEVERE: The scratchDir
> you
> > > specified: /var/lib/pki/pki-tomcat/work/Catalina/localhost/pki is
> unusable.
> > > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM
> > > org.apache.catalina.startup.HostConfig deployDescriptor
> > > Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Deployment of
> > > configuration descriptor
> /etc/pki/pki-tomcat/Catalina/localhost/pki.xml has
> > > finished in 2,683 ms
> > > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM
> > > org.apache.coyote.AbstractProtocol start
> > > Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting
> > > ProtocolHandler ["http-bio-8080"]
> > > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM
> > > org.apache.coyote.AbstractProtocol start
> > > Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting
> > > ProtocolHandler ["http-bio-8443"]
> > > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM
> > > org.apache.coyote.AbstractProtocol start
> > > Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Starting
> > > ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
> > > Aug 13 09:52:16 lead.bioinf.local server[5213]: Aug 13, 2015 9:52:16 AM
> > > org.apache.catalina.startup.Catalina start
> > > Aug 13 09:52:16 lead.bioinf.local server[5213]: INFO: Server startup in
> > > 17320 ms
> > >
> > > May this be related to my slow login problem?
> >
> > I don't think so. You really need to look into the sssd domain log,
> > check what requests (getAccountInfo) take the longest.
> >
> >
> >
> >
>
>
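
Jakub's advice in the quoted reply is to look at the sssd domain log and find which step takes longest. As an added example (not part of the original thread and not SSSD code), the Python script below strips mail quoting from log lines in the format shown above, rejoins hard-wrapped records, and ranks the pauses between consecutive entries; the sample log, its `example.test` domain and the helper names `unquote`, `parse_entries` and `slowest_gaps` are constructed for illustration.

```python
import re
from datetime import datetime
from typing import List, NamedTuple, Tuple

# Constructed sample (not from the thread): sssd domain-log records in the
# format quoted above, with mail-style ">" quoting and hard-wrapped lines.
SAMPLE_LOG = """\
> > (Thu Aug 13 15:22:31 2015) [sssd[be[example.test]]]
> [be_get_account_info] (0x0200): Got request for [0x3][1][name=alice]
> > (Thu Aug 13 15:22:31 2015) [sssd[be[example.test]]] [acctinfo_callback]
> (0x0100): Request processed. Returned 0,0,Success
> > (Thu Aug 13 15:22:32 2015) [sssd[be[example.test]]]
> [ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping
> > (Thu Aug 13 15:22:32 2015) [sssd[be[example.test]]] [write_pipe_handler]
> (0x0400): All data has been sent!
> > (Thu Aug 13 15:22:34 2015) [sssd[be[example.test]]] [child_sig_handler]
> (0x0100): child [4242] finished successfully.
> > (Thu Aug 13 15:22:34 2015) [sssd[be[example.test]]]
> [be_pam_handler_callback] (0x0100): Sent result [0][example.test]
"""

QUOTE_RE = re.compile(r"^(?:>\s?)+")  # one or more leading "> " markers
START_RE = re.compile(r"^\(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}\) ")
ENTRY_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>\S+?)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]{4})\): ?(?P<msg>.*)$"
)


class Entry(NamedTuple):
    when: datetime
    func: str
    level: int
    msg: str


def unquote(text: str) -> List[str]:
    """Strip mail quote markers and rejoin hard-wrapped log records.

    Any line that does not start with a timestamp is treated as the
    continuation of the previous record, so trim surrounding prose first.
    """
    records: List[str] = []
    for raw in text.splitlines():
        line = QUOTE_RE.sub("", raw).strip()
        if not line:
            continue
        if START_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_entries(text: str) -> List[Entry]:
    """Turn raw (possibly quoted) log text into timestamped entries."""
    entries: List[Entry] = []
    for record in unquote(text):
        m = ENTRY_RE.match(record)
        if not m:
            continue  # not an sssd debug record
        when = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        entries.append(Entry(when, m["func"], int(m["level"], 16), m["msg"]))
    return entries


def slowest_gaps(entries: List[Entry],
                 min_seconds: float = 1.0) -> List[Tuple[float, str, str]]:
    """Return (seconds, function before, function after), largest pause first."""
    gaps = []
    for before, after in zip(entries, entries[1:]):
        delta = (after.when - before.when).total_seconds()
        if delta >= min_seconds:
            gaps.append((delta, before.func, after.func))
    return sorted(gaps, key=lambda g: g[0], reverse=True)


if __name__ == "__main__":
    for seconds, before, after in slowest_gaps(parse_entries(SAMPLE_LOG)):
        # In the log quoted above, this pair of functions brackets the
        # two-second pause that follows the SELinux user map lookup.
        waiting = (before, after) == ("write_pipe_handler", "child_sig_handler")
        note = " (backend waiting on a child process)" if waiting else ""
        print(f"{seconds:4.0f}s between [{before}] and [{after}]{note}")
```

The timestamps in this log format have one-second resolution, so only pauses of a second or more are visible; shorter steps all report a gap of zero.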