[Freeipa-users] Very slow enrolment process

Rob Crittenden rcritten at redhat.com
Mon Aug 22 14:48:31 UTC 2016


Petr Spacek wrote:
> On 22.8.2016 03:42, William Muriithi wrote:
>> Hello,
>>
>> I have systems that were previously using openLDAP and plan to migrate
>> them to freeIPA.  I have a problem I have been struggling with since
>> Thursday.  The client takes 10 to 15 minutes to finish the enrolment
>> process.
>>
>> I can't find anything in the logs, have disabled nscd, the DNS and
>> hostname are set up right and nothing in the message logs points me to
>> the problem.  Have put SELinux in permissive mode and done all the basic
>> checks I can think of.
>>
>> It's always stalling at this point. What usually happens after the end
>> of the log below?
>>
>> ---
>>
>> 2016-08-22T01:12:07Z INFO Synchronizing time with KDC...
>> 2016-08-22T01:12:07Z DEBUG Search DNS for SRV record of _ntp._udp.eng.example.com.
>> 2016-08-22T01:12:07Z DEBUG DNS record found: DNSResult::name:_ntp._udp.eng.example.com.,type:33,class:1,rdata={priority:0,port:123,weight:100,server:hydrogen.eng.example.com.}
>> 2016-08-22T01:12:08Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v hydrogen.eng.example.com
>> 2016-08-22T01:12:08Z DEBUG stdout=
>> 2016-08-22T01:12:08Z DEBUG stderr=
>> 2016-08-22T01:12:08Z DEBUG Writing Kerberos configuration to /tmp/tmpYLpzuV:
>> 2016-08-22T01:12:08Z DEBUG #File modified by ipa-client-install
>>
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>> [libdefaults]
>>    default_realm = ENG.EXAMPLE.COM
>>    dns_lookup_realm = false
>>    dns_lookup_kdc = false
>>    rdns = false
>>    ticket_lifetime = 24h
>>    forwardable = yes
>>    udp_preference_limit = 0
>>
>> [realms]
>>    ENG.EXAMPLE.COM = {
>>      kdc = hydrogen.eng.example.com:88
>>      master_kdc = hydrogen.eng.example.com:88
>>      admin_server = hydrogen.eng.example.com:749
>>      default_domain = eng.example.com
>>      pkinit_anchors = FILE:/etc/ipa/ca.crt
>>    }
>>
>> [domain_realm]
>>    .eng.example.com = ENG.EXAMPLE.COM
>>    eng.example.com = ENG.EXAMPLE.COM
>
>
> This is interesting. This output is printed right before calling the ipa-join
> command so you should see a follow-up line "Starting external process".
>
> Is it somewhere in the file?
>
> I cannot imagine where it could hang between the write to the krb5.conf file and
> starting the ipa-join command...
>

It potentially does a kinit before calling ipa-join depending on the 
options passed in.

What I'd do is strace the install process. This should tell you what 
it's doing.

rob
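
Added example, not part of the original message and not FreeIPA code: one way to read the strace output suggested above is to rank system calls by how long they blocked. It assumes the trace was captured with the standard strace options `-f -tt -T -o <file>`; the function name `slowest_calls` and the sample trace are constructed for illustration and say nothing about the cause in this thread.

```python
import re

# Assumed capture command (standard strace flags, output path is a placeholder):
#   strace -f -tt -T -o /tmp/ipa-client-install.strace ipa-client-install
# Line format with these flags: PID HH:MM:SS.usec syscall(args) = ret <seconds>
LINE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:<\.\.\. (?P<resumed>\w+) resumed>|(?P<name>\w+)\()"
    r".*<(?P<secs>\d+\.\d+)>\s*$"
)

def slowest_calls(lines, threshold=1.0):
    """Return (seconds, pid, timestamp, syscall, raw) for calls that blocked
    at least `threshold` seconds, slowest first."""
    hits = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # "<unfinished ...>" halves, exits and signals carry no duration
        secs = float(m.group("secs"))
        if secs >= threshold:
            name = m.group("name") or m.group("resumed")
            hits.append((secs, int(m.group("pid")), m.group("ts"), name, raw.strip()))
    return sorted(hits, key=lambda h: h[0], reverse=True)

# Constructed sample trace (hypothetical PIDs, address from the documentation range).
# With -f, a parent's long wait4 usually just mirrors a stall in the child it waits on.
SAMPLE = """\
4211 01:12:08.101001 openat(AT_FDCWD, "/tmp/tmpYLpzuV", O_WRONLY|O_CREAT, 0600) = 5 <0.000031>
4211 01:12:08.102200 clone(child_stack=NULL, flags=SIGCHLD) = 4212 <0.000410>
4212 01:12:08.204000 connect(6, {sa_family=AF_INET, sin_port=htons(88), sin_addr=inet_addr("192.0.2.10")}, 16) = 0 <0.000212>
4212 01:12:08.204400 poll([{fd=6, events=POLLIN}], 1, 300000 <unfinished ...>
4211 01:12:08.204900 wait4(4212,  <unfinished ...>
4212 01:17:08.204912 <... poll resumed>) = 0 (Timeout) <300.000508>
4212 01:17:08.300000 exit_group(1) = ?
4212 01:17:08.300100 +++ exited with 1 +++
4211 01:17:08.300500 <... wait4 resumed>[{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 4212 <300.095600>
""".splitlines()

if __name__ == "__main__":
    for secs, pid, ts, name, raw in slowest_calls(SAMPLE):
        print(f"{secs:10.3f}s pid={pid} ended={ts} {name}")
```

The timestamp on a "resumed" line is when the call returned; the matching "unfinished" line for the same PID shows when it started and which file descriptor it was waiting on.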



