I'm not using a VM, I'm using a workstation dedicated to just FreeIPA. It has
4GB memory.
Which logs are you interested in? I've been looking through all I can find and
have seen nothing relevant.
-Brian
[root@freeipa ~]# free
             total       used       free     shared    buffers     cached
Mem:       3989324    2043720    1945604          0     219368    1202000
-/+ buffers/cache:     622352    3366972
Swap:      8191992          0    8191992
[root@freeipa ~]#
load average: 0.00, 0.05, 0.05
[root@freeipa ~]# date ; time ipa-finduser admin
Tue Jun 7 14:46:59 PDT 2011
Home Directory: /home/admin
Login Shell: /bin/bash
Last Name: Administrator
Login: admin
real 0m20.688s
user 0m0.072s
sys 0m0.022s
[root@freeipa ~]# tail -3 /var/log/ipa_error.log
2011-06-03 16:01:58,882 root INFO IPA: get_user_by_principal
'[email protected]'
2011-06-03 16:02:19,254 root INFO IPA: get_user_by_principal
'[email protected]'
2011-06-03 16:02:39,455 root INFO IPA: get_user_by_principal
'[email protected]'
[root@freeipa ~]# tail -5 /var/log/krb5kdc.log
Jun 07 14:17:31 freeipa.arc.nasa.gov krb5kdc[7680](info): commencing operation
Jun 07 14:47:19 freeipa.arc.nasa.gov krb5kdc[7680](info): TGS_REQ (1 etypes
{18}) 143.232.152.197: ISSUE: authtime 1307481346, etypes {rep=18 tkt=18
ses=18}, [email protected] for krbtgt/[email protected]
Jun 07 14:47:19 freeipa.arc.nasa.gov krb5kdc[7680](info): TGS_REQ (1 etypes
{18}) 143.232.152.197: ISSUE: authtime 1307481346, etypes {rep=18 tkt=18
ses=18}, [email protected] for krbtgt/[email protected]
Jun 07 14:47:20 freeipa.arc.nasa.gov krb5kdc[7680](info): TGS_REQ (4 etypes {18
17 16 23}) 143.232.152.197: ISSUE: authtime 1307481346, etypes {rep=18 tkt=18
ses=18}, [email protected] for ldap/[email protected]
Jun 07 14:47:20 freeipa.arc.nasa.gov krb5kdc[7680](info): TGS_REQ (1 etypes
{18}) 143.232.152.197: ISSUE: authtime 1307481346, etypes {rep=18 tkt=18
ses=18}, [email protected] for krbtgt/[email protected]
[root@freeipa ~]# tail -3 /var/log/dirsrv/slapd-ARC-NASA-GOV/access
[07/Jun/2011:14:47:20 -0700] conn=20 op=14 RESULT err=0 tag=101 nentries=1
etime=0
[07/Jun/2011:14:47:20 -0700] conn=20 op=15 SRCH base="dc=arc,dc=nasa,dc=gov"
scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))([email protected]))"
attrs="krbPrincipalName krbcanonicalname objectClass krbPrincipalKey
krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration
krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference
krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount
krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbExtraData
krbObjectReferences krballowedtodelegateto"
[07/Jun/2011:14:47:20 -0700] conn=20 op=15 RESULT err=0 tag=101 nentries=1
etime=0
[root@freeipa ~]# tail -3 /var/log/dirsrv/slapd-ARC-NASA-GOV/errors
[07/Jun/2011:14:12:03 -0700] - 389-Directory/1.2.8.3 B2011.122.1634 starting up
[07/Jun/2011:14:12:03 -0700] - slapd started. Listening on All Interfaces port
389 for LDAP requests
[07/Jun/2011:14:12:04 -0700] - Listening on All Interfaces port 636 for LDAPS
requests
[root@freeipa ~]# tail -5 /var/log/dirsrv/slapd-ARC-NASA-GOV/errors
[07/Jun/2011:14:12:02 -0700] - All database threads now stopped
[07/Jun/2011:14:12:02 -0700] - slapd stopped.
[07/Jun/2011:14:12:03 -0700] - 389-Directory/1.2.8.3 B2011.122.1634 starting up
[07/Jun/2011:14:12:03 -0700] - slapd started. Listening on All Interfaces port
389 for LDAP requests
[07/Jun/2011:14:12:04 -0700] - Listening on All Interfaces port 636 for LDAPS
requests
On 6/7/11 2:33 PM, "Dmitri Pal" <[email protected]> wrote:
On 06/07/2011 05:17 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
Re: [Freeipa-users] Difficulty installing freeipa
I continue to work with performance issues. I went into the krb5.conf and
changed dns_lookup_kdc from true to false. Kinit now responds immediately.
It's cut the time on "ipa-finduser admin" from 2m30s down to 18-20s. How fast
"should" this respond?
It should be a matter of less than a second.
Are you using a VM to test? Does it have enough memory?
It is really hard to say what exactly is causing your delays.
IPA does a lot of name resolution. Delays are usually related to that. By turning
off the name resolution against DNS in Kerberos you reduced the number of
lookups but probably did not eliminate all of them. I suggest you continue looking
into the name resolution more.
This is the best we can say without any logs or specific configurations. Sorry.
Thanks
Dmitri
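Lining up the timestamps quoted in this thread, as an added example that is not part of the original messages: it measures how long after the `date` stamp the first KDC and directory-server entries appear, and the largest `etime` the directory server reported. The log lines are abridged from the post (wrapped lines re-joined, principals dropped), and treating every timestamp as local time on the same host is an assumption.

```python
import re
from datetime import datetime

# Values and log lines abridged from the post above (principals dropped).
# Assumption: every timestamp is local time on the same host.
CMD_START = datetime(2011, 6, 7, 14, 46, 59)  # `date` output before the command
CMD_REAL = 20.688                              # `real` seconds from time(1)
KDC_LOG = """\
Jun 07 14:17:31 freeipa.arc.nasa.gov krb5kdc[7680](info): commencing operation
Jun 07 14:47:19 freeipa.arc.nasa.gov krb5kdc[7680](info): TGS_REQ (1 etypes {18}) 143.232.152.197: ISSUE: authtime 1307481346
Jun 07 14:47:20 freeipa.arc.nasa.gov krb5kdc[7680](info): TGS_REQ (4 etypes {18 17 16 23}) 143.232.152.197: ISSUE: authtime 1307481346
"""
DS_LOG = """\
[07/Jun/2011:14:47:20 -0700] conn=20 op=14 RESULT err=0 tag=101 nentries=1 etime=0
[07/Jun/2011:14:47:20 -0700] conn=20 op=15 SRCH base="dc=arc,dc=nasa,dc=gov" scope=2
[07/Jun/2011:14:47:20 -0700] conn=20 op=15 RESULT err=0 tag=101 nentries=1 etime=0
"""
KDC_TS = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) ")
DS_TS = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

def kdc_times(text, year):
    """krb5kdc.log stamps carry no year, so the caller supplies it."""
    return [datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            for m in map(KDC_TS.match, text.splitlines()) if m]

def ds_times(text):
    """389-ds access log stamps look like [dd/Mon/yyyy:HH:MM:SS -zzzz]."""
    return [datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")
            for m in map(DS_TS.match, text.splitlines()) if m]

def first_delay(start, stamps):
    """Seconds from start to the first log entry at or after it, else None."""
    later = [t for t in stamps if t >= start]
    return (min(later) - start).total_seconds() if later else None

def max_etime(text):
    """Largest server-side elapsed time (etime=) in the access log, else None."""
    return max((int(v) for v in re.findall(r"\betime=(\d+)", text)), default=None)

def report():
    return {
        "kdc_first_request_s": first_delay(CMD_START, kdc_times(KDC_LOG, CMD_START.year)),
        "ldap_first_op_s": first_delay(CMD_START, ds_times(DS_LOG)),
        "ldap_max_etime_s": max_etime(DS_LOG),
    }

if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value} (command real time {CMD_REAL}s)")
```

On these values the first KDC request is logged about 20 seconds after the command starts and the directory server reports `etime=0`, so nearly all of the 20.688s elapses before any Kerberos or LDAP request is logged.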