On Mon, Feb 10, 2014 at 02:08:22PM -0500, Steve Dainard wrote: > Sure: >
... > (0x0400): Attempting kinit for realm [MIOVISION.CORP] > (Mon Feb 10 10:14:58 2014) [[sssd[krb5_child[9879]]]] [validate_tgt] > (0x0400): TGT verified using key for > [host/snapshot-test.miolinux.c...@miolinux.corp]. > (Mon Feb 10 10:15:06 2014) [[sssd[krb5_child[9879]]]] [become_user] > (0x0200): Trying to become user [799001323][799001323]. ... > (0x0400): Attempting kinit for realm [MIOVISION.CORP] > (Mon Feb 10 10:16:35 2014) [[sssd[krb5_child[9929]]]] [validate_tgt] > (0x0400): TGT verified using key for > [host/snapshot-test.miolinux.c...@miolinux.corp]. > (Mon Feb 10 10:16:40 2014) [[sssd[krb5_child[9929]]]] [become_user] > (0x0200): Trying to become user [799001323][799001323]. ... > (0x0400): Attempting kinit for realm [MIOVISION.CORP] > (Mon Feb 10 10:16:57 2014) [[sssd[krb5_child[9960]]]] [validate_tgt] > (0x0400): TGT verified using key for > [host/snapshot-test.miolinux.c...@miolinux.corp]. > (Mon Feb 10 10:17:01 2014) [[sssd[krb5_child[9960]]]] [become_user] > (0x0200): Trying to become user [799001323][799001323]. ... > (0x0400): Attempting kinit for realm [MIOVISION.CORP] > (Mon Feb 10 10:17:30 2014) [[sssd[krb5_child[10018]]]] [validate_tgt] > (0x0400): TGT verified using key for > [host/snapshot-test.miolinux.c...@miolinux.corp]. > (Mon Feb 10 10:17:34 2014) [[sssd[krb5_child[10018]]]] [become_user] > (0x0200): Trying to become user [799001323][799001323]. as you can see the time is spend to validate the ticket. For a user from a trusted domain this includes a request for a cross-realm TGT to a AD server and then a request to an IPA KDC for a service ticket for the local host. With debug_level 9 and higher the libkrb5 tracing is switched on which would in more detail show where the time is lost. It will also show which AD server is contacted. You mentioned in your other mail that with a different client the logins are faster. Are the two clients in the same network segment? Or is there a chance that the other client is "nearer" to the AD server? bye, Sumit _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users