On Fri, Feb 21, 2014 at 1:36 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Bret Wortman wrote:
>>
>> I'm getting ready to leave for the weekend, and this isn't the kind of
>> thing I want to track down on a Friday, but if anyone has any ideas for
>> things I should look at come Monday morning, I'd be very appreciative.
>>
>> I've got a system with 12 replicas, and no matter which IPA server I log
>> into and try to run "ipa" CLI commands on (even "ipa help"), I get my
>> session terminated. I also tried from a client system that has the
>> ipatools rpm installed, and in that case I got bounced out of my sudo'd
>> root session.
>>
>> I need to figure this out because something's obviously amiss, and we
>> have discovered a number of systems that are lacking Kerberos keys. I
>> was hoping the CLI would provide the mechanism to get them fixed. We're
>> also trying to track down a 6-10 second delay every time a user logs in
>> using SSSD to authenticate; the password check passes almost instantly,
>> but something is taking up an additional bunch of time and my users are
>> starting to complain. So I need to get past this so I can debug that.
>>
>> Thanks, and have a great weekend, all.
>
>
> For the life of me I can't figure out what the ipa command might do that
> would log you out. I think brute force might be a way to go with this:
>
> strace -f -o /tmp/out ipa help
>
> Then go back in and see what happened.
>
> As for login delay you may want to pick a client system and bump up the sssd
> debug level and see if that provides any clues.
>

I would also run ldapsearch in the client after you manually kinit'ed, to see which part of the show is boink.
> rob
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users