Thanks jhrozek, I have already seen it and applied it to my IPA server, but it 
didn't have any significant impact, at least for AD users. In the krb5kdc log, when 
I try to log in with an IPA user in Windows, I can see the following:

Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info): AS_REQ (6 
etypes {18 17 23 24 -135 3}) 172.19.21.37: NEEDED_PREAUTH: 
ipa.u...@ipa.ad.example.com for krbtgt/ipa.ad.example....@ipa.ad.example.com, 
Additional pre-authentication required
Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info): closing down fd 
12
Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info): AS_REQ (6 
etypes {18 17 23 24 -135 3}) 172.19.21.37: ISSUE: authtime 1454716332, etypes 
{rep=18 tkt=18 ses=18}, ipa.u...@ipa.ad.example.com for 
krbtgt/ipa.ad.example....@ipa.ad.example.com
Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info): closing down fd 
12
Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info): TGS_REQ (5 
etypes {18 17 23 24 -135}) 172.19.21.37: ISSUE: authtime 1454716332, etypes 
{rep=18 tkt=18 ses=18}, ipa.u...@ipa.ad.example.com for 
krbtgt/ad.example....@ipa.ad.example.com
Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info): closing down fd 
12
Feb 05 17:58:45 master.ipa.ad.example.com krb5kdc[14081](info): TGS_REQ (5 
etypes {18 17 23 24 -135}) 172.19.21.37: ISSUE: authtime 1454716332, etypes 
{rep=18 tkt=18 ses=18}, ipa.u...@ipa.ad.example.com for 
cifs/master.ipa.ad.example....@ipa.ad.example.com
Feb 05 17:58:45 master.ipa.ad.example.com krb5kdc[14081](info): closing down fd 
12
Feb 05 17:58:47 master.ipa.ad.example.com krb5kdc[14081](info): TGS_REQ (5 
etypes {18 17 23 24 -135}) 172.19.21.37: LOOKING_UP_SERVER: authtime 0,  
ipa.u...@ipa.ad.example.com for 
ProtectedStorage/master.ipa.ad.example....@ipa.ad.example.com, Server not found 
in Kerberos database
Feb 05 17:58:47 master.ipa.ad.example.com krb5kdc[14081](info): closing down fd 
12


In Windows, I can't find anything related.

Any other suggestion?


> Date: Fri, 5 Feb 2016 09:33:25 +0100
> From: jhro...@redhat.com
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] IPA-AD Login
> 
> On Thu, Feb 04, 2016 at 01:15:17PM -0600, Alan P wrote:
> > Hi, 
> > 
> > I just configured a trust between an IPA and an Active Directory to 
> > authenticate IPA users in Windows machines joined in AD domain. The login 
> > is successful, but only after several minutes (nearly 25 minutes) in the 
> > first attempt; in the next attempts, the required time goes from 5 to 10 
> > min. So, what can I do to reduce the time to something more acceptable? 
> > (For reference, when an AD user authenticates it only takes 10 seconds or 
> > less).
> > 
> > My environment is:
> > 
> > IPA server 4.2.0-15 in a RHEL 7.2
> > IPA domain is a subdomain of AD (like ad.example.com and ipa.ad.example.com)
> > There are, right now, a few users but it is planned to manage more than 10,000
> > The trust was configured as "two way"
> > 
> > AD is in a Windows Server 2012
> > It has the root domain
> > I made a domain delegation, so AD is authoritative for ad.example.com and 
> > IPA, for ipa.ad.example.com
> > All windows client machines are joined here
> > There are a few users, but they are only for test purposes
> > 
> > The authentication in a windows client is:
> > user: IPA.AD.EXAMPLE.COM\ipa.user
> > pass: ipa user pass
> > 
> > From IPA console I can make kinit user...@ad.example.com with no problem.
> 
> Please see:
>     
> https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/
> 
> We're working on sssd performance fixes for the next version (1.14, will
> be in RHEL-7.3)
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
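The krb5kdc excerpt in the message above is the kind of log a practitioner reads by hand to spot where a slow login stalls: the AS_REQ/TGS_REQ sequence, the cross-realm krbtgt ticket, the long pause between the last ISSUE and the next request, and the LOOKING_UP_SERVER entry for a service principal the KDC does not know. The script below is an added example, not part of this thread and not FreeIPA or MIT krb5 code. It parses MIT krb5 KDC log lines of that format and summarises request statuses, "Server not found" lookups, cross-realm TGTs and the largest idle gap per client principal. The sample lines are constructed (placeholder hostnames, realms and principals, with the same statuses and timing pattern as the excerpt), and because krb5kdc timestamps carry no year, the parser assumes 2016, the year of this thread.

```python
"""Summarise a krb5kdc log: statuses, failed server lookups, cross-realm TGTs, idle gaps."""
import re
from collections import Counter
from datetime import datetime

# Common prefix of every AS_REQ / TGS_REQ line written by the MIT krb5 KDC.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]"
    r"\((?P<level>\w+)\): (?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<ip>[\d.]+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# Inside the remainder: "<client> for <server>", optionally followed by ", <message>".
PRINC_RE = re.compile(r"(?P<client>\S+@\S+) for (?P<server>[^,\s]+)(?:, (?P<msg>.+))?$")

ASSUMED_YEAR = 2016  # assumption: krb5kdc timestamps have no year; this thread is from 2016

# Constructed sample log (placeholder hosts/realms/principals), modelled on the excerpt above.
KDC_LOG = """\
Feb 05 17:52:12 kdc1.ipa.example.test krb5kdc[14081](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.0.2.37: NEEDED_PREAUTH: jdoe@IPA.EXAMPLE.TEST for krbtgt/IPA.EXAMPLE.TEST@IPA.EXAMPLE.TEST, Additional pre-authentication required
Feb 05 17:52:12 kdc1.ipa.example.test krb5kdc[14081](info): closing down fd 12
Feb 05 17:52:12 kdc1.ipa.example.test krb5kdc[14081](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.0.2.37: ISSUE: authtime 1454716332, etypes {rep=18 tkt=18 ses=18}, jdoe@IPA.EXAMPLE.TEST for krbtgt/IPA.EXAMPLE.TEST@IPA.EXAMPLE.TEST
Feb 05 17:52:12 kdc1.ipa.example.test krb5kdc[14081](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 192.0.2.37: ISSUE: authtime 1454716332, etypes {rep=18 tkt=18 ses=18}, jdoe@IPA.EXAMPLE.TEST for krbtgt/AD.EXAMPLE.TEST@IPA.EXAMPLE.TEST
Feb 05 17:58:45 kdc1.ipa.example.test krb5kdc[14081](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 192.0.2.37: ISSUE: authtime 1454716332, etypes {rep=18 tkt=18 ses=18}, jdoe@IPA.EXAMPLE.TEST for cifs/kdc1.ipa.example.test@IPA.EXAMPLE.TEST
Feb 05 17:58:47 kdc1.ipa.example.test krb5kdc[14081](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 192.0.2.37: LOOKING_UP_SERVER: authtime 0,  jdoe@IPA.EXAMPLE.TEST for ProtectedStorage/kdc1.ipa.example.test@IPA.EXAMPLE.TEST, Server not found in Kerberos database
"""


def parse_kdc_log(lines):
    """Return one record per AS_REQ/TGS_REQ line; other lines (e.g. 'closing down fd') are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        p = PRINC_RE.search(m.group("rest"))
        if not p:
            continue
        records.append({
            "ts": datetime.strptime(f"{m.group('ts')} {ASSUMED_YEAR}", "%b %d %H:%M:%S %Y"),
            "req": m.group("req"),
            "ip": m.group("ip"),
            "status": m.group("status"),
            "client": p.group("client"),
            "server": p.group("server"),
            "msg": p.group("msg"),
        })
    return records


def is_cross_realm_tgt(server):
    """krbtgt/<service realm>@<issuing realm> with differing realms is a cross-realm TGT."""
    if not server.startswith("krbtgt/"):
        return False
    service_realm = server.split("/", 1)[1].split("@", 1)[0]
    issuing_realm = server.rsplit("@", 1)[1]
    return service_realm != issuing_realm


def summarize(records):
    """Counts per status, unknown servers, cross-realm TGTs and the longest pause per client."""
    statuses = Counter(r["status"] for r in records)
    not_found = sorted({r["server"] for r in records if r["msg"] and "not found" in r["msg"]})
    cross_realm = sorted({r["server"] for r in records if is_cross_realm_tgt(r["server"])})
    by_client = {}
    for r in records:
        by_client.setdefault(r["client"], []).append(r["ts"])
    gaps = {}
    for client, stamps in by_client.items():
        stamps.sort()
        gaps[client] = max((int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])),
                           default=0)
    return {
        "statuses": dict(statuses),
        "server_not_found": not_found,
        "cross_realm_tgts": cross_realm,
        "max_gap_seconds": gaps,
    }


if __name__ == "__main__":
    summary = summarize(parse_kdc_log(KDC_LOG.splitlines()))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the constructed sample the largest gap for the client is 393 seconds between the cross-realm TGT and the next cifs request, which is where a slow Windows logon would be spent outside the KDC (for example in SSSD lookups), and the only unknown server is the ProtectedStorage service principal, a lookup Windows clients make that an IPA KDC has no entry for, so it is expected noise rather than the cause of the delay.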