On Fri, Feb 05, 2016 at 06:21:56PM -0600, Alan P wrote:
> Thanks jhrozek, I have already seen it and applied it to my IPA server, but it 
> didn't have any significant impact, at least for AD users. In the krb5kdc log, 
> when I try to log in with an IPA user in Windows, I can see the following:
> 
> Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info): AS_REQ (6 
> etypes {18 17 23 24 -135 3}) 172.19.21.37: NEEDED_PREAUTH: 
> ipa.u...@ipa.ad.example.com for krbtgt/ipa.ad.example....@ipa.ad.example.com, 
> Additional pre-authentication required
> Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info): closing down 
> fd 12
> Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info): AS_REQ (6 
> etypes {18 17 23 24 -135 3}) 172.19.21.37: ISSUE: authtime 1454716332, etypes 
> {rep=18 tkt=18 ses=18}, ipa.u...@ipa.ad.example.com for 
> krbtgt/ipa.ad.example....@ipa.ad.example.com
> Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info): closing down 
> fd 12
> Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info): TGS_REQ (5 
> etypes {18 17 23 24 -135}) 172.19.21.37: ISSUE: authtime 1454716332, etypes 
> {rep=18 tkt=18 ses=18}, ipa.u...@ipa.ad.example.com for 
> krbtgt/ad.example....@ipa.ad.example.com
> Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info): closing down 
> fd 12
> Feb 05 17:58:45 master.ipa.ad.example.com krb5kdc[14081](info): TGS_REQ (5 
> etypes {18 17 23 24 -135}) 172.19.21.37: ISSUE: authtime 1454716332, etypes 
> {rep=18 tkt=18 ses=18}, ipa.u...@ipa.ad.example.com for 
> cifs/master.ipa.ad.example....@ipa.ad.example.com
> Feb 05 17:58:45 master.ipa.ad.example.com krb5kdc[14081](info): closing down 
> fd 12
> Feb 05 17:58:47 master.ipa.ad.example.com krb5kdc[14081](info): TGS_REQ (5 
> etypes {18 17 23 24 -135}) 172.19.21.37: LOOKING_UP_SERVER: authtime 0,  
> ipa.u...@ipa.ad.example.com for 
> ProtectedStorage/master.ipa.ad.example....@ipa.ad.example.com, Server not 
> found in Kerberos database
> Feb 05 17:58:47 master.ipa.ad.example.com krb5kdc[14081](info): closing down 
> fd 12
> 
> 
> In Windows, I can't find anything related.
> 
> Any other suggestion?

Which part of the login is slow? Acquiring a ticket with kinit or
establishing the user groups etc? Usually it's the latter, so looking at
sssd logs and checking what takes so long is the best way forward in
most cases. You can also confirm if the group resolution takes a long
time with:
    sss_cache -E; id $aduser@addomain

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
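
An added example, not part of the original messages: a small Python parser for krb5kdc entries in the format quoted above, which reports idle time between consecutive KDC requests and lists requests the KDC did not answer with a ticket. The sample lines, host names, addresses and principals are constructed, and the 5-second threshold is an assumption.

```python
import re
from datetime import datetime

# Constructed sample in the krb5kdc log format quoted above (hosts, IPs and
# principals are made up; each entry sits on one line, as in the log file).
SAMPLE = """\
Feb 05 17:52:12 kdc.example.test krb5kdc[14081](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.0.2.10: NEEDED_PREAUTH: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Feb 05 17:52:12 kdc.example.test krb5kdc[14081](info): closing down fd 12
Feb 05 17:52:12 kdc.example.test krb5kdc[14081](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.0.2.10: ISSUE: authtime 1454716332, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Feb 05 17:58:45 kdc.example.test krb5kdc[14081](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 192.0.2.10: ISSUE: authtime 1454716332, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for cifs/kdc.example.test@EXAMPLE.TEST
Feb 05 17:58:47 kdc.example.test krb5kdc[14081](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 192.0.2.10: LOOKING_UP_SERVER: authtime 0,  alice@EXAMPLE.TEST for ProtectedStorage/kdc.example.test@EXAMPLE.TEST, Server not found in Kerberos database
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<ip>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+,\s+)?(?:etypes \{[^}]*\},\s+)?"
    r"(?P<client>\S+) for (?P<server>[^,\s]+)(?:, (?P<msg>.*))?$")

def parse(text, year=2016):
    """One dict per AS_REQ/TGS_REQ entry; other lines are skipped.
    syslog timestamps carry no year, so the caller supplies one."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["time"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
            events.append(ev)
    return events

def gaps(events, min_seconds=5):
    """(seconds, previous server, next server) for requests at least min_seconds apart."""
    deltas = [((b["time"] - a["time"]).total_seconds(), a["server"], b["server"])
              for a, b in zip(events, events[1:])]
    return [d for d in deltas if d[0] >= min_seconds]

def failures(events):
    """Requests the KDC neither answered with a ticket nor asked to preauthenticate."""
    return [e for e in events if e["status"] not in ("ISSUE", "NEEDED_PREAUTH")]

if __name__ == "__main__":
    evs = parse(SAMPLE)
    for delta, before, after in gaps(evs):
        print(f"{delta:.0f}s between requests for {before} and {after}")
    for e in failures(evs):
        print(f"{e['status']}: {e['server']} ({e['msg']})")
```

A long gap here only shows when the client next contacted the KDC; what happened in between has to come from the sssd logs.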