Petr Spacek wrote:
On 22.8.2016 03:42, William Muriithi wrote:
Hello,
I have systems that were previously using openLDAP and plan to migrate
them to freeIPA. I have a problem I have been struggling with since
Thursday. The client takes 10 to 15 minutes to finish the enrolment
process.
I can't find anything in the logs, have disabled nscd, the DNS and
hostname are set up right and nothing in the message logs points me to
the problem. Have put SELinux in permissive mode and done all the basic
checks I can think of.
It's always stalling at this point. What usually happens after the end
of the log below?
---
2016-08-22T01:12:07Z INFO Synchronizing time with KDC...
2016-08-22T01:12:07Z DEBUG Search DNS for SRV record of _ntp._udp.eng.example.com.
2016-08-22T01:12:07Z DEBUG DNS record found:
DNSResult::name:_ntp._udp.eng.example.com.,type:33,class:1,rdata={priority:0,port:123,weight:100,server:hydrogen.eng.example.com.}
2016-08-22T01:12:08Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v hydrogen.eng.example.com
2016-08-22T01:12:08Z DEBUG stdout=
2016-08-22T01:12:08Z DEBUG stderr=
2016-08-22T01:12:08Z DEBUG Writing Kerberos configuration to /tmp/tmpYLpzuV:
2016-08-22T01:12:08Z DEBUG #File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = ENG.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
[realms]
ENG.EXAMPLE.COM = {
kdc = hydrogen.eng.example.com:88
master_kdc = hydrogen.eng.example.com:88
admin_server = hydrogen.eng.example.com:749
default_domain = eng.example.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.eng.example.com = ENG.EXAMPLE.COM
eng.example.com = ENG.EXAMPLE.COM
This is interesting. This output is printed right before calling the ipa-join
command, so you should see the follow-up line "Starting external process".
Is it somewhere in the file?
I cannot imagine where it could hang between the write to the krb5.conf file and
starting the ipa-join command...
It potentially does a kinit before calling ipa-join depending on the
options passed in.
What I'd do is strace the install process. This should tell you what
it's doing.
rob
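
Added example, not part of the original thread and not FreeIPA code: a small Python helper that reads an install log in the timestamp format quoted above and reports where the wall-clock gap sits, which is the step to look at first in an strace of the installer. The sample reuses lines from the excerpt; its final line and timestamp are constructed for illustration, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Entry format seen in the excerpt: 2016-08-22T01:12:07Z LEVEL message
ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z (\w+) (.*)$")

def parse_entries(text):
    """Return [(timestamp, level, message)]. Lines without a timestamp (the
    krb5.conf dump, wrapped lines) are folded into the preceding entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            entries.append([ts, m.group(2), m.group(3)])
        elif entries and line.strip():
            entries[-1][2] += "\n" + line
    return [tuple(e) for e in entries]

def find_stalls(entries, threshold_s=60):
    """Return (gap_seconds, entry_before, entry_after) for every gap of at
    least threshold_s seconds between consecutive entries, largest first."""
    stalls = []
    for before, after in zip(entries, entries[1:]):
        gap = (after[0] - before[0]).total_seconds()
        if gap >= threshold_s:
            stalls.append((gap, before, after))
    return sorted(stalls, key=lambda s: s[0], reverse=True)

# Constructed sample: lines taken from the excerpt in this thread, plus a
# made-up final line (message and timestamp are assumptions for illustration).
SAMPLE = """\
2016-08-22T01:12:07Z INFO Synchronizing time with KDC...
2016-08-22T01:12:08Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v hydrogen.eng.example.com
2016-08-22T01:12:08Z DEBUG Writing Kerberos configuration to /tmp/tmpYLpzuV:
2016-08-22T01:12:08Z DEBUG #File modified by ipa-client-install
[libdefaults]
default_realm = ENG.EXAMPLE.COM
2016-08-22T01:24:31Z DEBUG Starting external process
"""

if __name__ == "__main__":
    for gap, before, after in find_stalls(parse_entries(SAMPLE)):
        print(f"{gap:.0f}s stall after [{before[0]}] {before[2].splitlines()[0]}")
        print(f"  next entry: [{after[0]}] {after[2]}")
```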