Re: [Freeipa-users] IDM/ipa slow login

2015-08-17 Thread seli irithyl
Hi John, Jakub,

I added selinux_provider = none to the sssd.conf (as recommended by John)
and then restarted the service, and it seems to solve the problem
(almost)!!! Logins are nearly as fast as when using local users.
What are the consequences of adding this line, concerning security?
Jakub, you're talking about a bug; is there a patch to remove it, or do I
have to wait for an sssd/ipa upgrade?
Maybe I'll try to understand why it is complaining "Could not parse domain
SID from [(null)]" and looking for groups that do not exist in the LDAP
database.
Anyway, thanks a lot for your time and help!


seli

On Sun, Aug 16, 2015 at 6:09 PM, Jakub Hrozek jhro...@redhat.com wrote:


  On 13 Aug 2015, at 22:57, John Obaterspok john.obaters...@gmail.com
 wrote:
 
  Hi Seli,
 
  In /etc/sssd/sssd.conf add below:
   selinux_provider=none

 Hmm, good idea. I forgot the version OP was using, but yet -- at one point
 we had a bug where the selinux_child would be invoked even if the context
 didn't change which would be slow. We fixed that error since, but chances
 are Seli is still running the affected version.

  to the domain section. Then restart sssd.
 
  -- john
 
 
  2015-08-13 16:23 GMT+02:00 seli irithyl seli.irit...@gmail.com:
  Here's the sssd_domain log part during an ssh
 
  (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
 [be_get_account_info] (0x0200): Got request for [0x3][1][name=test]
  (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_req_set_domain]
 (0x0400): Changing request domain from [bioinf.local] to [bioinf.local]
  (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
 [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
 domain SID from [(null)]
  (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
 [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
 domain SID from [(null)]
  (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
 [sdap_get_initgr_next_base] (0x0400): Searching for users with base
 [cn=accounts,dc=bioinf,dc=local]
  (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
 [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
 [((uid=test)(objectclass=posixAccount)((uidNumber=*)(!(uidNumber=0][cn=accounts,dc=bioinf,dc=local].
  (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
 [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
 errmsg set
  (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user]
 (0x0400): Save user
  (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
 [sdap_get_primary_name] (0x0400): Processing object test
  (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user]
 (0x0400): Processing user test
  (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
 [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
 domain SID from [(null)]
  (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user]
 (0x0400): Adding original memberOf attributes to [test].
  (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user]
 (0x0400): Adding user principal [test@BIOINF.LOCAL] to attributes of
 [test].
  (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user]
 (0x0400): Storing info for user test
  (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
 [sdap_get_primary_name] (0x0400): Processing object test
  (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
 [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
  (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
 [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
 [((|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=bioinf,dc=local].
  (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
 errmsg set
  (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
 [((|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=bioinfo,cn=groups,cn=accounts,dc=bioinf,dc=local].
  (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
 errmsg set
  (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_get_primary_name] (0x0400): Processing object ipausers
  (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_get_primary_name] (0x0400): Processing object bioinfo
  (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
 domain SID from [(null)]
  (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_get_groups_next_base] (0x0400): Searching for groups with base
 [cn=accounts,dc=bioinf,dc=local]
  (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
 

Re: [Freeipa-users] IDM/ipa slow login

2015-08-17 Thread Jakub Hrozek
On Mon, Aug 17, 2015 at 09:57:00AM +0200, seli irithyl wrote:
 Hi John, Jakub,
 
 I added selinux_provider = none to the sssd.conf (as recommended by John)
 and then restarted the service, and it seems to solve the problem
 (almost)!!!

John, thank you very much for suggesting this option.

 Logins are nearly as fast as when using local users.
 What are the consequences of adding this line, concerning security?

The SELinux usermap set on the IPA server would not be reflected on the
IPA client.

 Jakub, you're talking about a bug; is there a patch to remove it, or do I
 have to wait for an sssd/ipa upgrade?

I don't follow; there is a bug in the code, so yes, it needs to be fixed
by an SSSD update. The bug was fixed in 6.7 already:
https://bugzilla.redhat.com/show_bug.cgi?id=1211728
but in the RHEL-7 stream, it's so far only planned for 7.2:
https://bugzilla.redhat.com/show_bug.cgi?id=1210854

Feel free to raise the RHEL-7 bug with RH support if you need it
released sooner.

 Maybe I'll try to understand why it is complaining "Could not parse domain
 SID from [(null)]" and looking for groups that do not exist in the LDAP
 database.

That's fine, we should probably fix the debug message, but it's expected
that IPA users don't have a SID.

 Anyway, thanks a lot for your time and help!
 
 
 seli
 
 On Sun, Aug 16, 2015 at 6:09 PM, Jakub Hrozek jhro...@redhat.com wrote:
 
 
   On 13 Aug 2015, at 22:57, John Obaterspok john.obaters...@gmail.com
  wrote:
  
   Hi Seli,
  
   In /etc/sssd/sssd.conf add below:
selinux_provider=none
 
  Hmm, good idea. I forgot the version OP was using, but yet -- at one point
  we had a bug where the selinux_child would be invoked even if the context
  didn't change which would be slow. We fixed that error since, but chances
  are Seli is still running the affected version.
 
   to the domain section. Then restart sssd.
  
   -- john
  
  
   2015-08-13 16:23 GMT+02:00 seli irithyl seli.irit...@gmail.com:
   Here's the sssd_domain log part during an ssh
  
   (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
  [be_get_account_info] (0x0200): Got request for [0x3][1][name=test]
   (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_req_set_domain]
  (0x0400): Changing request domain from [bioinf.local] to [bioinf.local]
   (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
  [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
  domain SID from [(null)]
   (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
  [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
  domain SID from [(null)]
   (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
  [sdap_get_initgr_next_base] (0x0400): Searching for users with base
  [cn=accounts,dc=bioinf,dc=local]
   (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
  [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
  [((uid=test)(objectclass=posixAccount)((uidNumber=*)(!(uidNumber=0][cn=accounts,dc=bioinf,dc=local].
   (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
  [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
  errmsg set
   (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user]
  (0x0400): Save user
   (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
  [sdap_get_primary_name] (0x0400): Processing object test
   (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user]
  (0x0400): Processing user test
   (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
  [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
  domain SID from [(null)]
   (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user]
  (0x0400): Adding original memberOf attributes to [test].
   (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user]
  (0x0400): Adding user principal [test@BIOINF.LOCAL] to attributes of
  [test].
   (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user]
  (0x0400): Storing info for user test
   (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
  [sdap_get_primary_name] (0x0400): Processing object test
   (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
  [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
   (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
  [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
  [((|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=bioinf,dc=local].
   (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
  [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
  errmsg set
   (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
  [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
  [((|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=bioinfo,cn=groups,cn=accounts,dc=bioinf,dc=local].
   (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
  [sdap_get_generic_op_finished] (0x0400): Search 
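
Jakub's answer above states the trade-off of the workaround: with selinux_provider = none the client no longer pulls the SELinux user maps defined on the IPA server. As an added example, not code from the thread or from SSSD, here is a small audit that reads an sssd.conf and reports, per domain section, which provider will serve SELinux maps and whether IPA usermaps still apply on that client. The sample configuration is constructed, and the rule that only the ipa provider can serve SELinux maps is this example's assumption (sssd.conf(5) says selinux_provider defaults to the id_provider when that provider can handle SELinux requests).

```python
import configparser

# Constructed sample sssd.conf modelled on the workaround discussed in the
# thread: selinux_provider = none added to the domain section. Not a real
# config taken from the poster's host.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = bioinf.local
services = nss, pam

[domain/bioinf.local]
id_provider = ipa
auth_provider = ipa
ipa_domain = bioinf.local
ipa_server = _srv_, lead.bioinf.local
selinux_provider = none
"""

# Providers that can fetch SELinux user maps for a client. Assumption for this
# example: only the ipa provider does so (the thread is about IPA usermaps).
SELINUX_CAPABLE_PROVIDERS = {"ipa"}


def parse_sssd_conf(text):
    """Parse sssd.conf text with configparser.

    Leading whitespace is stripped from every line first: configparser would
    otherwise treat an indented 'selinux_provider=none' (as the key appears in
    the thread) as a continuation of the previous value instead of a key.
    """
    flat = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(flat)
    return cp


def effective_selinux_provider(section):
    """Return the provider that will serve SELinux maps for a domain section.

    sssd.conf(5): selinux_provider defaults to id_provider when that provider
    can handle SELinux requests; otherwise no maps are loaded.
    """
    explicit = section.get("selinux_provider")
    if explicit:
        return explicit.strip().lower()
    id_provider = section.get("id_provider", "").strip().lower()
    return id_provider if id_provider in SELINUX_CAPABLE_PROVIDERS else "none"


def audit_sssd_conf(text):
    """One finding per [domain/...] section: which provider serves SELinux
    maps and whether server-side IPA SELinux user maps will apply here."""
    cp = parse_sssd_conf(text)
    findings = []
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        section = cp[name]
        provider = effective_selinux_provider(section)
        findings.append({
            "domain": name[len("domain/"):],
            "id_provider": section.get("id_provider", "").strip().lower(),
            "selinux_provider": provider,
            "explicitly_disabled":
                section.get("selinux_provider", "").strip().lower() == "none",
            "ipa_selinux_usermaps_applied": provider == "ipa",
        })
    return findings


if __name__ == "__main__":
    for f in audit_sssd_conf(SAMPLE_SSSD_CONF):
        state = "applied" if f["ipa_selinux_usermaps_applied"] else "NOT applied"
        print(f"domain {f['domain']}: selinux_provider={f['selinux_provider']}; "
              f"IPA SELinux user maps {state} on this client")
```

Run it against /etc/sssd/sssd.conf to list every domain where the workaround is in force, so the setting can be reverted once the fixed SSSD build referenced above is installed rather than forgotten on the host.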

Re: [Freeipa-users] IDM/ipa slow login

2015-08-16 Thread Jakub Hrozek

 On 13 Aug 2015, at 22:57, John Obaterspok john.obaters...@gmail.com wrote:
 
 Hi Seli,
 
 In /etc/sssd/sssd.conf add below:
  selinux_provider=none

Hmm, good idea. I forgot the version OP was using, but yet -- at one point we 
had a bug where the selinux_child would be invoked even if the context didn't 
change which would be slow. We fixed that error since, but chances are Seli is 
still running the affected version.

 to the domain section. Then restart sssd.
 
 -- john
 
 
 2015-08-13 16:23 GMT+02:00 seli irithyl seli.irit...@gmail.com:
 Here's the sssd_domain log part during an ssh
 
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_get_account_info] 
 (0x0200): Got request for [0x3][1][name=test]
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_req_set_domain] 
 (0x0400): Changing request domain from [bioinf.local] to [bioinf.local]
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] 
 [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain 
 SID from [(null)]
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] 
 [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain 
 SID from [(null)]
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] 
 [sdap_get_initgr_next_base] (0x0400): Searching for users with base 
 [cn=accounts,dc=bioinf,dc=local]
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] 
 [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with 
 [((uid=test)(objectclass=posixAccount)((uidNumber=*)(!(uidNumber=0][cn=accounts,dc=bioinf,dc=local].
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] 
 [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg 
 set
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] 
 (0x0400): Save user
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] 
 (0x0400): Processing object test
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] 
 (0x0400): Processing user test
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] 
 [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain 
 SID from [(null)]
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] 
 (0x0400): Adding original memberOf attributes to [test].
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] 
 (0x0400): Adding user principal [test@BIOINF.LOCAL] to attributes of [test].
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] 
 (0x0400): Storing info for user test
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] 
 (0x0400): Processing object test
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_has_deref_support] 
 (0x0400): The server supports deref method OpenLDAP
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] 
 [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with 
 [((|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=bioinf,dc=local].
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] 
 [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg 
 set
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] 
 [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with 
 [((|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=bioinfo,cn=groups,cn=accounts,dc=bioinf,dc=local].
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] 
 [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg 
 set
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] 
 (0x0400): Processing object ipausers
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] 
 (0x0400): Processing object bioinfo
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] 
 [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain 
 SID from [(null)]
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] 
 [sdap_get_groups_next_base] (0x0400): Searching for groups with base 
 [cn=accounts,dc=bioinf,dc=local]
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] 
 [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with 
 [((gidNumber=1713400050)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)((gidNumber=*)(!(gidNumber=0][cn=accounts,dc=bioinf,dc=local].
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] 
 [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg 
 set
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_groups_process] 
 (0x0400): Search for groups, returned 1 results.
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_has_deref_support] 
 (0x0400): The server supports deref method OpenLDAP
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] 
 [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain 
 SID from [(null)]
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] 

Re: [Freeipa-users] IDM/ipa slow login

2015-08-13 Thread seli irithyl
In the logs, there are lots of warnings concerning the PKI Tomcat server:

Aug 13 09:51:56 lead.bioinf.local systemd[1]: Started The Apache HTTP
Server.
Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting
system-pki\x2dtomcatd.slice.
Aug 13 09:51:56 lead.bioinf.local systemd[1]: Created slice
system-pki\x2dtomcatd.slice.
Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting PKI Tomcat Server.
Aug 13 09:51:56 lead.bioinf.local systemd[1]: Reached target PKI Tomcat
Server.
Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting PKI Tomcat Server
pki-tomcat...
Aug 13 09:51:57 lead.bioinf.local systemd[1]: Started PKI Tomcat Server
pki-tomcat.
Aug 13 09:51:57 lead.bioinf.local server[5213]: Java virtual machine used:
/usr/bin/java
Aug 13 09:51:57 lead.bioinf.local server[5213]: classpath used:
/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Aug 13 09:51:57 lead.bioinf.local server[5213]: main class used:
org.apache.catalina.startup.Bootstrap
Aug 13 09:51:57 lead.bioinf.local server[5213]: flags used:
-DRESTEASY_LIB=/usr/share/java/resteasy-base
Aug 13 09:51:57 lead.bioinf.local server[5213]: options used:
-Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat
-Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp
-Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties
-Djav
Aug 13 09:51:57 lead.bioinf.local server[5213]: arguments used: start
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'enableOCSP' to 'false' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspResponderURL' to 'http://lead.bioinf.local:9080/ca/ocsp' did not find
a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a
matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspCacheSize' to '1000' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ocspTimeout' to '10' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'strictCiphers' to 'true' did not find a matching property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'sslOptions' to 'ssl2=true,ssl3=true,tls=true' did not find a matching
property.
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'ssl2Ciphers' to
'-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL
Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:

Re: [Freeipa-users] IDM/ipa slow login

2015-08-13 Thread Jakub Hrozek
On Thu, Aug 13, 2015 at 12:12:03PM +0200, seli irithyl wrote:
 In the logs, there are lots of warnings concerning the PKI Tomcat server:
 
 Aug 13 09:51:56 lead.bioinf.local systemd[1]: Started The Apache HTTP
 Server.
 Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting
 system-pki\x2dtomcatd.slice.
 Aug 13 09:51:56 lead.bioinf.local systemd[1]: Created slice
 system-pki\x2dtomcatd.slice.
 Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting PKI Tomcat Server.
 Aug 13 09:51:56 lead.bioinf.local systemd[1]: Reached target PKI Tomcat
 Server.
 Aug 13 09:51:56 lead.bioinf.local systemd[1]: Starting PKI Tomcat Server
 pki-tomcat...
 Aug 13 09:51:57 lead.bioinf.local systemd[1]: Started PKI Tomcat Server
 pki-tomcat.
 Aug 13 09:51:57 lead.bioinf.local server[5213]: Java virtual machine used:
 /usr/bin/java
 Aug 13 09:51:57 lead.bioinf.local server[5213]: classpath used:
 /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
 Aug 13 09:51:57 lead.bioinf.local server[5213]: main class used:
 org.apache.catalina.startup.Bootstrap
 Aug 13 09:51:57 lead.bioinf.local server[5213]: flags used:
 -DRESTEASY_LIB=/usr/share/java/resteasy-base
 Aug 13 09:51:57 lead.bioinf.local server[5213]: options used:
 -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat
 -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp
 -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties
 -Djav
 Aug 13 09:51:57 lead.bioinf.local server[5213]: arguments used: start
 Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
 org.apache.catalina.startup.SetAllPropertiesRule begin
 Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
 [SetAllPropertiesRule]{Server/Service/Connector} Setting property
 'enableOCSP' to 'false' did not find a matching property.
 Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
 org.apache.catalina.startup.SetAllPropertiesRule begin
 Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
 [SetAllPropertiesRule]{Server/Service/Connector} Setting property
 'ocspResponderURL' to 'http://lead.bioinf.local:9080/ca/ocsp' did not find
 a matching property.
 Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
 org.apache.catalina.startup.SetAllPropertiesRule begin
 Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
 [SetAllPropertiesRule]{Server/Service/Connector} Setting property
 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a
 matching property.
 Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
 org.apache.catalina.startup.SetAllPropertiesRule begin
 Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
 [SetAllPropertiesRule]{Server/Service/Connector} Setting property
 'ocspCacheSize' to '1000' did not find a matching property.
 Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
 org.apache.catalina.startup.SetAllPropertiesRule begin
 Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
 [SetAllPropertiesRule]{Server/Service/Connector} Setting property
 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
 Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
 org.apache.catalina.startup.SetAllPropertiesRule begin
 Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
 [SetAllPropertiesRule]{Server/Service/Connector} Setting property
 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
 Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
 org.apache.catalina.startup.SetAllPropertiesRule begin
 Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
 [SetAllPropertiesRule]{Server/Service/Connector} Setting property
 'ocspTimeout' to '10' did not find a matching property.
 Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
 org.apache.catalina.startup.SetAllPropertiesRule begin
 Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
 [SetAllPropertiesRule]{Server/Service/Connector} Setting property
 'strictCiphers' to 'true' did not find a matching property.
 Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
 org.apache.catalina.startup.SetAllPropertiesRule begin
 Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
 [SetAllPropertiesRule]{Server/Service/Connector} Setting property
 'sslOptions' to 'ssl2=true,ssl3=true,tls=true' did not find a matching
 property.
 Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 9:51:58 AM
 org.apache.catalina.startup.SetAllPropertiesRule begin
 Aug 13 09:51:58 lead.bioinf.local server[5213]: WARNING:
 [SetAllPropertiesRule]{Server/Service/Connector} Setting property
 'ssl2Ciphers' to
 '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL
 Aug 13 09:51:58 lead.bioinf.local server[5213]: Aug 13, 2015 

Re: [Freeipa-users] IDM/ipa slow login

2015-08-13 Thread seli irithyl
Here's the sssd_domain log part during an ssh

(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_get_account_info]
(0x0200): Got request for [0x3][1][name=test]
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_req_set_domain]
(0x0400): Changing request domain from [bioinf.local] to [bioinf.local]
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
[sdap_get_initgr_next_base] (0x0400): Searching for users with base
[cn=accounts,dc=bioinf,dc=local]
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[((uid=test)(objectclass=posixAccount)((uidNumber=*)(!(uidNumber=0][cn=accounts,dc=bioinf,dc=local].
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user]
(0x0400): Save user
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name]
(0x0400): Processing object test
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user]
(0x0400): Processing user test
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user]
(0x0400): Adding original memberOf attributes to [test].
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user]
(0x0400): Adding user principal [test@BIOINF.LOCAL] to attributes of [test].
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user]
(0x0400): Storing info for user test
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name]
(0x0400): Processing object test
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
[sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[((|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=bioinf,dc=local].
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[((|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=bioinfo,cn=groups,cn=accounts,dc=bioinf,dc=local].
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name]
(0x0400): Processing object ipausers
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name]
(0x0400): Processing object bioinfo
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
[sdap_get_groups_next_base] (0x0400): Searching for groups with base
[cn=accounts,dc=bioinf,dc=local]
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[((gidNumber=1713400050)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)((gidNumber=*)(!(gidNumber=0][cn=accounts,dc=bioinf,dc=local].
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
[sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
[sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
[sdap_nested_group_recv] (0x0400): 0 users found in the hash table
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
[sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name]
(0x0400): Processing object test
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_group]
(0x0400): Processing group test
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
[sdap_process_ghost_members] (0x0400): The group has 0 members
(Thu Aug 13 15:22:32 2015) 
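
The log above is dense, and Jakub's replies make two points worth automating: the "Could not parse domain SID from [(null)]" entries at level 0x0080 are expected for IPA users and are not where the time goes, and the real delay in the affected SSSD version came from selinux_child being run on every login. The following is an added example, not part of the thread or of SSSD: it parses back-end log lines in the format shown, counts the benign SID warnings, and reports the gaps between consecutive entries so the slow step stands out. The sample lines are constructed in the same shape as the posted ones; the child_handler_setup/child_sig_handler lines and the 15-second gap are invented to illustrate the delay, and the 2-second threshold is an assumption.

```python
import re
from datetime import datetime

# One sssd back-end log line as it appears in the thread, e.g.
# (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [func] (0x0400): message
LOG_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# Messages the SSSD maintainer in the thread calls expected for IPA users
# (IPA users carry no SID); they are noise when hunting for login latency.
BENIGN_MESSAGES = ("Could not parse domain SID from [(null)]",)

# Constructed sample: the first five lines mirror the posted log, the last
# three are invented to show a child process that takes 15 s to finish.
SAMPLE_LOG = """\
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=test]
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=test)(objectclass=posixAccount))][cn=accounts,dc=bioinf,dc=local].
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [4321]
(Thu Aug 13 15:22:47 2015) [sssd[be[bioinf.local]]] [child_sig_handler] (0x0100): child [4321] finished successfully.
(Thu Aug 13 15:22:47 2015) [sssd[be[bioinf.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
"""


def parse_log(text):
    """Parse every well-formed line; wrapped or foreign lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "time": datetime.strptime(m.group("ts"), TS_FORMAT),
            "domain": m.group("domain"),
            "func": m.group("func"),
            "level": int(m.group("level"), 16),
            "msg": m.group("msg"),
        })
    return entries


def is_benign(entry):
    return any(b in entry["msg"] for b in BENIGN_MESSAGES)


def find_slow_steps(entries, threshold_s=2.0):
    """Gaps of at least threshold_s between consecutive entries, with the
    function logged before and after the gap so the slow step is named."""
    slow = []
    for prev, cur in zip(entries, entries[1:]):
        gap = (cur["time"] - prev["time"]).total_seconds()
        if gap >= threshold_s:
            slow.append({"seconds": gap, "before": prev["func"],
                         "after": cur["func"], "after_msg": cur["msg"]})
    return slow


def summarize(text, threshold_s=2.0):
    entries = parse_log(text)
    if not entries:
        return {"entries": 0, "total_seconds": 0.0,
                "benign_sid_warnings": 0, "slow_steps": []}
    return {
        "entries": len(entries),
        "total_seconds": (entries[-1]["time"] - entries[0]["time"]).total_seconds(),
        "benign_sid_warnings": sum(1 for e in entries if is_benign(e)),
        "slow_steps": find_slow_steps(entries, threshold_s),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['entries']} entries over {s['total_seconds']:.0f}s, "
          f"{s['benign_sid_warnings']} benign SID warnings")
    for step in s["slow_steps"]:
        print(f"  {step['seconds']:.0f}s between {step['before']} and {step['after']}")
```

Because the log lines in a mail archive are wrapped mid-line, feed the script the original sssd_bioinf.local.log file rather than a pasted copy; wrapped fragments do not match the pattern and are dropped silently, which is the safer failure than guessing at a timestamp.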

Re: [Freeipa-users] IDM/ipa slow login

2015-08-13 Thread John Obaterspok
Hi Seli,

In /etc/sssd/sssd.conf add below:
 selinux_provider=none
to the domain section. Then restart sssd.

-- john


2015-08-13 16:23 GMT+02:00 seli irithyl seli.irit...@gmail.com:

 Here's the sssd_domain log part during an ssh

 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_get_account_info]
 (0x0200): Got request for [0x3][1][name=test]
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_req_set_domain]
 (0x0400): Changing request domain from [bioinf.local] to [bioinf.local]
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
 [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
 domain SID from [(null)]
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
 [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
 domain SID from [(null)]
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
 [sdap_get_initgr_next_base] (0x0400): Searching for users with base
 [cn=accounts,dc=bioinf,dc=local]
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
 [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
 [((uid=test)(objectclass=posixAccount)((uidNumber=*)(!(uidNumber=0][cn=accounts,dc=bioinf,dc=local].
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
 [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
 errmsg set
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user]
 (0x0400): Save user
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
 [sdap_get_primary_name] (0x0400): Processing object test
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user]
 (0x0400): Processing user test
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
 [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
 domain SID from [(null)]
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user]
 (0x0400): Adding original memberOf attributes to [test].
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user]
 (0x0400): Adding user principal [test@BIOINF.LOCAL] to attributes of
 [test].
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user]
 (0x0400): Storing info for user test
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
 [sdap_get_primary_name] (0x0400): Processing object test
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
 [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
 (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]
 [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
 [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=bioinf,dc=local].
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
 errmsg set
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
 [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=bioinfo,cn=groups,cn=accounts,dc=bioinf,dc=local].
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
 errmsg set
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_get_primary_name] (0x0400): Processing object ipausers
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_get_primary_name] (0x0400): Processing object bioinfo
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
 domain SID from [(null)]
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_get_groups_next_base] (0x0400): Searching for groups with base
 [cn=accounts,dc=bioinf,dc=local]
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
 [(&(gidNumber=1713400050)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=bioinf,dc=local].
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
 errmsg set
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
 domain SID from [(null)]
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
 [sdap_get_primary_name] (0x0400): Processing object test
 (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_group]
 (0x0400): Processing group test
 (Thu Aug 13 15:22:32 
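
Applying John's change in a scripted, repeatable way, as an added example that is not code from the thread: the functions below set (or replace) selinux_provider = none in the [domain/...] section of an sssd.conf and read it back, so the edit can be rehearsed on a copy before touching /etc/sssd/sssd.conf and restarting sssd. The file written by make_sample_conf is constructed for the example (a minimal ipa-client-style configuration for bioinf.local), not seli's real configuration.

```shell
#!/bin/sh
# Added example (not code from the thread): set selinux_provider = none in the
# [domain/...] section of an sssd.conf in a repeatable way and read it back.
# Assumes a single [domain/<name>] section, as ipa-client-install writes it.

# sssd_set_domain_option FILE KEY VALUE
# Puts "KEY = VALUE" directly under the [domain/...] header and drops any
# existing KEY line in that section, so running it twice still leaves one line.
sssd_set_domain_option() {
    file=$1; key=$2; value=$3
    awk -v key="$key" -v value="$value" '
        /^\[/ { in_domain = ($0 ~ /^\[domain\//) }
        in_domain && !done && /^\[/ { print; print key " = " value; done = 1; next }
        in_domain && $0 ~ ("^[ \t]*" key "[ \t]*=") { next }   # drop the old setting
        { print }
    ' "$file" > "$file.tmp" || return 1
    # Rewrite through the existing inode: sssd refuses to start unless sssd.conf
    # is root-owned mode 0600, and mv would hand it the umask mode of the temp file.
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# sssd_get_domain_option FILE KEY
# Prints the value set in the [domain/...] section, or nothing if it is unset there.
sssd_get_domain_option() {
    awk -v key="$2" '
        /^\[/ { in_domain = ($0 ~ /^\[domain\//) }
        in_domain && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
        }
    ' "$1"
}

# make_sample_conf FILE
# Constructed minimal IPA-client sssd.conf for this example, not seli's file.
make_sample_conf() {
    cat > "$1" <<'EOF'
[domain/bioinf.local]
cache_credentials = True
ipa_domain = bioinf.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, pam, ssh
domains = bioinf.local

[nss]
[pam]
EOF
}

# Usage, after rehearsing on a copy:
#   cp -p /etc/sssd/sssd.conf /root/sssd.conf.bak
#   sssd_set_domain_option /etc/sssd/sssd.conf selinux_provider none
#   sssd_get_domain_option /etc/sssd/sssd.conf selinux_provider   # -> none
#   systemctl restart sssd
```

What the setting costs: with selinux_provider = none, SSSD no longer fetches the IPA SELinux user maps for the domain, so every login gets the host's default SELinux user from /etc/selinux/targeted/seusers (unconfined_u in the stock targeted policy) instead of a per-user mapping managed centrally in IPA. On a host that does not use IPA SELinux user maps nothing is lost; on one that does, the confinement those maps provided is gone until the option is removed again.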

Re: [Freeipa-users] IDM/ipa slow login

2015-08-11 Thread Jakub Hrozek
On Tue, Aug 11, 2015 at 10:37:16AM +0200, seli irithyl wrote:
 Hi,
 
 I inherited a server (the guy that built it left) running CentOS 7 and
 Identity Management (Kerberos, 389DS, ...) with NFS.
 Everything concerning login (with network accounts) is very slow (several
 seconds).
 I already solved a lot of problems on this server (DNS, NTP, firewall, ...),
 but I am neither a sysadmin nor a Linux guru and I don't know where and
 what to look for?
 Kerberos? 389DS? NFS? SELinux? sssd? ...

Can you define slow better? Can you estimate how big is your
environment?

I would start by comparing the time it takes to search the entry in LDAP
or kinit with login through GDM or SSH. Then, if the times differ, look
into SSSD. Some pointers are here:
https://fedorahosted.org/sssd/wiki/Troubleshooting

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
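
Jakub's comparison as a runnable harness, added here as an example that is not code from the thread: time the raw building blocks (an LDAP search against the IPA server, a kinit) next to the steps that go through SSSD (an id lookup after emptying the SSSD cache, an SSH login on the same host), then decide from the numbers whether the slowness sits in the server/network path or in SSSD. The function names (now_ms, time_ms, run_login_timings, diagnose), the 1000 ms limit and the sample result lines are assumptions made for the example; run_login_timings further assumes ldap-utils, root access to the host keytab, anonymous LDAP search permitted (the IPA default) and key-based SSH for the test user.

```shell
#!/bin/sh
# Added example (not code from the thread): time the raw LDAP and Kerberos
# steps next to the SSSD-backed steps, as Jakub suggests, and say where to look.

# now_ms: wall clock in milliseconds (GNU date; whole seconds elsewhere)
now_ms() {
    ns=$(date +%s%N)
    case $ns in
        *N) echo $(( $(date +%s) * 1000 )) ;;
        *)  echo $(( ns / 1000000 )) ;;
    esac
}

# time_ms NAME CMD...: runs CMD with output discarded; prints "NAME <ms> <ok|FAIL>"
time_ms() {
    name=$1; shift
    start=$(now_ms)
    if "$@" >/dev/null 2>&1; then status=ok; else status=FAIL; fi
    end=$(now_ms)
    echo "$name $((end - start)) $status"
}

# run_login_timings USER IPA_SERVER REALM BASE_DN
# Assumes: ldap-utils installed, anonymous LDAP search permitted (IPA default),
# root (for /etc/krb5.keytab) and key-based SSH for USER to this host.
run_login_timings() {
    user=$1 server=$2 realm=$3 basedn=$4
    cc=$(mktemp)   # separate ccache so the kinit does not clobber the caller's tickets
    time_ms ldapsearch ldapsearch -x -LLL -H "ldap://$server" -b "$basedn" "(uid=$user)" dn
    time_ms kinit env KRB5CCNAME="FILE:$cc" kinit -kt /etc/krb5.keytab "host/$(hostname -f)@$realm"
    sss_cache -E >/dev/null 2>&1 || true   # make the next lookup go to the backend, not the cache
    time_ms sssd_id id "$user"
    time_ms ssh_login ssh -o BatchMode=yes "$user@localhost" true
    rm -f "$cc"
}

# diagnose RESULTS [LIMIT_MS]: RESULTS is run_login_timings output. Prints
# "server" if the raw LDAP/Kerberos steps are themselves slow, "sssd" if they
# are fast but the SSSD-backed steps exceed the limit, "ok" otherwise.
diagnose() {
    printf '%s\n' "$1" | awk -v limit="${2:-1000}" '
        { t[$1] = $2 }
        END {
            raw   = (t["ldapsearch"] > t["kinit"])     ? t["ldapsearch"] : t["kinit"]
            login = (t["sssd_id"]    > t["ssh_login"]) ? t["sssd_id"]    : t["ssh_login"]
            if (raw > limit)        print "server"
            else if (login > limit) print "sssd"
            else                    print "ok"
        }'
}

# Usage (constructed values, not seli's environment):
#   results=$(run_login_timings test ipa.bioinf.local BIOINF.LOCAL dc=bioinf,dc=local)
#   echo "$results"; diagnose "$results"
```

If diagnose says "sssd", raise debug_level in the domain section and read the sssd_<domain>.log around one login, as the rest of the thread does; if it says "server", the directory server, DNS or network path is the place to start, and SSSD is only the messenger.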