Re: [Freeipa-users] IPA-AD Login

2016-02-05 Thread Alan P
Thanks jhrozek, I have already seen it and applied it to my IPA server, but it 
didn't have any significant impact, at least for AD users. In the krb5kdc log, when 
I try to log in with an IPA user in Windows, I can see the following:

Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 172.19.21.37: NEEDED_PREAUTH: ipa.u...@ipa.ad.example.com for krbtgt/ipa.ad.example@ipa.ad.example.com, Additional pre-authentication required
Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info): closing down fd 12
Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 172.19.21.37: ISSUE: authtime 1454716332, etypes {rep=18 tkt=18 ses=18}, ipa.u...@ipa.ad.example.com for krbtgt/ipa.ad.example@ipa.ad.example.com
Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info): closing down fd 12
Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 172.19.21.37: ISSUE: authtime 1454716332, etypes {rep=18 tkt=18 ses=18}, ipa.u...@ipa.ad.example.com for krbtgt/ad.example@ipa.ad.example.com
Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info): closing down fd 12
Feb 05 17:58:45 master.ipa.ad.example.com krb5kdc[14081](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 172.19.21.37: ISSUE: authtime 1454716332, etypes {rep=18 tkt=18 ses=18}, ipa.u...@ipa.ad.example.com for cifs/master.ipa.ad.example@ipa.ad.example.com
Feb 05 17:58:45 master.ipa.ad.example.com krb5kdc[14081](info): closing down fd 12
Feb 05 17:58:47 master.ipa.ad.example.com krb5kdc[14081](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 172.19.21.37: LOOKING_UP_SERVER: authtime 0,  ipa.u...@ipa.ad.example.com for ProtectedStorage/master.ipa.ad.example@ipa.ad.example.com, Server not found in Kerberos database
Feb 05 17:58:47 master.ipa.ad.example.com krb5kdc[14081](info): closing down fd 12


In Windows, I can't find anything related.

Any other suggestion?


> Date: Fri, 5 Feb 2016 09:33:25 +0100
> From: jhro...@redhat.com
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] IPA-AD Login
> 
> On Thu, Feb 04, 2016 at 01:15:17PM -0600, Alan P wrote:
> > Hi, 
> > 
> > I just configured a trust between an IPA and an Active Directory to 
> > authenticate IPA users on Windows machines joined to the AD domain. The login 
> > is successful, but only after several minutes (nearly 25 minutes) on the 
> > first attempt; on subsequent attempts, the required time goes from 5 to 10 
> > minutes. So, what can I do to reduce the time to something more acceptable? 
> > (For reference, when an AD user authenticates it only takes 10 seconds or 
> > less).
> > 
> > My environment is:
> > 
> > IPA server 4.2.0-15 in a RHEL 7.2
> > IPA domain is a subdomain of AD (like ad.example.com and ipa.ad.example.com)
> > There are, right now, a few users, but it is planned to manage more than 10,000
> > The trust was configured as "two way"
> > 
> > AD is in a Windows Server 2012
> > It has the root domain
> > I made a domain delegation, so AD is authoritative for ad.example.com and 
> > IPA for ipa.ad.example.com
> > All windows client machines are joined here
> > There are a few users, but they are only for test purposes
> > 
> > The authentication in a windows client is:
> > user: IPA.AD.EXAMPLE.COM\ipa.user
> > pass: ipa user pass
> > 
> > From the IPA console I can kinit user...@ad.example.com with no problem.
> 
> Please see:
> 
> https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/
> 
> We're working on sssd performance fixes for the next version (1.14, will
> be in RHEL-7.3)
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
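The timing question in the log excerpt above is easier to see once the KDC entries are parsed into a timeline: every request was answered within the same second it arrived, and the 6-minute wait sits between the cross-realm TGT (krbtgt/ad.example@...) being issued and the next service ticket request, i.e. outside the KDC. The following is an added example, not code from the thread or from the FreeIPA or sssd projects. Its sample log is constructed to mirror the thread's lines; the archive-truncated principals are replaced by placeholder names (ipa.user, uppercase realm names), and the year is supplied because syslog timestamps carry none; both are assumptions.

```python
"""Timeline analysis of krb5kdc log lines from an IPA-AD trust login.

Added example, not code from the thread or from FreeIPA/sssd. It parses the
AS_REQ/TGS_REQ entries a FreeIPA KDC writes to /var/log/krb5kdc.log and
reports (a) long pauses between consecutive requests from one client IP,
which is where the login time is being spent, and (b) service principals
the KDC reported as missing from its database.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample modelled on the thread's excerpt. Principal names and the
# uppercase realms are placeholders (assumption), not the poster's real values.
SAMPLE_LOG = """\
Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 172.19.21.37: NEEDED_PREAUTH: ipa.user@IPA.AD.EXAMPLE.COM for krbtgt/IPA.AD.EXAMPLE.COM@IPA.AD.EXAMPLE.COM, Additional pre-authentication required
Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info): closing down fd 12
Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 172.19.21.37: ISSUE: authtime 1454716332, etypes {rep=18 tkt=18 ses=18}, ipa.user@IPA.AD.EXAMPLE.COM for krbtgt/IPA.AD.EXAMPLE.COM@IPA.AD.EXAMPLE.COM
Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info): closing down fd 12
Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 172.19.21.37: ISSUE: authtime 1454716332, etypes {rep=18 tkt=18 ses=18}, ipa.user@IPA.AD.EXAMPLE.COM for krbtgt/AD.EXAMPLE.COM@IPA.AD.EXAMPLE.COM
Feb 05 17:52:12 master.ipa.ad.example.com krb5kdc[14081](info): closing down fd 12
Feb 05 17:58:45 master.ipa.ad.example.com krb5kdc[14081](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 172.19.21.37: ISSUE: authtime 1454716332, etypes {rep=18 tkt=18 ses=18}, ipa.user@IPA.AD.EXAMPLE.COM for cifs/master.ipa.ad.example.com@IPA.AD.EXAMPLE.COM
Feb 05 17:58:45 master.ipa.ad.example.com krb5kdc[14081](info): closing down fd 12
Feb 05 17:58:47 master.ipa.ad.example.com krb5kdc[14081](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 172.19.21.37: LOOKING_UP_SERVER: authtime 0,  ipa.user@IPA.AD.EXAMPLE.COM for ProtectedStorage/master.ipa.ad.example.com@IPA.AD.EXAMPLE.COM, Server not found in Kerberos database
Feb 05 17:58:47 master.ipa.ad.example.com krb5kdc[14081](info): closing down fd 12
"""

# Matches the AS_REQ / TGS_REQ lines only; "closing down fd" lines do not match.
# The "authtime N, etypes {...}," part is present on ISSUE lines, "authtime 0,"
# alone on failed lookups, and absent on NEEDED_PREAUTH lines.
KDC_LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<netypes>\d+) etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<client_ip>\S+): (?P<status>\w+): "
    r"(?:authtime (?P<authtime>\d+),\s+(?:etypes \{(?P<issued>[^}]*)\},\s+)?)?"
    r"(?P<client>\S+) for (?P<server>\S+?)(?:, (?P<detail>.*))?$"
)


@dataclass
class KdcEvent:
    when: datetime
    req: str
    client_ip: str
    status: str
    client: str
    server: str
    detail: Optional[str]


def parse_kdc_log(text: str, year: int = 2016) -> list:
    """Return the request events in file order; non-request lines are skipped.

    Syslog timestamps carry no year, so one is supplied (assumption: all lines
    fall within the same year, which holds for the sample).
    """
    events = []
    for line in text.splitlines():
        m = KDC_LINE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(KdcEvent(when, m["req"], m["client_ip"], m["status"],
                               m["client"], m["server"], m["detail"]))
    return events


def slow_gaps(events, threshold_s: float = 60.0):
    """Consecutive requests from the same client IP more than threshold_s apart.

    Returns (previous_event, next_event, seconds) triples. A large gap means
    the client spent that time elsewhere, not waiting on this KDC.
    """
    last = {}
    gaps = []
    for ev in events:
        prev = last.get(ev.client_ip)
        if prev is not None:
            delta = (ev.when - prev.when).total_seconds()
            if delta > threshold_s:
                gaps.append((prev, ev, delta))
        last[ev.client_ip] = ev
    return gaps


def missing_servers(events):
    """Service principals the KDC reported as not found in its database."""
    return sorted({ev.server for ev in events
                   if ev.detail and "Server not found" in ev.detail})


def summarize(text: str, threshold_s: float = 60.0) -> dict:
    """Parse a krb5kdc log and return counts, slow gaps and missing principals."""
    events = parse_kdc_log(text)
    return {
        "requests": len(events),
        "slow_gaps": [(p.server, n.server, d)
                      for p, n, d in slow_gaps(events, threshold_s)],
        "missing_servers": missing_servers(events),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['requests']} KDC requests parsed")
    for prev_srv, next_srv, secs in report["slow_gaps"]:
        print(f"{secs:.0f}s pause after ticket for {prev_srv}; "
              f"next request was for {next_srv}")
    for srv in report["missing_servers"]:
        print(f"server not in KDC database: {srv}")
```

On the sample this reports one 393-second pause after the cross-realm krbtgt/AD.EXAMPLE.COM ticket and flags ProtectedStorage/... as absent from the KDC database. Pointed at a real /var/log/krb5kdc.log the same two checks separate "the KDC is slow" from "something between the Windows client, AD and the IPA side is slow", which is the distinction the reply about sssd tuning is drawing.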

[Freeipa-users] IPA-AD Login

2016-02-04 Thread Alan P
Hi, 

I just configured a trust between an IPA and an Active Directory to 
authenticate IPA users on Windows machines joined to the AD domain. The login is 
successful, but only after several minutes (nearly 25 minutes) on the first 
attempt; on subsequent attempts, the required time goes from 5 to 10 minutes. So, 
what can I do to reduce the time to something more acceptable? (For reference, 
when an AD user authenticates it only takes 10 seconds or less).

My environment is:

IPA server 4.2.0-15 in a RHEL 7.2
IPA domain is a subdomain of AD (like ad.example.com and ipa.ad.example.com)
There are, right now, a few users, but it is planned to manage more than 10,000
The trust was configured as "two way"

AD is in a Windows Server 2012
It has the root domain
I made a domain delegation, so AD is authoritative for ad.example.com and IPA 
for ipa.ad.example.com
All windows client machines are joined here
There are a few users, but they are only for test purposes

The authentication in a windows client is:
user: IPA.AD.EXAMPLE.COM\ipa.user
pass: ipa user pass

From the IPA console I can kinit user...@ad.example.com with no problem.

Thanks.
Alan