Re: [Freeipa-users] RHEL 7 beta trust - slow domain user authentication to Linux hosts

2014-02-12 Thread Sumit Bose
On Mon, Feb 10, 2014 at 02:08:22PM -0500, Steve Dainard wrote:
 Sure:
 

...

 (0x0400): Attempting kinit for realm [MIOVISION.CORP]
 (Mon Feb 10 10:14:58 2014) [[sssd[krb5_child[9879 [validate_tgt]
 (0x0400): TGT verified using key for
 [host/snapshot-test.miolinux.c...@miolinux.corp].
 (Mon Feb 10 10:15:06 2014) [[sssd[krb5_child[9879 [become_user]
 (0x0200): Trying to become user [799001323][799001323].

...

 (0x0400): Attempting kinit for realm [MIOVISION.CORP]
 (Mon Feb 10 10:16:35 2014) [[sssd[krb5_child[9929 [validate_tgt]
 (0x0400): TGT verified using key for
 [host/snapshot-test.miolinux.c...@miolinux.corp].
 (Mon Feb 10 10:16:40 2014) [[sssd[krb5_child[9929 [become_user]
 (0x0200): Trying to become user [799001323][799001323].

...

 (0x0400): Attempting kinit for realm [MIOVISION.CORP]
 (Mon Feb 10 10:16:57 2014) [[sssd[krb5_child[9960 [validate_tgt]
 (0x0400): TGT verified using key for
 [host/snapshot-test.miolinux.c...@miolinux.corp].
 (Mon Feb 10 10:17:01 2014) [[sssd[krb5_child[9960 [become_user]
 (0x0200): Trying to become user [799001323][799001323].

...

 (0x0400): Attempting kinit for realm [MIOVISION.CORP]
 (Mon Feb 10 10:17:30 2014) [[sssd[krb5_child[10018 [validate_tgt]
 (0x0400): TGT verified using key for
 [host/snapshot-test.miolinux.c...@miolinux.corp].
 (Mon Feb 10 10:17:34 2014) [[sssd[krb5_child[10018 [become_user]
 (0x0200): Trying to become user [799001323][799001323].

As you can see, the time is spent validating the ticket. For a user from
a trusted domain this includes a request for a cross-realm TGT to an AD
server and then a request to an IPA KDC for a service ticket for the
local host. With debug_level 9 and higher the libkrb5 tracing is
switched on which would in more detail show where the time is lost. It
will also show which AD server is contacted.

You mentioned in your other mail that with a different client the logins
are faster. Are the two clients in the same network segment? Or is there
a chance that the other client is nearer to the AD server?

bye,
Sumit

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
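
The gap the reply above points to (between the validate_tgt and become_user entries) can be located mechanically in a krb5_child.log. The following is an added example, not part of the original mails and not SSSD code; the sample log is constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the krb5_child.log format quoted in this thread
# (PID, realms and times are made up); the second entry is wrapped as in the mail.
SAMPLE_LOG = """\
(Mon Feb 10 10:00:00 2014) [[sssd[krb5_child[4242]]]] [main] (0x0400): krb5_child started.
(Mon Feb 10 10:00:00 2014) [[sssd[krb5_child[4242]]]] [get_and_save_tgt]
(0x0400): Attempting kinit for realm [AD.EXAMPLE.TEST]
(Mon Feb 10 10:00:01 2014) [[sssd[krb5_child[4242]]]] [validate_tgt] (0x0400): TGT verified using key for [host/client.ipa.example.test@IPA.EXAMPLE.TEST].
(Mon Feb 10 10:00:08 2014) [[sssd[krb5_child[4242]]]] [become_user] (0x0200): Trying to become user [1000][1000].
(Mon Feb 10 10:00:08 2014) [[sssd[krb5_child[4242]]]] [main] (0x0400): krb5_child completed successfully
"""

# Tolerates wrapped entries and closing brackets stripped by a mail archive.
ENTRY = re.compile(
    r"\((\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\)\s+"
    r"\[+sssd\[krb5_child\[(\d+)\]*\s+\[(\w+)\]"
)

def parse_entries(text):
    """Return {pid: [(timestamp, function), ...]} in log order."""
    per_pid = defaultdict(list)
    for ts, pid, func in ENTRY.findall(text):
        when = datetime.strptime(ts, "%a %b %d %H:%M:%S %Y")
        per_pid[int(pid)].append((when, func))
    return per_pid

def slowest_step(entries):
    """Largest gap between consecutive entries: (seconds, before, after)."""
    worst = (0.0, None, None)
    for (t0, f0), (t1, f1) in zip(entries, entries[1:]):
        gap = (t1 - t0).total_seconds()
        if gap > worst[0]:
            worst = (gap, f0, f1)
    return worst

def report(text, threshold=2.0):
    """List (pid, total_seconds, gap_seconds, before, after) for slow runs."""
    rows = []
    for pid, entries in parse_entries(text).items():
        total = (entries[-1][0] - entries[0][0]).total_seconds()
        gap, before, after = slowest_step(entries)
        if gap >= threshold:
            rows.append((pid, total, gap, before, after))
    return rows

for pid, total, gap, before, after in report(SAMPLE_LOG):
    print(f"pid {pid}: {total:.0f}s total, {gap:.0f}s between {before} and {after}")
```

Log timestamps have one-second resolution, so gaps below the threshold are not meaningful; the libkrb5 trace enabled at debug_level 9 is what shows which request inside the gap is slow.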


Re: [Freeipa-users] RHEL 7 beta trust - slow domain user authentication to Linux hosts

2014-02-10 Thread Sumit Bose
On Mon, Feb 10, 2014 at 10:55:33AM -0500, Steve Dainard wrote:
 I've setup RHEL 7 beta IPA with a trust to an AD domain.
 
 When I use an AD domain login it takes roughly 9-14 seconds to get to a
 shell after entering a password. Is there any way to speed this process up?
 I thought supplemental logins would be quicker, but the login time is the
 same. This is either via console, or via ssh@localhost or ssh over the
 network.

At first glance I would say that the delay is in krb5_child. Can you
send this log file as well?

bye,
Sumit

 
 IPA realm = miolinux.corp
 DC domain/forest = miovision.corp
 

...

 (Mon Feb 10 10:17:29 2014) [sssd[be[miolinux.corp]]] [write_pipe_handler]
 (0x0400): All data has been sent!

...

 *(Mon Feb 10 10:17:35 2014) [sssd[be[miolinux.corp]]] [read_pipe_handler]
 (0x0400): EOF received, client finished*
 



Re: [Freeipa-users] RHEL 7 beta trust - slow domain user authentication to Linux hosts

2014-02-10 Thread Steve Dainard
Sure:

(Mon Feb 10 10:14:58 2014) [[sssd[krb5_child[9879 [main] (0x0400):
krb5_child started.
(Mon Feb 10 10:14:58 2014) [[sssd[krb5_child[9879 [unpack_buffer]
(0x1000): total buffer size: [125]
(Mon Feb 10 10:14:58 2014) [[sssd[krb5_child[9879 [unpack_buffer]
(0x0100): cmd [241] uid [799001323] gid [799001323] validate [true] offline
[false] UPN [sdain...@miovision.corp]
(Mon Feb 10 10:14:58 2014) [[sssd[krb5_child[9879 [unpack_buffer]
(0x0100): ccname: [FILE:/tmp/krb5cc_799001323_zWaW2Z] keytab:
[/etc/krb5.keytab]
(Mon Feb 10 10:14:58 2014) [[sssd[krb5_child[9879 [krb5_child_setup]
(0x0400): Will perform online auth
(Mon Feb 10 10:14:58 2014) [[sssd[krb5_child[9879 [krb5_child_setup]
(0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Mon Feb 10 10:14:58 2014) [[sssd[krb5_child[9879 [krb5_child_setup]
(0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Mon Feb 10 10:14:58 2014) [[sssd[krb5_child[9879
[krb5_set_canonicalize] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon Feb 10 10:14:58 2014) [[sssd[krb5_child[9879 [krb5_child_setup]
(0x0100): Not using FAST.
(Mon Feb 10 10:14:58 2014) [[sssd[krb5_child[9879 [tgt_req_child]
(0x1000): Attempting to get a TGT
(Mon Feb 10 10:14:58 2014) [[sssd[krb5_child[9879 [get_and_save_tgt]
(0x0400): Attempting kinit for realm [MIOVISION.CORP]
(Mon Feb 10 10:14:58 2014) [[sssd[krb5_child[9879 [validate_tgt]
(0x0400): TGT verified using key for
[host/snapshot-test.miolinux.c...@miolinux.corp].
(Mon Feb 10 10:15:06 2014) [[sssd[krb5_child[9879 [become_user]
(0x0200): Trying to become user [799001323][799001323].
(Mon Feb 10 10:15:06 2014) [[sssd[krb5_child[9879 [create_ccache_file]
(0x0200): Creating ccache at [FILE:/tmp/krb5cc_799001323_zWaW2Z]
(Mon Feb 10 10:15:06 2014) [[sssd[krb5_child[9879 [create_ccache_file]
(0x1000): Created ccache file: [FILE:/tmp/krb5cc_799001323_zWaW2Z]
(Mon Feb 10 10:15:06 2014) [[sssd[krb5_child[9879
[prepare_response_message] (0x0400): Building response for result [0]
(Mon Feb 10 10:15:06 2014) [[sssd[krb5_child[9879 [main] (0x0400):
krb5_child completed successfully
(Mon Feb 10 10:16:34 2014) [[sssd[krb5_child[9929 [main] (0x0400):
krb5_child started.
(Mon Feb 10 10:16:34 2014) [[sssd[krb5_child[9929 [unpack_buffer]
(0x1000): total buffer size: [125]
(Mon Feb 10 10:16:34 2014) [[sssd[krb5_child[9929 [unpack_buffer]
(0x0100): cmd [241] uid [799001323] gid [799001323] validate [true] offline
[false] UPN [sdain...@miovision.corp]
(Mon Feb 10 10:16:34 2014) [[sssd[krb5_child[9929 [unpack_buffer]
(0x0100): ccname: [FILE:/tmp/krb5cc_799001323_zWaW2Z] keytab:
[/etc/krb5.keytab]
(Mon Feb 10 10:16:34 2014) [[sssd[krb5_child[9929 [krb5_child_setup]
(0x0400): Will perform online auth
(Mon Feb 10 10:16:34 2014) [[sssd[krb5_child[9929 [krb5_child_setup]
(0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Mon Feb 10 10:16:34 2014) [[sssd[krb5_child[9929 [krb5_child_setup]
(0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Mon Feb 10 10:16:34 2014) [[sssd[krb5_child[9929
[krb5_set_canonicalize] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon Feb 10 10:16:34 2014) [[sssd[krb5_child[9929 [krb5_child_setup]
(0x0100): Not using FAST.
(Mon Feb 10 10:16:34 2014) [[sssd[krb5_child[9929 [tgt_req_child]
(0x1000): Attempting to get a TGT
(Mon Feb 10 10:16:34 2014) [[sssd[krb5_child[9929 [get_and_save_tgt]
(0x0400): Attempting kinit for realm [MIOVISION.CORP]
(Mon Feb 10 10:16:35 2014) [[sssd[krb5_child[9929 [validate_tgt]
(0x0400): TGT verified using key for
[host/snapshot-test.miolinux.c...@miolinux.corp].
(Mon Feb 10 10:16:40 2014) [[sssd[krb5_child[9929 [become_user]
(0x0200): Trying to become user [799001323][799001323].
(Mon Feb 10 10:16:40 2014) [[sssd[krb5_child[9929 [create_ccache_file]
(0x0200): Creating ccache at [FILE:/tmp/krb5cc_799001323_zWaW2Z]
(Mon Feb 10 10:16:40 2014) [[sssd[krb5_child[9929 [create_ccache_file]
(0x1000): Created ccache file: [FILE:/tmp/krb5cc_799001323_zWaW2Z]
(Mon Feb 10 10:16:40 2014) [[sssd[krb5_child[9929
[prepare_response_message] (0x0400): Building response for result [0]
(Mon Feb 10 10:16:40 2014) [[sssd[krb5_child[9929 [main] (0x0400):
krb5_child completed successfully
(Mon Feb 10 10:16:57 2014) [[sssd[krb5_child[9960 [main] (0x0400):
krb5_child started.
(Mon Feb 10 10:16:57 2014) [[sssd[krb5_child[9960 [unpack_buffer]
(0x1000): total buffer size: [125]
(Mon Feb 10 10:16:57 2014) [[sssd[krb5_child[9960 [unpack_buffer]
(0x0100): cmd [241] uid [799001323] gid [799001323] validate [true] offline
[false] UPN [sdain...@miovision.corp]
(Mon Feb 10 10:16:57 2014) [[sssd[krb5_child[9960 [unpack_buffer]
(0x0100): ccname: [FILE:/tmp/krb5cc_799001323_zWaW2Z] keytab:
[/etc/krb5.keytab]
(Mon Feb 10 10:16:57 2014) [[sssd[krb5_child[9960 [krb5_child_setup]
(0x0400): Will perform online auth
(Mon Feb 10 10:16:57