Re: [Freeipa-users] Very slow enrolment process

2016-08-22 Thread Rob Crittenden

Petr Spacek wrote:

> On 22.8.2016 03:42, William Muriithi wrote:
>
>> Hello,
>>
>> I have systems that were previously using openLDAP and plan to migrate
>> them to freeIPA.  I have a problem I have been struggling with since
>> Thursday.  The client takes 10 to 15 minutes to finish the enrolment
>> process.
>>
>> I can't find anything in the logs, have disabled nscd, the DNS and
>> hostname are set up right and nothing in the message logs points me to
>> the problem.  Have put SELinux to permissive and done all the basic
>> checks I can think of.
>>
>> It's always stalling at this point. What usually happens after the end
>> of the log below?
>>
>> ---
>>
>> 2016-08-22T01:12:07Z INFO Synchronizing time with KDC...
>> 2016-08-22T01:12:07Z DEBUG Search DNS for SRV record of
>> _ntp._udp.eng.example.com.
>> 2016-08-22T01:12:07Z DEBUG DNS record found:
>> DNSResult::name:_ntp._udp.eng.example.com.,type:33,class:1,rdata={priority:0,port:123,weight:100,server:hydrogen.eng.example.com.}
>> 2016-08-22T01:12:08Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v
>> hydrogen.eng.example.com
>> 2016-08-22T01:12:08Z DEBUG stdout=
>> 2016-08-22T01:12:08Z DEBUG stderr=
>> 2016-08-22T01:12:08Z DEBUG Writing Kerberos configuration to /tmp/tmpYLpzuV:
>> 2016-08-22T01:12:08Z DEBUG #File modified by ipa-client-install
>>
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>> [libdefaults]
>>   default_realm = ENG.EXAMPLE.COM
>>   dns_lookup_realm = false
>>   dns_lookup_kdc = false
>>   rdns = false
>>   ticket_lifetime = 24h
>>   forwardable = yes
>>   udp_preference_limit = 0
>>
>> [realms]
>>   ENG.EXAMPLE.COM = {
>>     kdc = hydrogen.eng.example.com:88
>>     master_kdc = hydrogen.eng.example.com:88
>>     admin_server = hydrogen.eng.example.com:749
>>     default_domain = eng.example.com
>>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>>   }
>>
>> [domain_realm]
>>   .eng.example.com = ENG.EXAMPLE.COM
>>   eng.example.com = ENG.EXAMPLE.COM
>
> This is interesting. This output is printed right before calling the ipa-join
> command, so you should see the follow-up line "Starting external process".
>
> Is it somewhere in the file?
>
> I cannot imagine where it could hang between writing the krb5.conf file and
> starting the ipa-join command...



It potentially does a kinit before calling ipa-join depending on the 
options passed in.


What I'd do is strace the install process. This should tell you what 
it's doing.


rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Very slow enrolment process

2016-08-21 Thread Petr Spacek
On 22.8.2016 03:42, William Muriithi wrote:
> Hello,
> 
> I have systems that were previously using openLDAP and plan to migrate
> them to freeIPA.  I have a problem I have been struggling with since
> Thursday.  The client takes 10 to 15 minutes to finish the enrolment
> process.
> 
> I can't find anything in the logs, have disabled nscd, the DNS and
> hostname are set up right and nothing in the message logs points me to
> the problem.  Have put SELinux to permissive and done all the basic
> checks I can think of.
> 
> It's always stalling at this point. What usually happens after the end
> of the log below?
> 
> ---
> 
> 2016-08-22T01:12:07Z INFO Synchronizing time with KDC...
> 2016-08-22T01:12:07Z DEBUG Search DNS for SRV record of
> _ntp._udp.eng.example.com.
> 2016-08-22T01:12:07Z DEBUG DNS record found:
> DNSResult::name:_ntp._udp.eng.example.com.,type:33,class:1,rdata={priority:0,port:123,weight:100,server:hydrogen.eng.example.com.}
> 2016-08-22T01:12:08Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v
> hydrogen.eng.example.com
> 2016-08-22T01:12:08Z DEBUG stdout=
> 2016-08-22T01:12:08Z DEBUG stderr=
> 2016-08-22T01:12:08Z DEBUG Writing Kerberos configuration to /tmp/tmpYLpzuV:
> 2016-08-22T01:12:08Z DEBUG #File modified by ipa-client-install
> 
> includedir /var/lib/sss/pubconf/krb5.include.d/
> 
> [libdefaults]
>   default_realm = ENG.EXAMPLE.COM
>   dns_lookup_realm = false
>   dns_lookup_kdc = false
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = yes
>   udp_preference_limit = 0
> 
> [realms]
>   ENG.EXAMPLE.COM = {
>     kdc = hydrogen.eng.example.com:88
>     master_kdc = hydrogen.eng.example.com:88
>     admin_server = hydrogen.eng.example.com:749
>     default_domain = eng.example.com
>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>   }
> 
> [domain_realm]
>   .eng.example.com = ENG.EXAMPLE.COM
>   eng.example.com = ENG.EXAMPLE.COM


This is interesting. This output is printed right before calling the ipa-join
command, so you should see the follow-up line "Starting external process".

Is it somewhere in the file?

I cannot imagine where it could hang between writing the krb5.conf file and
starting the ipa-join command...

-- 
Petr^2 Spacek
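As an added example (not code from this thread or from the FreeIPA project), a small parser for the ipaclient-install.log format quoted above: it reports gaps between timestamped entries, so the entry just before the gap is the step to strace as Rob suggests, and it checks whether the "Starting external process" line Petr mentions ever appears after the krb5.conf dump. The sample log is constructed; its 01:24:41 entry is an assumption modelling a stalled client.

```python
import re
from datetime import datetime

# Constructed sample in the ipaclient-install.log format quoted in the thread;
# the 01:24:41 line is an assumption modelling a ~12 minute stall.
SAMPLE_LOG = """\
2016-08-22T01:12:07Z INFO Synchronizing time with KDC...
2016-08-22T01:12:08Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v hydrogen.eng.example.com
2016-08-22T01:12:08Z DEBUG Writing Kerberos configuration to /tmp/tmpYLpzuV:
2016-08-22T01:12:08Z DEBUG #File modified by ipa-client-install
[libdefaults]
  default_realm = ENG.EXAMPLE.COM
2016-08-22T01:24:41Z DEBUG Starting external process
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (\w+) (.*)$")

def parse_entries(text):
    """Group lines into (timestamp, level, message); untimestamped lines
    (the dumped krb5.conf body) continue the previous entry."""
    entries = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            entries.append([ts, m.group(2), m.group(3)])
        elif entries:
            entries[-1][2] += "\n" + line
    return [tuple(e) for e in entries]

def find_stalls(text, threshold_seconds=60):
    """(gap_seconds, message_before, message_after) for consecutive entries
    more than threshold_seconds apart; the entry before the gap is where to strace."""
    entries = parse_entries(text)
    stalls = []
    for (t0, _, m0), (t1, _, m1) in zip(entries, entries[1:]):
        gap = (t1 - t0).total_seconds()
        if gap > threshold_seconds:
            stalls.append((gap, m0.splitlines()[0], m1.splitlines()[0]))
    return stalls

def reached_ipa_join(text):
    """True if 'Starting external process' follows the krb5.conf dump,
    i.e. the installer got as far as launching ipa-join."""
    seen_krb5 = False
    for _, _, m in parse_entries(text):
        if m.startswith("Writing Kerberos configuration"):
            seen_krb5 = True
        elif seen_krb5 and m.startswith("Starting external process"):
            return True
    return False
```

Run it as `find_stalls(open("/var/log/ipaclient-install.log").read())` on a real client to see which step the 10 to 15 minutes are spent in.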
