On 08/08/2017 08:44 PM, smfre...@gmail.com wrote:
In a few cases recently (again yesterday), we noticed RHEL7.3's "realm join" 
taking more than 5
minutes (which timed out in our cli, and running realm directly worked but took 
~6 minutes when
normally would take a few seconds). As you can see from the verbose output 
below the
two longest stretches (greater than 2 minutes! each) were waiting between 
launching
"net ads join" and piping the password in (and similarly "net ads keytab
create" had a long delay between starting the command and giving it the 
password).
Looking at realmd service/realm-samba-enroll.c e.g. begin_net_process() calling 
out to
realm_command_runv_async it was not obvious why there should be any delay 
between the
launch of the net command the passing of the password (I did see one report of 
"net
ads keytab create" hanging if the keytab already existed but that is not the 
same
problem as this). Any idea how/why such long delays between launching net and 
inputting
the password in realmd async code? > 5 minutes is a long time to do something 
that
usually completes in 10 seconds

2017-08-01 19:54:09 realmd[14197]: * Performing LDAP DSE lookup on: ...
2017-08-01 19:54:09 realmd[14197]: * Successfully discovered ...
2017-08-01 19:54:10 realmd[14197]: * Required files: /usr/sbin/oddjobd,
/usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
2017-08-01 19:54:10 realmd[14197]: * Joining using a manual netbios name: ....
2017-08-01 19:54:10 realmd[14197]: * LANG=C LOGNAME=root /usr/bin/net -s
/var/cache/realmd/realmd-smb-conf.0DFU4Y -U <username> ads join <domain>
2017-08-01 19:56:42 realmd[14197]: Enter <username's> password:
2017-08-01 19:56:42 realmd[14197]: Using short domain name -- <short name>
2017-08-01 19:56:42 realmd[14197]: Joined ... to dns domain ...
2017-08-01 19:56:42 realmd[14197]: * LANG=C LOGNAME=root /usr/bin/net -s
/var/cache/realmd/realmd-smb-conf.0DFU4Y -U <username> ads keytab create
2017-08-01 19:59:33 realmd[14197]: Enter <username's> password:

Any ideas why realmd's async processing (basically passing the password to
the underlying "net ads join" etc.) is doing this?

I would use the method mentioned in the below email thread to add the -d10 argument to the net command and keep all other parameters the same as a typical realm join then analyze the net debug output to see what is taking the longest time.

https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/MQML6NVLRFFGUHZSUF55KOBYEPH74KT5/

Kind regards,
Justin Stephenson

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

Reply via email to