On 08/08/2017 08:44 PM, [email protected] wrote:
In a few cases recently (again yesterday), we noticed RHEL7.3's "realm join"
taking more than 5
minutes (which timed out in our cli, and running realm directly worked but took
~6 minutes when
normally would take a few seconds). As you can see from the verbose output
below the
two longest stretches (greater than 2 minutes! each) were waiting between
launching
"net ads join" and piping the password in (and similarly "net ads keytab
create" had a long delay between starting the command and giving it the
password).
Looking at realmd service/realm-samba-enroll.c e.g. begin_net_process() calling
out to
realm_command_runv_async it was not obvious why there should be any delay
between the
launch of the net command the passing of the password (I did see one report of
"net
ads keytab create" hanging if the keytab already existed but that is not the
same
problem as this). Any idea how/why such long delays between launching net and
inputting
the password in realmd async code? > 5 minutes is a long time to do something
that
usually completes in 10 seconds
2017-08-01 19:54:09 realmd[14197]: * Performing LDAP DSE lookup on: ...
2017-08-01 19:54:09 realmd[14197]: * Successfully discovered ...
2017-08-01 19:54:10 realmd[14197]: * Required files: /usr/sbin/oddjobd,
/usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
2017-08-01 19:54:10 realmd[14197]: * Joining using a manual netbios name: ....
2017-08-01 19:54:10 realmd[14197]: * LANG=C LOGNAME=root /usr/bin/net -s
/var/cache/realmd/realmd-smb-conf.0DFU4Y -U <username> ads join <domain>
2017-08-01 19:56:42 realmd[14197]: Enter <username's> password:
2017-08-01 19:56:42 realmd[14197]: Using short domain name -- <short name>
2017-08-01 19:56:42 realmd[14197]: Joined ... to dns domain ...
2017-08-01 19:56:42 realmd[14197]: * LANG=C LOGNAME=root /usr/bin/net -s
/var/cache/realmd/realmd-smb-conf.0DFU4Y -U <username> ads keytab create
2017-08-01 19:59:33 realmd[14197]: Enter <username's> password:
Any ideas why realmd's async processing (basically passing the password to
the underlying "net ads join" etc.) is doing this?
I would use the method mentioned in the below email thread to add the
-d10 argument to the net command and keep all other parameters the same
as a typical realm join then analyze the net debug output to see what is
taking the longest time.
https://lists.fedorahosted.org/archives/list/[email protected]/thread/MQML6NVLRFFGUHZSUF55KOBYEPH74KT5/
Kind regards,
Justin Stephenson
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
