If I ssh with an IPA user, authentication hangs on "we sent a gssapi-with-mic packet, wait for reply" for 5s to 10s. If I ssh with a local user, auth is nearly immediate (less than 1s).
From a client:

[test@argon ~]$ time id test
uid=1713400050(test) gid=1713400050(test) groups=1713400050(test),1713400004(bioinfo)

real    0m2.269s
user    0m0.001s
sys     0m0.004s

[test@argon ~]$ time id test
uid=1713400050(test) gid=1713400050(test) groups=1713400050(test),1713400004(bioinfo)

real    0m0.005s
user    0m0.002s
sys     0m0.003s

[test@argon ~]$ time ipa user-find test
--------------
1 user matched
--------------
  User login: test
  First name: test
  Last name: user
  Home directory: /home/test
  Login shell: /bin/bash
  Email address: [email protected]
  UID: 1713400050
  GID: 1713400050
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 1
----------------------------

real    0m1.464s
user    0m0.348s
sys     0m0.062s

Following the guide you sent me:

On the server:

[root@lead sssd]# systemctl status sssd
sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled)
  Drop-In: /etc/systemd/system/sssd.service.d
           └─journal.conf
   Active: active (running) since Wed 2015-08-12 16:55:50 CEST; 11min ago
  Process: 6495 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=0/SUCCESS)
 Main PID: 6496 (sssd)
   CGroup: /system.slice/sssd.service
           ├─6496 /usr/sbin/sssd -D -f
           ├─6497 /usr/libexec/sssd/sssd_be --domain bioinf.local --uid 0 --gid 0 --debug-to-files
           ├─6498 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
           ├─6499 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
           ├─6500 /usr/libexec/sssd/sssd_autofs --uid 0 --gid 0 --debug-to-files
           ├─6501 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files
           ├─6502 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --debug-to-files
           └─6503 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files

Aug 12 16:55:50 lead.bioinf.local sssd[autofs][6500]: Starting up
Aug 12 16:55:50 lead.bioinf.local sssd[pam][6499]: Starting up
Aug 12 16:55:50 lead.bioinf.local sssd[sudo][6502]: Starting up
Aug 12 16:55:50 lead.bioinf.local sssd[ssh][6501]: Starting up
Aug 12 16:55:50 lead.bioinf.local sssd[pac][6503]: Starting up
Aug 12 16:55:50 lead.bioinf.local sssd_be[6497]: GSSAPI client step 1
Aug 12 16:55:50 lead.bioinf.local sssd_be[6497]: GSSAPI client step 1
Aug 12 16:55:50 lead.bioinf.local systemd[1]: Started System Security Services Daemon.
Aug 12 16:55:51 lead.bioinf.local sssd_be[6497]: GSSAPI client step 1
Aug 12 16:55:51 lead.bioinf.local sssd_be[6497]: GSSAPI client step 2

[root@lead sssd]# more /etc/nsswitch.conf
passwd:     files sss
shadow:     files sss
group:      files sss
#initgroups: files
#hosts:     db files nisplus nis dns
hosts:      files dns
# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss
publickey:  nisplus
automount:  files
aliases:    files

[root@lead sssd]# date
Wed Aug 12 17:09:50 CEST 2015
[root@lead sssd]# systemctl restart sssd
[root@lead sssd]# getent passwd test
test:*:1713400050:1713400050:test user:/home/test:/bin/bash

sssd_nss.log:

(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_responder_ctx_destructor] (0x0400): Responder is being shut down
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [confdb_get_domain_internal] (0x0400): No enumeration for [bioinf.local]!
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sbus_init_connection] (0x0400): Adding connection 0x7ff00ae60ec0
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [monitor_common_send_id] (0x0100): Sending ID: (nss,1)
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sbus_init_connection] (0x0400): Adding connection 0x7ff00ae60b00
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,NSS)
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sysdb_domain_init_internal] (0x0200): DB File for bioinf.local: /var/lib/sss/db/cache_bioinf.local.ldb
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_process_init] (0x0400): Responder Initialization complete
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/bioinf.local/root] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'polkitd' matched without domain, user is polkitd
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/bioinf.local/polkitd] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'avahi' matched without domain, user is avahi
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/bioinf.local/avahi] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'colord' matched without domain, user is colord
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/bioinf.local/colord] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'rtkit' matched without domain, user is rtkit
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/bioinf.local/rtkit] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'pulse' matched without domain, user is pulse
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/bioinf.local/pulse] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'gdm' matched without domain, user is gdm
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/bioinf.local/gdm] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'postfix' matched without domain, user is postfix
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/bioinf.local/postfix] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/bioinf.local/root] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'polkitd' matched without domain, user is polkitd
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/bioinf.local/polkitd] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'avahi' matched without domain, user is avahi
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/bioinf.local/avahi] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'colord' matched without domain, user is colord
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/bioinf.local/colord] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'rtkit' matched without domain, user is rtkit
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/bioinf.local/rtkit] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'pulse' matched without domain, user is pulse
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/bioinf.local/pulse] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'gdm' matched without domain, user is gdm
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/bioinf.local/gdm] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'postfix' matched without domain, user is postfix
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/bioinf.local/postfix] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/sh in /etc/shells
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/bash in /etc/shells
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /sbin/nologin in /etc/shells
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /usr/bin/sh in /etc/shells
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /usr/bin/bash in /etc/shells
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /usr/sbin/nologin in /etc/shells
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/tcsh in /etc/shells
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/csh in /etc/shells
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_process_init] (0x0400): NSS Initialization complete
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7ff00a44a670:[email protected]]
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [bioinf.local][]
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7ff00a44a670:[email protected]]
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Wed Aug 12 17:09:59 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7ff00a44a670:[email protected]]
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [root].
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [root] from [<ALL>]
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [root] does not exist in [bioinf.local]! (negative cache)
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080): No matching domain found for [root], fail!
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [38] with input [root].
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [root] from [<ALL>]
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0400): User [root] does not exist in [bioinf.local]! (negative cache)
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0080): No matching domain found for [root], fail!
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [test].
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'test' matched without domain, user is test
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [test] from [<ALL>]
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [[email protected]]
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [[email protected]]
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!

sssd.conf:

[sssd]
debug_level = 6
config_file_version = 2
services = nss, pam, autofs, ssh, sudo
domains = bioinf.local

[nss]
debug_level = 6
filter_users = root, polkitd, avahi, colord, rtkit, pulse, gdm, postfix
filter_groups = root, polkitd, avahi, colord, rtkit, pulse, gdm, postfix
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]
debug_level = 6

[domain/bioinf.local]
enumerate = false
debug_level = 6
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = bioinf.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = lead.bioinf.local
chpass_provider = ipa
ipa_server = _srv_, lead.bioinf.local
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_lifetime = 1d
krb5_renewable_lifetime = 7d
krb5_renew_interval = 3600

[ssh]
debug_level = 6

[autofs]
debug_level = 6

[sudo]

On Tue, Aug 11, 2015 at 1:39 PM, Jakub Hrozek <[email protected]> wrote:
> On Tue, Aug 11, 2015 at 10:37:16AM +0200, seli irithyl wrote:
> > Hi,
> >
> > I inherited a server (the guy that built it left) running centos 7 and
> > Identity Management (Kerberos, 389DS, ...) with NFS.
> > Everything concerning login (with network accounts) is very slow (several
> > seconds).
> > I already solved a lot of problems on this server (DNS, NTP, firewall, ...),
> > but I am neither a sysadmin nor a linux guru and I don't know where and
> > what to look for?
> > Kerberos? 389DS? NFS? SElinux? sssd? ...
>
> Can you define "slow" better? Can you estimate how big is your
> environment?
>
> I would start by comparing the time it takes to search the entry in LDAP
> or kinit with login through GDM or SSH. Then, if the times differ, look
> into SSSD. Some pointers are here:
> https://fedorahosted.org/sssd/wiki/Troubleshooting
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
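The sssd_nss.log above shows the nss responder issuing a data-provider request at 17:09:56 and deleting it at 17:09:59, while the later lookup of "test" is answered from cache in the same second. The following script is an added example, not code from the thread or from SSSD: it parses debug lines in the sssd_nss.log format and pairs each "Issuing request" with its "Deleting request" to report how long every lookup waited on sssd_be. The sample lines are constructed in that format; the request pointer and the user@domain value are made up.

```python
import re
from datetime import datetime

# Constructed sample in the sssd_nss.log format from the thread (debug_level = 6);
# the request pointer and user@domain values are made up for this example.
SAMPLE_LOG = """\
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7ff00a44a670:test@bioinf.local]
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [bioinf.local][]
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7ff00a44a670:test@bioinf.local]
(Wed Aug 12 17:09:59 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7ff00a44a670:test@bioinf.local]
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [test@bioinf.local]
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
"""

# One sssd debug line: (timestamp) [sssd[service]] [function] (level): message
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<svc>\w+)\]\] "
                     r"\[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-f]+)\): (?P<msg>.*)$")
# Request key as sssd prints it: [<pointer>:<name@domain>]
REQ_RE = re.compile(r"\[(?P<key>0x[0-9a-f]+:[^\]]+)\]")
TS_FMT = "%a %b %d %H:%M:%S %Y"


def parse_line(line):
    """Return the fields of one debug line, or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def dp_request_latencies(log_text):
    """Pair 'Issuing request' with the matching 'Deleting request' by request key;
    return {key: seconds} the nss responder waited on the data provider (sssd_be)."""
    started, latencies = {}, {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["func"] not in ("sss_dp_issue_request", "sss_dp_req_destructor"):
            continue
        key = REQ_RE.search(rec["msg"]).group("key")
        if rec["func"] == "sss_dp_issue_request":
            started[key] = rec["ts"]
        elif key in started:
            latencies[key] = (rec["ts"] - started.pop(key)).total_seconds()
    return latencies


def slow_requests(log_text, threshold_s=1.0):
    """Only the data-provider round-trips at or above the threshold, in seconds."""
    return {k: v for k, v in dp_request_latencies(log_text).items() if v >= threshold_s}
```

Run it over a real sssd_nss.log to separate lookups that hit the local cache from those that had to wait for the IPA backend; the latter are the ones worth comparing against the ssh login delay.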
