We currently use FreeIPA to support a centralized repository of our SSH pubkeys, which are the only thing allowed to be used for logging in to our servers. We have installed a CentOS 7 machine (up to date) with IPA 3.3.3 (from the default repo) and immediately upon install, the web UI is excruciatingly slow.
After adding users and hosts, the slowness remains. At times, when using sudo commands (sudo rules are actually on the local machine), LDAP timeouts occur. The web GUI remains almost unusable.
We decided to try the latest and installed Fedora 2x with IPA 4.0.1. Upon install we noticed the same slowness for the web GUI, and every other issue matches our previous experience. A couple of us used IPA 3.0 back on CentOS 6.5 without issue. We would like to avoid going back that far, as surely the solution is to fix something we messed up.
Here is the output of $ KRB5_TRACE=/dev/stderr kinit admin:
auth-1 ~ # KRB5_TRACE=/dev/stderr kinit admin
[5849] 1412384797.188699: Getting initial credentials for admin@JOINSG.NET
[5849] 1412384797.191831: Sending request (161 bytes) to JOINSG.NET
[5849] 1412384797.192393: Sending initial UDP request to dgram 173.234.61.206:88
[5849] 1412384797.196589: Received answer from dgram 173.234.61.206:88
[5849] 1412384797.196894: Response was from master KDC
[5849] 1412384797.197091: Received error from KDC: -1765328359/Additional pre-authentication required
[5849] 1412384797.197213: Processing preauth types: 136, 19, 2, 133
[5849] 1412384797.197329: Selected etype info: etype aes256-cts, salt "&#ceY?Ig]HqA7#-I", params ""
[5849] 1412384797.197383: Received cookie: MIT
Password for admin@JOINSG.NET:
[5849] 1412384838.573302: AS key obtained for encrypted timestamp: aes256-cts/1A3C
[5849] 1412384838.573666: Encrypted timestamp (for 1412384838.572836): plain 301AA011180F32303134313030343031303731385AA105020308BDA4, encrypted 05C477A96F7E882177DD26D12C9A64B1222D531B3035BEA68CBB29C8D45A05DCCDF3516BB62D71CBA5F66BBAA849F32362D67786B348BC74
[5849] 1412384838.573890: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success
[5849] 1412384838.573942: Produced preauth for next request: 133, 2
[5849] 1412384838.574082: Sending request (254 bytes) to JOINSG.NET
[5849] 1412384838.574423: Sending initial UDP request to dgram 173.234.61.206:88
[5849] 1412384839.577042: Initiating TCP connection to stream 173.234.61.206:88
[5849] 1412384839.577283: Sending TCP request to stream 173.234.61.206:88
[5849] 1412384840.653095: Received answer from dgram 173.234.61.206:88
[5849] 1412384840.653240: Response was from master KDC
[5849] 1412384840.653329: Processing preauth types: 19
[5849] 1412384840.653338: Selected etype info: etype aes256-cts, salt "&#ceY?Ig]HqA7#-I", params ""
[5849] 1412384840.653341: Produced preauth for next request: (empty)
[5849] 1412384840.653349: AS key determined by preauth: aes256-cts/1A3C
[5849] 1412384840.653392: Decrypted AS reply; session key is: aes256-cts/FF5B
[5849] 1412384840.653427: FAST negotiation: available
[5849] 1412384840.653444: Initializing KEYRING:persistent:0:0 with default princ admin@JOINSG.NET
[5849] 1412384840.653479: Removing admin@JOINSG.NET -> krbtgt/JOINSG.NET@JOINSG.NET from KEYRING:persistent:0:0
[5849] 1412384840.653483: Storing admin@JOINSG.NET -> krbtgt/JOINSG.NET@JOINSG.NET in KEYRING:persistent:0:0
[5849] 1412384840.653519: Storing config in KEYRING:persistent:0:0 for krbtgt/JOINSG.NET@JOINSG.NET: fast_avail: yes
[5849] 1412384840.653548: Removing admin@JOINSG.NET -> krb5_ccache_conf_data/fast_avail/krbtgt\/JOINSG.NET\@JOINSG.NET@X-CACHECONF: from KEYRING:persistent:0:0
[5849] 1412384840.653555: Storing admin@JOINSG.NET -> krb5_ccache_conf_data/fast_avail/krbtgt\/JOINSG.NET\@JOINSG.NET@X-CACHECONF: in KEYRING:persistent:0:0
[5849] 1412384840.653576: Storing config in KEYRING:persistent:0:0 for krbtgt/JOINSG.NET@JOINSG.NET: pa_type: 2
[5849] 1412384840.653584: Removing admin@JOINSG.NET -> krb5_ccache_conf_data/pa_type/krbtgt\/JOINSG.NET\@JOINSG.NET@X-CACHECONF: from KEYRING:persistent:0:0
[5849] 1412384840.653588: Storing admin@JOINSG.NET -> krb5_ccache_conf_data/pa_type/krbtgt\/JOINSG.NET\@JOINSG.NET@X-CACHECONF: in KEYRING:persistent:0:0
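
The following is an added example, not part of the original post: a small Python parser for KRB5_TRACE output that measures each KDC exchange from "Sending request" to "Received answer" and breaks it down step by step. The function names (`parse_trace`, `kdc_exchanges`) are hypothetical, and the sample input is built from the network lines of the trace above.

```python
import re

# Constructed sample: the network lines of both AS exchanges, copied from the trace above.
SAMPLE_TRACE = """\
[5849] 1412384797.191831: Sending request (161 bytes) to JOINSG.NET
[5849] 1412384797.192393: Sending initial UDP request to dgram 173.234.61.206:88
[5849] 1412384797.196589: Received answer from dgram 173.234.61.206:88
[5849] 1412384838.574082: Sending request (254 bytes) to JOINSG.NET
[5849] 1412384838.574423: Sending initial UDP request to dgram 173.234.61.206:88
[5849] 1412384839.577042: Initiating TCP connection to stream 173.234.61.206:88
[5849] 1412384839.577283: Sending TCP request to stream 173.234.61.206:88
[5849] 1412384840.653095: Received answer from dgram 173.234.61.206:88
"""

# "[pid] seconds.microseconds: message"
LINE_RE = re.compile(r"^\[(\d+)\] (\d+)\.(\d+): (.*)$")

def parse_trace(text):
    """Return (timestamp_in_microseconds, message) for every timestamped line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # shell prompts and "Password for ..." carry no timestamp
        _pid, sec, usec, msg = m.groups()
        events.append((int(sec) * 1_000_000 + int(usec), msg))
    return events

def kdc_exchanges(events):
    """Group events from each 'Sending request' to the next 'Received answer'."""
    exchanges, current = [], None
    for ts, msg in events:
        if msg.startswith("Sending request"):
            current = [(ts, msg)]
        elif current is not None:
            current.append((ts, msg))
            if msg.startswith("Received answer"):
                # Each step is (microseconds since the previous line, message).
                steps = [(b[0] - a[0], b[1]) for a, b in zip(current, current[1:])]
                exchanges.append({"round_trip_us": ts - current[0][0], "steps": steps})
                current = None
    return exchanges

if __name__ == "__main__":
    for n, ex in enumerate(kdc_exchanges(parse_trace(SAMPLE_TRACE)), 1):
        print(f"exchange {n}: {ex['round_trip_us'] / 1000:.1f} ms round trip")
        for delta_us, msg in ex["steps"]:
            print(f"  +{delta_us / 1000:9.1f} ms  {msg}")
```

On this sample the first exchange completes in about 4.8 ms, while the second takes about 2.08 s: roughly 1.0 s passes before the TCP connection is initiated and another 1.08 s before the answer arrives.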