FreeIPA LDAP ratings, possibly due to Kerberos

We are currently using FreeIPA, so we maintain a centralized repository of our SSH public keys that can only be used to log into our servers. We installed a CentOS 7 machine (updated) with IPA 3.3.3 (from the default repo) and right after installation, the web is painfully slow.

After adding users and hosts, the slowness remains. Sometimes when using sudo commands (sudo rules are actually on the local machine), LDAP timeouts occur. The GUI network remains largely unusable.

We decided to try the newest version and installed Fedora 2x with IPA 4.0.1. After installation, we noticed the same slowness for the web GUI, and every other issue is consistent with our previous experience. Several of us have used IPA 3.0 on CentOS 6.5 without issue. We would like to avoid a refund, as the solution is definitely to fix something we messed up.

Here's the result of KRB5_TRACE=/dev/stderr kinit admin:

auth-1 ~ # KRB5_TRACE=/dev/stderr kinit admin
[5849] 1412384797.188699: Getting initial credentials for admin@JOINSG.NET
[5849] 1412384797.191831: Sending request (161 bytes) to JOINSG.NET
[5849] 1412384797.192393: Sending initial UDP request to dgram 173.234.61.206:88
[5849] 1412384797.196589: Received answer from dgram 173.234.61.206:88
[5849] 1412384797.196894: Response was from master KDC
[5849] 1412384797.197091: Received error from KDC: -1765328359/Additional pre-authentication required
[5849] 1412384797.197213: Processing preauth types: 136, 19, 2, 133
[5849] 1412384797.197329: Selected etype info: etype aes256-cts, salt "&#ceY?Ig]HqA7#-I", params ""
[5849] 1412384797.197383: Received cookie: MIT
Password for admin@JOINSG.NET:
[5849] 1412384838.573302: AS key obtained for encrypted timestamp: aes256-cts/1A3C
[5849] 1412384838.573666: Encrypted timestamp (for 1412384838.572836): plain 301AA011180F32303134313030343031303731385AA105020308BDA4, encrypted 05C477A96F7E882177DD26D12C9A64B1222D531B3035BEA68CBB29C8D45A05DCCDF3516BB62D71CBA5F66BBAA849F32362D67786B348BC74
[5849] 1412384838.573890: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success
[5849] 1412384838.573942: Produced preauth for next request: 133, 2
[5849] 1412384838.574082: Sending request (254 bytes) to JOINSG.NET
[5849] 1412384838.574423: Sending initial UDP request to dgram 173.234.61.206:88
[5849] 1412384839.577042: Initiating TCP connection to stream 173.234.61.206:88
[5849] 1412384839.577283: Sending TCP request to stream 173.234.61.206:88
[5849] 1412384840.653095: Received answer from dgram 173.234.61.206:88
[5849] 1412384840.653240: Response was from master KDC
[5849] 1412384840.653329: Processing preauth types: 19
[5849] 1412384840.653338: Selected etype info: etype aes256-cts, salt "&#ceY?Ig]HqA7#-I", params ""
[5849] 1412384840.653341: Produced preauth for next request: (empty)
[5849] 1412384840.653349: AS key determined by preauth: aes256-cts/1A3C
[5849] 1412384840.653392: Decrypted AS reply; session key is: aes256-cts/FF5B
[5849] 1412384840.653427: FAST negotiation: available
[5849] 1412384840.653444: Initializing KEYRING:persistent:0:0 with default princ admin@JOINSG.NET
[5849] 1412384840.653479: Removing admin@JOINSG.NET -> krbtgt/JOINSG.NET@JOINSG.NET from KEYRING:persistent:0:0
[5849] 1412384840.653483: Storing admin@JOINSG.NET -> krbtgt/JOINSG.NET@JOINSG.NET in KEYRING:persistent:0:0
[5849] 1412384840.653519: Storing config in KEYRING:persistent:0:0 for krbtgt/JOINSG.NET@JOINSG.NET: fast_avail: yes
[5849] 1412384840.653548: Removing admin@JOINSG.NET -> krb5_ccache_conf_data/fast_avail/krbtgt\/JOINSG.NET\@JOINSG.NET@X-CACHECONF: from KEYRING:persistent:0:0
[5849] 1412384840.653555: Storing admin@JOINSG.NET -> krb5_ccache_conf_data/fast_avail/krbtgt\/JOINSG.NET\@JOINSG.NET@X-CACHECONF: in KEYRING:persistent:0:0
[5849] 1412384840.653576: Storing config in KEYRING:persistent:0:0 for krbtgt/JOINSG.NET@JOINSG.NET: pa_type: 2
[5849] 1412384840.653584: Removing admin@JOINSG.NET -> krb5_ccache_conf_data/pa_type/krbtgt\/JOINSG.NET\@JOINSG.NET@X-CACHECONF: from KEYRING:persistent:0:0
[5849] 1412384840.653588: Storing admin@JOINSG.NET -> krb5_ccache_conf_data/pa_type/krbtgt\/JOINSG.NET\@JOINSG.NET@X-CACHECONF: in KEYRING:persistent:0:0
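
One way to measure where the time goes in a trace like the one above, as an added example that is not part of the original post: the script parses KRB5_TRACE output, reports how long each KDC request took and whether the client fell back from UDP to TCP, and leaves out the time spent at the password prompt. The sample input is constructed from lines of the trace in the question; the function names are illustrative.

```python
import re
# Constructed sample: a subset of lines copied from the kinit trace in the question.
SAMPLE_TRACE = """\
[5849] 1412384797.192393: Sending initial UDP request to dgram 173.234.61.206:88
[5849] 1412384797.196589: Received answer from dgram 173.234.61.206:88
Password for admin@JOINSG.NET:
[5849] 1412384838.573302: AS key obtained for encrypted timestamp: aes256-cts/1A3C
[5849] 1412384838.574423: Sending initial UDP request to dgram 173.234.61.206:88
[5849] 1412384839.577042: Initiating TCP connection to stream 173.234.61.206:88
[5849] 1412384840.653095: Received answer from dgram 173.234.61.206:88
"""

LINE_RE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")

def parse_trace(text):
    """Yield (timestamp, message, after_prompt); after_prompt marks the first
    timestamped line following a password prompt (human typing, not KDC time)."""
    after_prompt = False
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            after_prompt = after_prompt or line.startswith("Password for")
            continue
        yield float(m.group(2)), m.group(3), after_prompt
        after_prompt = False

def kdc_round_trips(text):
    """One dict per KDC request: seconds until the answer, and whether TCP fallback occurred."""
    trips, sent_at, fallback = [], None, False
    for ts, msg, _ in parse_trace(text):
        if msg.startswith("Sending initial UDP request"):
            sent_at, fallback = ts, False
        elif msg.startswith("Initiating TCP connection") and sent_at is not None:
            fallback = True
        elif msg.startswith("Received answer") and sent_at is not None:
            trips.append({"seconds": round(ts - sent_at, 3), "tcp_fallback": fallback})
            sent_at = None
    return trips

def slow_gaps(text, threshold=0.5):
    """Return (gap_seconds, message) for non-interactive gaps longer than threshold."""
    gaps, prev = [], None
    for ts, msg, after_prompt in parse_trace(text):
        if prev is not None and not after_prompt and ts - prev > threshold:
            gaps.append((round(ts - prev, 3), msg))
        prev = ts
    return gaps

if __name__ == "__main__":
    print(kdc_round_trips(SAMPLE_TRACE), slow_gaps(SAMPLE_TRACE))
```

On the sample, the first request is answered in about 4 ms, while the second waits about one second on UDP, opens a TCP connection, and is answered about 2.08 seconds after it was sent.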

      
