On Mon, Aug 17, 2015 at 09:57:00AM +0200, seli irithyl wrote:
> Hi John, Jakub,
>
> I added "selinux_provider = none" to the sssd.conf (as recommended by john)
> and then restarted the service .... and it seems to solve the problem
> (almost) !!!
> John, thank you very much for suggesting this option.
> Logins are near as fast as when using local users.
> What are the consequences when I add this line concerning security ?

The SELinux usermap set on the IPA server would not be reflected on the
IPA client.

> Jakub, you're talking about a bug, is there a patch to remove it or do I
> have to wait for an sssd/ipa upgrade ?

I don't follow, there is a bug in the code, so yes, it needs to be fixed
by SSSD update. The bug was fixed in 6.7 already:
    https://bugzilla.redhat.com/show_bug.cgi?id=1211728
but in the RHEL-7 stream, it's so far only planned for 7.2:
    https://bugzilla.redhat.com/show_bug.cgi?id=1210854

Feel free to raise the RHEL-7 bug with RH support if you need it
released sooner.

> Maybe I'll try to understand why is it complaining "Could not parse domain
> SID from [(null)]" and looking for groups that do not exist in the ldap
> database.

That's fine, we should probably fix the debug message, but it's expected
that IPA users don't have a SID.

> Anyway, thanks a lot for your time and help !
>
>
> seli
>
> On Sun, Aug 16, 2015 at 6:09 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>
> >
> > > On 13 Aug 2015, at 22:57, John Obaterspok <john.obaters...@gmail.com> wrote:
> > >
> > > Hi Seli,
> > >
> > > In /etc/sssd/sssd.conf add below:
> > > selinux_provider=none
> >
> > Hmm, good idea. I forgot the version OP was using, but yet -- at one point
> > we had a bug where the selinux_child would be invoked even if the context
> > didn't change which would be slow. We fixed that error since, but chances
> > are Seli is still running the affected version.
> >
> > > to the domain section. Then restart sssd.
> > >
> > > -- john
> > >
> > >
> > > 2015-08-13 16:23 GMT+02:00 seli irithyl <seli.irit...@gmail.com>:
> > > Here's the sssd_domain log part during an ssh
> > >
> > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=test]
> > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [be_req_set_domain] (0x0400): Changing request domain from [bioinf.local] to [bioinf.local]
> > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=bioinf,dc=local]
> > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=test)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=bioinf,dc=local].
> > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Save user
> > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test
> > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Processing user test
> > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [test].
> > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Adding user principal [test@BIOINF.LOCAL] to attributes of [test].
> > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_save_user] (0x0400): Storing info for user test
> > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test
> > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
> > > (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=bioinf,dc=local].
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=bioinfo,cn=groups,cn=accounts,dc=bioinf,dc=local].
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object ipausers
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object bioinfo
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=bioinf,dc=local]
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=1713400050)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=bioinf,dc=local].
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_group] (0x0400): Processing group test
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_process_ghost_members] (0x0400): The group has 0 members
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_process_ghost_members] (0x0400): Group has 0 members
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_group] (0x0400): Storing info for group test
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_primary_name] (0x0400): Processing object test
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_grpmem] (0x0400): Processing group test
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_grpmem] (0x0400): Failed to get group sid
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_grpmem] (0x0400): No members for group [test]
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:bioinf.local:52e6beb4-158e-11e5-b14d-000af77e6812))][cn=Default Trust View,cn=views,cn=accounts,dc=bioinf,dc=local].
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: No such object(32), no errmsg set
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [be_req_set_domain] (0x0400): Changing request domain from [bioinf.local] to [bioinf.local]
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [be_pam_handler] (0x0100): Got request with the following data
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): domain: bioinf.local
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): user: test
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): service: sshd
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): tty: ssh
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): ruser:
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): rhost: copper.bioinf.local
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): authtok type: 0
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): newauthtok type: 0
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): priv: 1
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): cli_pid: 44307
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): logon name: not set
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_access_send] (0x0400): Performing access check for user [test]
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [test]
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=lead.bioinf.local))][cn=accounts,dc=bioinf,dc=local].
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn=lead.bioinf.local,cn=computers,cn=accounts,dc=bioinf,dc=local] using OpenLDAP deref
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][fqdn=lead.bioinf.local,cn=computers,cn=accounts,dc=bioinf,dc=local].
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_hbac_service_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=bioinf,dc=local][2][(objectClass=ipaHBACService)]
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACService)][cn=hbac,dc=bioinf,dc=local].
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=bioinf,dc=local][2][(objectClass=ipaHBACServiceGroup)]
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=bioinf,dc=local].
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=bioinf,dc=local][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=lead.bioinf.local,cn=computers,cn=accounts,dc=bioinf,dc=local)))]
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=lead.bioinf.local,cn=computers,cn=accounts,dc=bioinf,dc=local)))][cn=hbac,dc=bioinf,dc=local].
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [hbac_get_category] (0x0200): Category is set to 'all'.
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [hbac_get_category] (0x0200): Category is set to 'all'.
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [hbac_get_category] (0x0200): Category is set to 'all'.
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [allow_all]
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_all]
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=bioinf,dc=local].
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_selinux_get_maps_next] (0x0400): Trying to fetch SELinux maps with following parameters: [2][(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=bioinf,dc=local]
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=bioinf,dc=local].
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [write_pipe_handler] (0x0400): All data has been sent!
> > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [child_sig_handler] (0x0100): child [44309] finished successfully.
> > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [read_pipe_handler] (0x0400): EOF received, client finished
> > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
> > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler_callback] (0x0100): Sending result [0][bioinf.local]
> > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler_callback] (0x0100): Sent result [0][bioinf.local]
> > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_req_set_domain] (0x0400): Changing request domain from [bioinf.local] to [bioinf.local]
> > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler] (0x0100): Got request with the following data
> > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION
> > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): domain: bioinf.local
> > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): user: test
> > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): service: sshd
> > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): tty: ssh
> > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): ruser:
> > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): rhost: copper.bioinf.local
> > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): authtok type: 0
> > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): newauthtok type: 0
> > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): priv: 1
> > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): cli_pid: 44307
> > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data] (0x0100): logon name: not set
> > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [be_pam_handler] (0x0100): Sending result [0][bioinf.local]
> > >
> > > why is there such message : Could not parse domain SID from [(null)] ? I thought SID was related to AD ?
> > > Is it normal that:
> > > some messages seems duplicated ?
> > > SELinux user maps were not found ?
> > >
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [sdap_save_grpmem] (0x0400): No members for group [test]
> > > Looking in the UI, the "test" group does not exist
> > > Moreover the "trust admins" and "ipausers" dont have GID
> > >
> > > Thanks for all
> > >
> > > On Thu, Aug 13, 2015 at 1:05 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> > > On Thu, Aug 13, 2015 at 12:12:03PM +0200, seli irithyl wrote:
> > > > In the logs, there is lots of warnings concerning pki tomcat server :
> > > >
> > > > May this be related to my slow login problem ?
> > >
> > > I don't think so. You really need to look into the sssd domain log,
> > > check what requests (getAccountInfo) take the longest.
> > >
> > > --
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go to http://freeipa.org for more info on the project
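
Jakub's advice in the thread (look into the sssd domain log and check which step takes the longest) can be automated; the following is an added example, not code from the thread or from SSSD. It parses entries in the log format quoted above, including the mail-wrapped form with `>` markers, and reports the pauses between consecutive entries. The names `parse_entries` and `slowest_gaps` are this example's own, and the sample is an excerpt of lines copied from the log quoted in the thread.

```python
import re
from datetime import datetime
from typing import List, NamedTuple, Optional

# Header format as seen in the thread:
# (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [func] (0x0400): message
TS = r"\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}"
START = re.compile(r"^\(" + TS + r"\) ")
ENTRY = re.compile(
    r"^\((?P<ts>" + TS + r")\) \[(?P<proc>.+?)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): ?(?P<msg>.*)$"
)
QUOTE = re.compile(r"^(?:>\s*)+")  # mail quote markers such as "> > > "


class Entry(NamedTuple):
    when: datetime
    func: str
    level: int
    msg: str


class Gap(NamedTuple):
    seconds: int
    before: Entry
    after: Entry
    pam_command: Optional[str]  # last PAM command logged before the pause


def parse_entries(text: str) -> List[Entry]:
    """Parse SSSD debug entries, re-joining lines that a mailer wrapped."""
    entries: List[Entry] = []
    pending: Optional[str] = None

    def flush() -> None:
        nonlocal pending
        m = ENTRY.match(pending) if pending else None
        if m:
            when = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            entries.append(Entry(when, m["func"], int(m["level"], 16), m["msg"]))
        pending = None

    for raw in text.splitlines():
        line = QUOTE.sub("", raw.strip()).strip()
        if not line:
            flush()                 # a blank line ends the current entry
        elif START.match(line):
            flush()
            pending = line          # a timestamp starts a new entry
        elif pending is not None:
            pending += " " + line   # continuation of a wrapped entry
    flush()
    return entries


def slowest_gaps(entries: List[Entry], min_seconds: int = 1) -> List[Gap]:
    """Return pauses of at least min_seconds, longest first.

    Timestamps have one-second resolution, so a reported gap of N seconds
    means the real pause was somewhere between N-1 and N+1 seconds.
    """
    gaps: List[Gap] = []
    command: Optional[str] = None
    for before, after in zip(entries, entries[1:]):
        if before.func == "pam_print_data" and before.msg.startswith("command: "):
            command = before.msg.split(": ", 1)[1]
        delta = int((after.when - before.when).total_seconds())
        if delta >= min_seconds:
            gaps.append(Gap(delta, before, after, command))
    return sorted(gaps, key=lambda g: g.seconds, reverse=True)


# Excerpt of the log quoted in the thread, kept in its mail-wrapped form.
SAMPLE = """\
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [pam_print_data]
> > (0x0100): command: PAM_ACCT_MGMT
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> > [ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> > errmsg set
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]]
> > [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!
> > > (Thu Aug 13 15:22:32 2015) [sssd[be[bioinf.local]]] [write_pipe_handler]
> > (0x0400): All data has been sent!
> > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [child_sig_handler]
> > (0x0100): child [44309] finished successfully.
> > > (Thu Aug 13 15:22:34 2015) [sssd[be[bioinf.local]]] [pam_print_data]
> > (0x0100): command: PAM_OPEN_SESSION
"""

if __name__ == "__main__":
    for gap in slowest_gaps(parse_entries(SAMPLE)):
        print(f"{gap.seconds}s during {gap.pam_command}: "
              f"{gap.before.func} -> {gap.after.func} ({gap.after.msg})")
```

On the excerpt, the only pause is the one between the data being written to the child process and that child finishing, right after the SELinux user map lookup during `PAM_ACCT_MGMT`.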