Re: [Freeipa-users] On Load Balancers and Kerberos
On 04/05/2015 11:55 AM, Simo Sorce wrote:
> I wrote a blog post to clarify a little bit how load balancers and Kerberos interact:
> https://ssimo.org/blog/id_019.html
>
> HTH,
> Simo.

Nice article! Thanks for clarifying it.

However, the proxy case also has another option that is not mentioned. The proxy can terminate the connection but can use S4U2Proxy to connect to the real servers. Of course this would mean that the LB can impersonate anyone (which is definitely not good), but most of the solutions in the list, except for aliasing, have significant security implications, so it might make sense to mention this one too.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] multihome - single interface?
On 04/05/2015 12:51 PM, Janelle wrote:
> Hello,
>
> Trying to find a way on a multi-homed server to force IPA and its related apps to listen on a specific interface. I can find all kinds of info saying "the services listen on all interfaces by default" so there must be a way?
>
> Thank you
> ~J

Sounds familiar. I think there is a ticket open for that.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)
On 04/05/2015 12:10 AM, Dan Mossor wrote:
> I've recently deployed a new domain based on 4.1.2 in F21. We've noticed an issue and can't quite seem to nail it down. The problem is that logins are taking an inordinate amount of time to complete - the fastest logon we can get using LDAP credentials is 8 seconds. During our testing, even logons to the IPA server itself took over 30 seconds to complete.
>
> I've narrowed this down to sssd, but that is as far as I can get. When cranking up debugging for sshd and PAM, I see a minimum 2 second delay between ssh handing off the authentication request to sssd and the reply back. The only troubleshooting I've done is with ssh, but the area that causes the most grief is Apache logins. We configured Apache to use PAM for auth through IPA, vice directly calling IPA itself. Logging in to our Redmine site takes users a minimum of 34 seconds to complete. Following this, a simple webpage containing two hyperlinks and two small thumbnail images takes over a minute to load on a gigabit network.
>
> The *only* thing changed in this environment was the IPA server. We moved the Redmine from our old network that was using IPA 3.x (F20 branch) to the new one. My initial reaction was that it was the VM that was hosting Redmine, but we've run these tests against bare metal machines in the same network and have the same issue. It appears that sssd is taking a very, very long time to talk to FreeIPA - even on the IPA server itself.
>
> However, Kerberos logins into the IPA web GUI are near instantaneous, while Username/Password logins take more than a few seconds.
>
> I need to get this solved. My developers don't appreciate the glory days of XP taking 5 minutes to log into an IIS 2.1 web server on the local network. I don't have the budget to keep them at the coffee pot waiting on the network. So, what further information do you need from me to track this one down?
>
> Dan

Several tips.

Please check your DNS configuration. Such a delay is usually caused by DNS lookups timing out. That means that the servers are probably trying to resolve names against an old DNS server that is not around. Look at resolv.conf and make sure only valid DNS servers are there and that they are in the proper order.

If this does not help, please turn on SSSD debug_level to 10, sanitize and send the SSSD domain logs and sssd.conf to the list.

More hints can be found here: https://fedorahosted.org/sssd/wiki/Troubleshooting

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
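To make the check Dmitri suggests concrete, here is an added example (not code from the thread or from the FreeIPA/SSSD projects) that walks the nameservers of a resolv.conf in the order the glibc resolver uses them, sends each one a raw DNS A query with the configured timeout, and estimates how long every lookup stalls when a dead server is listed ahead of a live one. The resolv.conf contents, the 192.0.2.x addresses and the name ipa.example.test are constructed placeholders; the stall estimate is a first-order approximation that ignores glibc's retry backoff and the `rotate` option.

```python
"""Probe the nameservers of a resolv.conf in order and flag the ones that time out."""
import socket
import struct
import time

# Constructed sample (assumption, not from the thread): a decommissioned DNS
# server is still listed first, the IPA server second.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.test
nameserver 192.0.2.10
nameserver 192.0.2.20
options timeout:5 attempts:2
"""

DEFAULT_TIMEOUT = 5   # glibc RES_TIMEOUT (seconds per server per attempt)
DEFAULT_ATTEMPTS = 2  # glibc RES_DFLRETRY


def parse_resolv_conf(text):
    """Return (nameservers in listed order, timeout, attempts)."""
    servers = []
    timeout, attempts = DEFAULT_TIMEOUT, DEFAULT_ATTEMPTS
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            servers.append(fields[1])
        elif fields[0] == "options":
            for opt in fields[1:]:
                key, _, val = opt.partition(":")
                if key == "timeout" and val.isdigit():
                    timeout = int(val)
                elif key == "attempts" and val.isdigit():
                    attempts = int(val)
    return servers, timeout, attempts


def build_query(name, txid=0x1234):
    """Build a minimal RFC 1035 wire-format A query for `name` (RD bit set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def probe(server, name, timeout):
    """Send one query over UDP/53; return round-trip seconds, or None on timeout."""
    query = build_query(name)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(512)
        if reply[:2] != query[:2]:  # transaction id mismatch: not our answer
            return None
        return time.monotonic() - start
    except (socket.timeout, OSError):
        return None
    finally:
        sock.close()


def dead_before_first_live(results):
    """Count unresponsive servers listed ahead of the first responsive one."""
    dead = 0
    for rtt in results:
        if rtt is not None:
            break
        dead += 1
    return dead


def estimate_stall(results, timeout, attempts):
    """Approximate seconds each lookup waits before a live server answers."""
    dead = dead_before_first_live(results)
    if dead == len(results):  # nobody answers: every attempt walks the whole list
        return len(results) * timeout * attempts
    return dead * timeout


if __name__ == "__main__":
    servers, timeout, attempts = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    results = [probe(s, "ipa.example.test", timeout) for s in servers]
    for server, rtt in zip(servers, results):
        print(f"{server}: {'TIMEOUT' if rtt is None else f'{rtt * 1000:.1f} ms'}")
    print(f"estimated stall per lookup: {estimate_stall(results, timeout, attempts)} s")
```

Run it on the real file with `parse_resolv_conf(open("/etc/resolv.conf").read())`; a single dead server at the top of the list already accounts for a multi-second stall on every uncached lookup, which is exactly the per-login delay the thread describes.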
[Freeipa-users] multihome - single interface?
Hello,

Trying to find a way on a multi-homed server to force IPA and its related apps to listen on a specific interface. I can find all kinds of info saying "the services listen on all interfaces by default" so there must be a way?

Thank you
~J
[Freeipa-users] On Load Balancers and Kerberos
I wrote a blog post to clarify a little bit how load balancers and Kerberos interact:
https://ssimo.org/blog/id_019.html

HTH,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)
On 05.04.2015 at 06:10, Dan Mossor wrote:
> I've recently deployed a new domain based on 4.1.2 in F21. We've noticed an issue and can't quite seem to nail it down. The problem is that logins are taking an inordinate amount of time to complete - the fastest logon we can get using LDAP credentials is 8 seconds. During our testing, even logons to the IPA server itself took over 30 seconds to complete.
>
> I've narrowed this down to sssd, but that is as far as I can get. When cranking up debugging for sshd and PAM, I see a minimum 2 second delay between ssh handing off the authentication request to sssd and the reply back. The only troubleshooting I've done is with ssh, but the area that causes the most grief is Apache logins. We configured Apache to use PAM for auth through IPA, vice directly calling IPA itself. Logging in to our Redmine site takes users a minimum of 34 seconds to complete. Following this, a simple webpage containing two hyperlinks and two small thumbnail images takes over a minute to load on a gigabit network.
>
> The *only* thing changed in this environment was the IPA server. We moved the Redmine from our old network that was using IPA 3.x (F20 branch) to the new one. My initial reaction was that it was the VM that was hosting Redmine, but we've run these tests against bare metal machines in the same network and have the same issue. It appears that sssd is taking a very, very long time to talk to FreeIPA - even on the IPA server itself.
>
> However, Kerberos logins into the IPA web GUI are near instantaneous, while Username/Password logins take more than a few seconds.
>
> I need to get this solved. My developers don't appreciate the glory days of XP taking 5 minutes to log into an IIS 2.1 web server on the local network. I don't have the budget to keep them at the coffee pot waiting on the network. So, what further information do you need from me to track this one down?
>
> Dan

Hello,

I have a similar issue. On login (graphical systems and ssh) and on the screen saver I have a delay of about 2 seconds to 10 seconds.

According to my logfile I have the following timeline at login (the first column is the number of seconds after the first action):

0 pam_unix (auth)
3 pam_sss (auth)
3 pam_kwallet (sddm:auth)
4 pam_kwallet (sddm:setcred)
5 pam_unix (session)

On my old server I had a pure Kerberos (handmade) system, which reacted almost instantly.

Regards
Martin
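As an added example (not code from Martin, Dan or the FreeIPA project), the per-module timeline Martin extracted by hand can be produced from a journal or /var/log/secure excerpt automatically, which is the quickest way to see which PAM module is the one waiting on SSSD. The five log lines are constructed to reproduce the 0/3/3/4/5 second offsets from his message; the host name kde1, the PID and the user name martin are placeholders, and the message bodies follow the standard `pam_module(service:phase): ...` logging format.

```python
"""Turn PAM log lines into a per-module timeline and find the slowest step."""
import re
from datetime import datetime

# Constructed sample (assumption, not Martin's real log): a KDE/sddm login
# where pam_sss takes three seconds to answer, everything else is instant.
SAMPLE_LOG = """\
Apr 05 10:00:00 kde1 sddm-helper[2345]: pam_unix(sddm:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=martin
Apr 05 10:00:03 kde1 sddm-helper[2345]: pam_sss(sddm:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=martin
Apr 05 10:00:03 kde1 sddm-helper[2345]: pam_kwallet(sddm:auth): pam_sm_authenticate
Apr 05 10:00:04 kde1 sddm-helper[2345]: pam_kwallet(sddm:setcred): pam_sm_setcred
Apr 05 10:00:05 kde1 sddm-helper[2345]: pam_unix(sddm:session): session opened for user martin by (uid=0)
"""

# syslog-style timestamp, host, process[pid]:, then "pam_xxx(service:phase)"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+: "
    r"(?P<module>pam_\w+)\((?P<service>[^:]+):(?P<phase>\w+)\)"
)


def parse_pam_timeline(text):
    """Return one dict per PAM log line with offset from the first event and
    delta from the previous event, both in seconds."""
    events = []
    first = prev = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a PAM line (e.g. sshd or sssd chatter)
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        if first is None:
            first = prev = ts
        events.append({
            "offset": (ts - first).total_seconds(),
            "delta": (ts - prev).total_seconds(),
            "module": m.group("module"),
            "service": m.group("service"),
            "phase": m.group("phase"),
        })
        prev = ts
    return events


def format_timeline(events):
    """Render events in the same shape Martin used: '<seconds> <module> (<phase>)'."""
    return [f"{int(e['offset'])} {e['module']} ({e['phase']})" for e in events]


def slowest_step(events):
    """The event whose wait since the previous PAM event was the longest."""
    return max(events, key=lambda e: e["delta"]) if events else None


if __name__ == "__main__":
    timeline = parse_pam_timeline(SAMPLE_LOG)
    print("\n".join(format_timeline(timeline)))
    worst = slowest_step(timeline)
    print(f"slowest step: {worst['module']} ({worst['phase']}), {worst['delta']:.0f} s")
```

Feed it `journalctl -o short` output (or /var/log/secure) for one login; the step with the largest delta is the module to look at, and when that step is pam_sss, the next thing to check is the DNS and SSSD configuration from Dmitri's reply earlier in this thread.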