[Freeipa-users] ipa-server-install --external-cert-file and exporting dogtag certificates

2016-07-30 Thread Richard Harmonson
I am having challenges resuming ipa-server-install --external-ca. I am
reasonably confident I am not providing the right certificate and/or format
from my off-line root CA using 389 and Dogtag.

Does anyone have instructions on how to accomplish the task of exporting
the correct certificates in the expected format?

Thank you.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] sssd shows deleted users as well

2016-07-30 Thread Rakesh Rajasekharan
Thanks Jan.. I will give that a try.

On Fri, Jul 29, 2016 at 7:05 PM, Jan Pazdziora wrote:

> On Fri, Jul 22, 2016 at 06:17:32PM +0530, Rakesh Rajasekharan wrote:
> > My specific requirement for having "enumerate=TRUE" was , we have a build
> > server with the jenkins set up.
> > And for authentication jenkins tries to get the localusers on the system.
> >
> > I should be able to get through that by configuring Jenkins to use LDAP
> > instead of the local users.
>
> Alternatively you could use Apache HTTP frontend for authentication
> per
>
>
> https://wiki.jenkins-ci.org/display/JENKINS/Apache+frontend+for+security
>
> and use for example mod_authnz_pam configured with PAM service
> that pam_sss.so / SSSD will handle.
>
> --
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red Hat
>

Re: [Freeipa-users] slow login with freeipa 4.2.0

2016-07-30 Thread Rakesh Rajasekharan
Thanks Jakub for the detailed analysis... with those inputs, I was able to
nail down the issue.

I had migrated this host from openldap to freeipa.. However, the nslcd daemon
was still running and the syslog pointed me to the error "unable to contact
the earlier openldap server" and it spent some time there...

So, I stopped nslcd and now logins have improved drastically to around 5s.

date;ssh testuser@localhost
Sat Jul 30 08:09:13 UTC 2016
testuser@localhost's password:
Last login: Sat Jul 30 08:08:55 2016 from 127.0.0.1
[p-rakeshpillai@prod1-admintools-1c :~] date
Sat Jul 30 08:09:18 UTC 2016


For the ipa_hostname entry in sssd.conf, that gets auto-populated every
time I run ipa-client-install.

I run the below command to set up the IPA client:

ipa-client-install --domain=xyz.xom --server=ipa-master-int.xyz.xom
--realm=xyz.xom -p admin --password=mypass --mkhomedir --hostname=10.65.16.4
--no-ssh --no-sshd -N -f -U

Notice that in the hostname argument I am passing the IP address. Hope
that's fine; it's actually working fine on around 2000+ servers in my
environment.

I had earlier tried with servername.domain (qa-test1.yyz.com as the
hostname) and my server's hostname would get changed to qa-test1.yyz.com.
However, we do our deployments on glassfish and glassfish somehow started
having issues every time we restart glassfish (not an expert with glassfish),
so not sure what's wrong there.

With this approach, my hostname is now my IP address and things are
working fine on both the glassfish and IPA side.
But I just want to confirm it's ok to do that.


Thanks,
Rakesh

On Fri, Jul 29, 2016 at 5:10 PM, Jakub Hrozek wrote:

> On Tue, Jul 26, 2016 at 06:07:10PM +0530, Rakesh Rajasekharan wrote:
> > > Any chance that it's running on a VM? If so, check your entropy:
> >
> > > cat /proc/sys/kernel/random/entropy_avail
> >
> > > If it's low (like < 1k), install haveged.
> >
> > this indeed is vm , am running it on azure . However, I have a similar
> > set up running on aws which works completely fine
>
> Sorry about the delay in replying..
>
> >
> > The entropy was low, around 180, I installed haveged and now its above 3k
> > cat /proc/sys/kernel/random/entropy_avail
> > 3178
> >
> > The timing though is still the same around 19s
>
> I have some comments inline about the config and logs.
>
> >
> > @jakub, i am reattaching the logs.
> >
> > The dns resolution seems fast when I check using dig
> >
> > below is my sssd.conf
> > [domain/xyz.com]
> > selinux_provider=none
> > krb5_auth_timeout = 20
> > cache_credentials = True
> > krb5_store_password_if_offline = True
> > ipa_domain = xyz.com
> > id_provider = ipa
> > auth_provider = ipa
> > access_provider = ipa
> > ldap_tls_cacert = /etc/ipa/ca.crt
> > ipa_hostname = 10.65.16.4
>
> The ipa_hostname value is wrong. It's meant for systems where hostname
> reports a different name than the name the host is registered as
> in IPA. Including an IP address there doesn't make much sense.
>
> > chpass_provider = ipa
> > ipa_server = ipa-master-in.xyz.com
> > dns_discovery_domain = xyz.com
> > ignore_group_members=True
> > ldap_purge_cache_timeout = 0
> > debug_level=8
> > [sssd]
> > services = nss, sudo, pam, ssh
> > config_file_version = 2
> >
> > domains = xyz.com
> > [nss]
> > homedir_substring = /home
> >
> > [pam]
> > pam_id_timeout = 3
> >
> > [sudo]
> >
> > [autofs]
> >
> > [ssh]
> >
> > [pac]
> >
> > [ifp]
> >
> >
> >
> > And here is the login times and logs
> >
> > [root@ipa-client-1 :~] date;ssh testuser@localhost
> > Tue Jul 26 12:06:37 UTC 2016
> > testuser@localhost's password:
> > Last login: Tue Jul 26 12:03:53 2016 from 127.0.0.1
> > [testuser@ipa-client-1 :~] date
> > Tue Jul 26 12:06:55 UTC 2016
> >
> >
> > sssd_domain logs
> >
> > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sbus_message_handler]
> > (0x2000): Received SBUS method
> > org.freedesktop.sssd.dataprovider.getAccountInfo on path
> > /org/freedesktop/sssd/dataprovider
> > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send]
> > (0x2000): Not a sysbus message, quit
> > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [be_get_account_info]
> > (0x0200): Got request for [0x3][1][name=testuser]
> > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [be_req_set_domain]
> > (0x0400): Changing request domain from [xyz.com] to [xyz.com]
> > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]]
> > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> > domain SID from [(null)]
> > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]]
> > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> > domain SID from [(null)]
> > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]]
> > [sdap_get_initgr_next_base]
> > (0x0400): Searching for users with base [cn=accounts,dc=xyz,dc=com]
>
> --> A request for user's groups arrived.
>
> > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_print_server]
> > (0x2000): Searching 10.65.16.4
> > (Tue Jul 26 12:06:40 2016) [sssd[be[
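The misconfiguration Jakub points out above (ipa_hostname carrying an IP literal rather than the FQDN the host is enrolled under) is easy to catch mechanically. The following checker is an added example, not code from the thread or from SSSD; the embedded sssd.conf is a constructed sample modelled on the one quoted, and the FQDN regex is a heuristic.

```python
"""Flag ipa_hostname values in sssd.conf that are IP literals or not fully qualified."""
import configparser
import ipaddress
import re

# Constructed sample mirroring the config quoted in the thread (not a real host).
SAMPLE_SSSD_CONF = """\
[domain/xyz.com]
id_provider = ipa
ipa_domain = xyz.com
ipa_server = ipa-master-in.xyz.com
ipa_hostname = 10.65.16.4
[sssd]
services = nss, sudo, pam, ssh
domains = xyz.com
"""

# Heuristic: at least one dotted label plus a TLD-like final label, 253 chars max.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$", re.I
)


def is_ip_literal(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_ipa_hostname(conf_text):
    """Return (section, value, reason) findings for every IPA domain section.

    An empty list means every ipa_hostname present looks like an enrolled FQDN.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "id_provider", fallback="") != "ipa":
            continue
        value = cp.get(section, "ipa_hostname", fallback=None)
        if value is None:
            continue  # SSSD falls back to the system hostname; nothing to flag
        if is_ip_literal(value):
            findings.append((section, value, "ipa_hostname is an IP literal; expected the enrolled FQDN"))
        elif not FQDN_RE.match(value):
            findings.append((section, value, "ipa_hostname is not a fully qualified hostname"))
    return findings
```

Run it against /etc/sssd/sssd.conf on a client; a single finding for 10.65.16.4 reproduces the case from this thread, and replacing it with the enrolled FQDN clears it.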