+Ovirt users mailing list - might find this interesting. Quick background: IPA server with cross-forest trust to Windows domain. Authenticating to Linux clients with domain kerberos credentials.

I'm hosting CentOS 6.5 as an oVirt guest, and have narrowed this IPA client slow-login issue down to a backend storage cause. If I enable async writes to NFS, the CentOS guest performs on login as my workstation's VirtualBox guests (Ubuntu 13.10/Fedora 20) do (quick logins).

The client we are investigating is a CentOS 6.5 machine. I've also done the same test on a RHEL 6.5 machine with the same results. I've increased the logging level, log attached. I don't see the DC in the logs anywhere.

I guess from an IPA perspective there is not much to be done, but I wanted to make sure this thread came to some conclusion for future readers. I suppose the only thing to question is why IPA authentication would have any reliance on disk read/write speed to this extent. Perhaps we are caching something to disk that should be cached in memory?


Steve Dainard 
IT Infrastructure Manager
Miovision | Rethink Traffic


Miovision Technologies Inc. | 148 Manitou Drive, Suite 101, Kitchener, ON, Canada | N2C 1L3


On Wed, Feb 12, 2014 at 7:02 AM, Sumit Bose <sbose@redhat.com> wrote:
On Mon, Feb 10, 2014 at 02:08:22PM -0500, Steve Dainard wrote:
> Sure:
>

...

> (0x0400): Attempting kinit for realm [MIOVISION.CORP]
> (Mon Feb 10 10:14:58 2014) [[sssd[krb5_child[9879]]]] [validate_tgt]
> (0x0400): TGT verified using key for
> [host/snapshot-test.miolinux.corp@MIOLINUX.CORP].
> (Mon Feb 10 10:15:06 2014) [[sssd[krb5_child[9879]]]] [become_user]
> (0x0200): Trying to become user [799001323][799001323].

...

> (0x0400): Attempting kinit for realm [MIOVISION.CORP]
> (Mon Feb 10 10:16:35 2014) [[sssd[krb5_child[9929]]]] [validate_tgt]
> (0x0400): TGT verified using key for
> [host/snapshot-test.miolinux.corp@MIOLINUX.CORP].
> (Mon Feb 10 10:16:40 2014) [[sssd[krb5_child[9929]]]] [become_user]
> (0x0200): Trying to become user [799001323][799001323].

...

> (0x0400): Attempting kinit for realm [MIOVISION.CORP]
> (Mon Feb 10 10:16:57 2014) [[sssd[krb5_child[9960]]]] [validate_tgt]
> (0x0400): TGT verified using key for
> [host/snapshot-test.miolinux.corp@MIOLINUX.CORP].
> (Mon Feb 10 10:17:01 2014) [[sssd[krb5_child[9960]]]] [become_user]
> (0x0200): Trying to become user [799001323][799001323].

...

> (0x0400): Attempting kinit for realm [MIOVISION.CORP]
> (Mon Feb 10 10:17:30 2014) [[sssd[krb5_child[10018]]]] [validate_tgt]
> (0x0400): TGT verified using key for
> [host/snapshot-test.miolinux.corp@MIOLINUX.CORP].
> (Mon Feb 10 10:17:34 2014) [[sssd[krb5_child[10018]]]] [become_user]
> (0x0200): Trying to become user [799001323][799001323].

As you can see, the time is spent validating the ticket. For a user from
a trusted domain this includes a request for a cross-realm TGT to an AD
server and then a request to an IPA KDC for a service ticket for the
local host. With debug_level 9 and higher the libkrb5 tracing is
switched on, which would show in more detail where the time is lost. It
will also show which AD server is contacted.

You mentioned in your other mail that with a different client the logins
are faster. Are the two clients in the same network segment? Or is there
a chance that the other client is "nearer" to the AD server?

bye,
Sumit
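Sumit's advice above is to raise debug_level and see where the time goes. As an added example that is not part of the original thread, here is a small Python script that does that arithmetic on a krb5_child.log: it groups entries by krb5_child pid (one child per login attempt) and reports the seconds between consecutive log statements, so the largest gap points at the step the child was blocked in (a KDC round trip, or disk I/O as Steve suspects). The sample log embedded in it is reconstructed from the four logins quoted above (the real log writes each entry on one line; the mail client wrapped them), so the pids, function names and timestamps are the page's own; the "..." separator line is kept to show that non-matching lines are skipped.

```python
"""Measure where login time goes in an sssd krb5_child.log (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# One complete krb5_child entry, e.g.
# (Mon Feb 10 10:14:58 2014) [[sssd[krb5_child[9879]]]] [validate_tgt] (0x0400): TGT verified ...
LINE_RE = re.compile(
    r"^\((?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\) "
    r"\[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

# Sample input: the four logins quoted in the thread, unwrapped to one line each.
# The "..." line mimics the elided parts of the mail and must be ignored.
SAMPLE_LOG = """\
(Mon Feb 10 10:14:58 2014) [[sssd[krb5_child[9879]]]] [validate_tgt] (0x0400): TGT verified using key for [host/snapshot-test.miolinux.corp@MIOLINUX.CORP].
(Mon Feb 10 10:15:06 2014) [[sssd[krb5_child[9879]]]] [become_user] (0x0200): Trying to become user [799001323][799001323].
...
(Mon Feb 10 10:16:35 2014) [[sssd[krb5_child[9929]]]] [validate_tgt] (0x0400): TGT verified using key for [host/snapshot-test.miolinux.corp@MIOLINUX.CORP].
(Mon Feb 10 10:16:40 2014) [[sssd[krb5_child[9929]]]] [become_user] (0x0200): Trying to become user [799001323][799001323].
...
(Mon Feb 10 10:16:57 2014) [[sssd[krb5_child[9960]]]] [validate_tgt] (0x0400): TGT verified using key for [host/snapshot-test.miolinux.corp@MIOLINUX.CORP].
(Mon Feb 10 10:17:01 2014) [[sssd[krb5_child[9960]]]] [become_user] (0x0200): Trying to become user [799001323][799001323].
...
(Mon Feb 10 10:17:30 2014) [[sssd[krb5_child[10018]]]] [validate_tgt] (0x0400): TGT verified using key for [host/snapshot-test.miolinux.corp@MIOLINUX.CORP].
(Mon Feb 10 10:17:34 2014) [[sssd[krb5_child[10018]]]] [become_user] (0x0200): Trying to become user [799001323][799001323].
"""


def parse_events(text):
    """Group (timestamp, function, message) per krb5_child pid.

    Lines that are not krb5_child entries (other sssd processes, wrapped
    continuations, separators) are skipped rather than treated as errors.
    """
    events = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        events[m["pid"]].append((ts, m["func"], m["msg"]))
    return dict(events)


def gaps(events):
    """Per pid, seconds elapsed between each pair of consecutive entries.

    Each gap is labelled 'from_func->to_func': the child spent that time in
    the code between those two log statements. With debug_level 9 the
    libkrb5 trace lines land in between and narrow the gap down further.
    """
    result = {}
    for pid, evs in events.items():
        evs = sorted(evs, key=lambda e: e[0])
        result[pid] = [
            (f"{f0}->{f1}", (t1 - t0).total_seconds())
            for (t0, f0, _), (t1, f1, _) in zip(evs, evs[1:])
        ]
    return result


def slowest(gap_table):
    """Return (pid, label, seconds) for the single largest gap in the log."""
    return max(
        ((pid, label, secs) for pid, g in gap_table.items() for label, secs in g),
        key=lambda x: x[2],
    )


def per_login_seconds(gap_table):
    """Total seconds covered by each krb5_child, i.e. roughly per login attempt."""
    return {pid: sum(secs for _, secs in g) for pid, g in gap_table.items()}


if __name__ == "__main__":
    # Usage on a real host: python3 this.py < /var/log/sssd/krb5_child.log
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    table = gaps(parse_events(text))
    for pid, g in table.items():
        for label, secs in g:
            print(f"pid {pid}: {secs:5.1f}s {label}")
    print("slowest:", slowest(table))
```

Run against the sample, every login shows its 4 to 8 seconds between validate_tgt and become_user and nothing else, which is the same picture Sumit draws from the raw log; on a real krb5_child.log at debug_level 9 the libkrb5 trace entries split that interval into the cross-realm TGT request, the local service-ticket request and the credential-cache write, so the slowest label names the actual culprit.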