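We are currently using FreeIPA because it supports a centralized repository for our SSH public keys, which are the only thing allowed for logging in to our servers. We have installed a CentOS 7 machine (latest) with IPA 3.3.3 (from the default repo), and after installation the web UI is very slow.
After adding users and hosts, the slowness persists. Sometimes, when using the sudo command (the sudo rules are actually on the local machine), an LDAP timeout occurs. The web GUI is almost unusable.
We decided to try installing the latest Fedora 2x with IPA 4.0.1. After installation we noticed the web GUI was just as slow, and all the other problems matched our earlier experience. Several of us have used IPA 3.0 on CentOS 6.5 without problems. We would like to avoid going back that far, since the solution is surely to fix whatever we have messed up.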
Here is the output of KRB5_TRACE=/dev/stderr kinit admin:
auth-1 ~ # KRB5_TRACE=/dev/stderr kinit admin
[5849] 1412384797.188699: Getting initial credentials for admin@JOINSG.NET
[5849] 1412384797.191831: Sending request (161 bytes) to JOINSG.NET
[5849] 1412384797.192393: Sending initial UDP request to dgram 173.234.61.206:88
[5849] 1412384797.196589: Received answer from dgram 173.234.61.206:88
[5849] 1412384797.196894: Response was from master KDC
[5849] 1412384797.197091: Received error from KDC: -1765328359/Additional pre-authentication required
[5849] 1412384797.197213: Processing preauth types: 136, 19, 2, 133
[5849] 1412384797.197329: Selected etype info: etype aes256-cts, salt "&#ceY?Ig]HqA7#-I", params ""
[5849] 1412384797.197383: Received cookie: MIT
Password for admin@JOINSG.NET:
[5849] 1412384838.573302: AS key obtained for encrypted timestamp: aes256-cts/1A3C
[5849] 1412384838.573666: Encrypted timestamp (for 1412384838.572836): plain 301AA011180F32303134313030343031303731385AA105020308BDA4, encrypted 05C477A96F7E882177DD26D12C9A64B1222D531B3035BEA68CBB29C8D45A05DCCDF3516BB62D71CBA5F66BBAA849F32362D67786B348BC74
[5849] 1412384838.573890: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success
[5849] 1412384838.573942: Produced preauth for next request: 133, 2
[5849] 1412384838.574082: Sending request (254 bytes) to JOINSG.NET
[5849] 1412384838.574423: Sending initial UDP request to dgram 173.234.61.206:88
[5849] 1412384839.577042: Initiating TCP connection to stream 173.234.61.206:88
[5849] 1412384839.577283: Sending TCP request to stream 173.234.61.206:88
[5849] 1412384840.653095: Received answer from dgram 173.234.61.206:88
[5849] 1412384840.653240: Response was from master KDC
[5849] 1412384840.653329: Processing preauth types: 19
[5849] 1412384840.653338: Selected etype info: etype aes256-cts, salt "&#ceY?Ig]HqA7#-I", params ""
[5849] 1412384840.653341: Produced preauth for next request: (empty)
[5849] 1412384840.653349: AS key determined by preauth: aes256-cts/1A3C
[5849] 1412384840.653392: Decrypted AS reply; session key is: aes256-cts/FF5B
[5849] 1412384840.653427: FAST negotiation: available
[5849] 1412384840.653444: Initializing KEYRING:persistent:0:0 with default princ admin@JOINSG.NET
[5849] 1412384840.653479: Removing admin@JOINSG.NET -> krbtgt/JOINSG.NET@JOINSG.NET from KEYRING:persistent:0:0
[5849] 1412384840.653483: Storing admin@JOINSG.NET -> krbtgt/JOINSG.NET@JOINSG.NET in KEYRING:persistent:0:0
[5849] 1412384840.653519: Storing config in KEYRING:persistent:0:0 for krbtgt/JOINSG.NET@JOINSG.NET: fast_avail: yes
[5849] 1412384840.653548: Removing admin@JOINSG.NET -> krb5_ccache_conf_data/fast_avail/krbtgt\/JOINSG.NET\@JOINSG.NET@X-CACHECONF: from KEYRING:persistent:0:0
[5849] 1412384840.653555: Storing admin@JOINSG.NET -> krb5_ccache_conf_data/fast_avail/krbtgt\/JOINSG.NET\@JOINSG.NET@X-CACHECONF: in KEYRING:persistent:0:0
[5849] 1412384840.653576: Storing config in KEYRING:persistent:0:0 for krbtgt/JOINSG.NET@JOINSG.NET: pa_type: 2
[5849] 1412384840.653584: Removing admin@JOINSG.NET -> krb5_ccache_conf_data/pa_type/krbtgt\/JOINSG.NET\@JOINSG.NET@X-CACHECONF: from KEYRING:persistent:0:0
[5849] 1412384840.653588: Storing admin@JOINSG.NET -> krb5_ccache_conf_data/pa_type/krbtgt\/JOINSG.NET\@JOINSG.NET@X-CACHECONF: in KEYRING:persistent:0:0
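
An added example, not part of the original post: a small parser for KRB5_TRACE output that measures the time from each KDC request to its answer and notes when the client fell back to TCP. The function names are hypothetical, and the sample is an excerpt of the trace above; the password prompt does not distort the result because timing starts at each send.

```python
import re
from decimal import Decimal

# Excerpt of the trace in the post above (request/answer lines only).
SAMPLE = """\
[5849] 1412384797.192393: Sending initial UDP request to dgram 173.234.61.206:88
[5849] 1412384797.196589: Received answer from dgram 173.234.61.206:88
Password for admin@JOINSG.NET:
[5849] 1412384838.574423: Sending initial UDP request to dgram 173.234.61.206:88
[5849] 1412384839.577042: Initiating TCP connection to stream 173.234.61.206:88
[5849] 1412384839.577283: Sending TCP request to stream 173.234.61.206:88
[5849] 1412384840.653095: Received answer from dgram 173.234.61.206:88
"""

# "[pid] epoch.micros: message" is the line layout seen in the trace above.
TRACE_LINE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")


def kdc_round_trips(trace):
    """Return one record per KDC request: latency and TCP-fallback details."""
    trips, current = [], None
    for raw in trace.splitlines():
        match = TRACE_LINE.match(raw.strip())
        if not match:
            continue  # interactive prompts and blank lines carry no timestamp
        # Decimal keeps microsecond differences exact at epoch magnitudes.
        stamp, msg = Decimal(match.group(2)), match.group(3)
        if msg.startswith("Sending initial UDP request to"):
            current = {"sent": stamp, "latency": None, "answered_via": None,
                       "tcp_fallback": False, "fallback_after": None}
            trips.append(current)
        elif current and msg.startswith("Initiating TCP connection to"):
            current["tcp_fallback"] = True
            current["fallback_after"] = stamp - current["sent"]
        elif current and msg.startswith("Received answer from"):
            current["latency"] = stamp - current["sent"]
            current["answered_via"] = msg.split()[3]  # "dgram" or "stream"
            current = None
    return trips


def slow_requests(trips, threshold=Decimal("0.5")):
    """Requests that fell back to TCP, went unanswered, or exceeded threshold."""
    return [t for t in trips
            if t["tcp_fallback"] or t["latency"] is None or t["latency"] > threshold]


if __name__ == "__main__":
    for trip in kdc_round_trips(SAMPLE):
        print(trip)
```
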