I have several servers and workstations running the latest version of Wheezy.
Two weeks ago the login system was changed. We had an LDAP server and the clients used libpam-ldapd. Everything worked fine.
Now we use a company-wide LDAP proxy to an AD domain and the clients use krb5-user, libpam-krb5 and sssd. The console login takes a few seconds longer than before, and an `ls` without `-n` (i.e. one that resolves numeric IDs to names) takes a while because of the high number of users/groups on the LDAP proxy. Everything else works as before if you are working on a local machine. But if you edit a file on a server with kwrite or kate, it responds very slowly: the users have to wait about two seconds until an action is shown in kwrite or kate. It doesn't matter whether you use a Wheezy workstation or a Windows workstation with X-Win32 (2014 build 12). Kile has the same problem, and I think the lag is limited to KDE apps. Other editors like gedit, emacs and UltraEdit don't show the lag; even Tecplot, a CFD post-processing visualization & analysis tool, works fine.
I have no clue where to look. I know that this is a special setup, but I hope that someone can point me in the right direction.
TIA, Carsten
root@sim0:~# dpkg -l|grep krb5
ii krb5-config 2.3 all Configuration files for Kerberos Version 5
ii krb5-locales 1.10.1+dfsg-5+deb7u2 all Internationalization support for MIT Kerberos
ii krb5-user 1.10.1+dfsg-5+deb7u2 amd64 Basic programs to authenticate using MIT Kerberos
ii libgssapi-krb5-2:amd64 1.10.1+dfsg-5+deb7u2 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libgssapi-krb5-2:i386 1.10.1+dfsg-5+deb7u2 i386 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.10.1+dfsg-5+deb7u2 amd64 MIT Kerberos runtime libraries
ii libkrb5-3:i386 1.10.1+dfsg-5+deb7u2 i386 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.10.1+dfsg-5+deb7u2 amd64 MIT Kerberos runtime libraries - Support library
ii libkrb5support0:i386 1.10.1+dfsg-5+deb7u2 i386 MIT Kerberos runtime libraries - Support library
ii libpam-krb5:amd64 4.6-1 amd64 PAM module for MIT Kerberos
root@sim0:~# dpkg -l|grep sssd
ii sssd 1.8.4-2 amd64 System Security Services Daemon
root@sim0:~# dpkg -l|grep kwrite
ii kwrite 4:4.8.4-1 amd64 simple graphical text editor
root@sim0:~# dpkg -l|grep kile
ii kile 1:2.1.0-1 amd64 KDE Integrated LaTeX Environment
root@sim0:~# dpkg -l|grep kate
ii kate 4:4.8.4-1 amd64 K Advanced Text Editor
ii kate-data 4:4.8.4-1 all shared data files for kate
ii katepart 4:4.8.4-1 amd64 kate KPart
ii libkate1 0.4.1-1 amd64 Kate is a codec for karaoke and text encapsulation
ii libkateinterfaces4 4:4.8.4-1 amd64 kate plugin interface library
ii libkatepartinterfaces4 4:4.8.4-1 amd64 kate part library
root@sim0:~# cat /etc/debian_version
7.6
root@sim0:~#
root@sim0:~# cat /etc/krb5.conf
# /etc/krb5.conf as pasted. No [realms] stanza is active (it is commented
# out below), so KDC discovery falls back to whatever MIT krb5 does without
# one -- DNS SRV lookup, as I recall; verify that the AD DCs are published.
[libdefaults]
# Realm name is upper-case here, while sssd.conf sets krb5_realm to the
# lower-case "company.net"; Kerberos realm names are case-sensitive.
default_realm = COMPANY.NET
#krb4_config = /etc/krb.conf
#krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
# NOTE(review): "forward" is not a [libdefaults] key I recognise
# (forwardable is set just below); harmless if ignored -- check krb5.conf(5).
forward = true
# Forwardable/proxiable tickets permit credential delegation; keep them only
# if something on the servers actually needs delegated credentials.
forwardable = true
proxiable = true
# Weak enctypes (DES/RC4) stay disabled -- leave these commented out.
#allow_weak_crypto = 1
#default_tgs_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
#default_tkt_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
#preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
#[realms]
# company.net = {
# kdc = company-dc-05.company.net:88
# admin_server = company-dc-05.company.net:749
# kpasswd_server = company-dc-05.company.net:464
# default_domain = company.net
# }
[logging]
default = SYSLOG:INFO:DAEMON
root@sim0:~# cat /etc/ldap/ldap.conf
# /etc/ldap/ldap.conf as pasted (OpenLDAP client configuration). libldap only
# reads the OpenLDAP keys (uri, base, ldap_version, TLS_*); the nss_*, ssl and
# bind* keys look like libnss-ldap / pam_ldap leftovers from the earlier
# setup and should be inert now that sssd handles NSS/PAM -- TODO confirm.
uri ldaps://company-ldap-01.scc.company.net/ ldaps://company-ldap-02.scc.company.net/
# Search base differs from sssd.conf (ou=IDM here vs ou=department there);
# possibly an anonymisation artefact of the paste -- verify.
base ou=unix,ou=IDM,dc=company,dc=edu
ldap_version 3
#
# the user data can be changed here:
binddn uid=department-ldap,ou=ProxyUser,ou=department,dc=company,dc=edu
# NOTE(review): a bind password in /etc/ldap/ldap.conf -- this file is
# normally world-readable. If "secret" is not a redaction, move the
# credential out (sssd.conf already carries it) or restrict the file mode.
bindpw secret
#
#
nss_base_passwd ou=People,ou=unix,ou=IDM,dc=company,dc=edu?sub?uidnumber=*
nss_base_shadow ou=People,ou=unix,ou=IDM,dc=company,dc=edu?sub?uidnumber=*
# NOTE(review): the next two lines look line-wrapped in the paste; the
# original was presumably "nss_base_group <base>" followed by
# "nss_map_attribute gecos displayName" on a line of its own.
nss_base_group ou=Groups,ou=unix,ou=IDM,dc=company,dc=edu nss_map_attribute
gecos displayName
ssl yes
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
root@sim0:~# cat /etc/sssd/sssd.conf
# /etc/sssd/sssd.conf as pasted. Because it carries a plaintext bind
# credential, sssd expects this file to be root-owned with mode 0600 (it
# refuses to start otherwise, as far as I know) -- keep it that way.
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = company.net
[nss]
#filter_groups = root
#filter_users = root
#reconnection_retries = 3
[pam]
#reconnection_retries = 3
#offline_credentials_expiration = 6
#offline_failed_login_delay = 5
[domain/company.net]
# Raising debug_level temporarily (and reading /var/log/sssd/) is the quickest
# way to see which NSS lookups the slow desktop apps keep issuing.
#debug_level = 9
# Using enumerate = true leads to high load and slow response
description = AD over LDAP-ProxyUser
enumerate = false
cache_credentials = true
# Cache timeouts are left at their defaults; with a large directory a longer
# entry_cache_timeout may cut repeated lookups -- measure before changing.
#entry_cache_timeout = 14400
#account_cache_expiration = 7
#offline_credentials_expiration = 3
#offline_failed_login_attempts = 5
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_uri = ldaps://company-ldap-01.scc.company.net/, ldaps://company-ldap-02.scc.company.net/
ldap_search_base = ou=unix,ou=department,dc=company,dc=edu
#
# the user data can be changed here:
ldap_default_bind_dn = uid=department-ldap,ou=ProxyUser,ou=department,dc=company,dc=edu
ldap_default_authtok_type = password
# Plaintext proxy-bind password (presumably redacted as "secret" here);
# see the file-mode note at the top of this file.
ldap_default_authtok = secret
#
#
ldap_user_home_directory = homeDirectory
ldap_user_principal = mail
ldap_user_search_base = ou=People,ou=unix,ou=department,dc=company,dc=edu
ldap_user_fullname = displayName
ldap_group_search_base = ou=Groups,ou=unix,ou=department,dc=company,dc=edu
# NOTE(review): ldap_access_filter is only evaluated when "filter" is listed
# in ldap_access_order; with "expire" alone (next line) this group
# restriction is not enforced, as I recall from sssd-ldap(5) -- verify, and
# set "ldap_access_order = filter, expire" if the group check is intended.
ldap_access_filter = memberOf=CN=DEPARTMENT-user,ou=groups,ou=unix,ou=department,dc=company,dc=edu
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_pwd_policy = none
# Server certificate verification is mandatory here -- keep it at "demand".
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
krb5_server = company-DC-04.company.net, company-DC-05.company.net
# Lower-case realm while krb5.conf has COMPANY.NET; realm names are
# case-sensitive. ldap_force_upper_case_realm above presumably covers only
# the user-principal side -- verify the case matches the KDC's realm.
krb5_realm = company.net
# NOTE(review): looks misspelled -- the sssd key is krb5_changepw_principal
# as far as I recall, and an unknown key is silently ignored -- verify.
krb5_changepw_principle = kadmin/changepw
krb5_auth_timeout = 15
krb5_kpasswd = company-dc-04.company.net, company-dc-05.company.net
#krb5_store_password_if_offline = true
#krb5_ccachedir = /var/lib/sss/db/
#krb5_lifetime = 24h