On 08/08/2017 08:44 PM, smfrench(a)gmail.com wrote:
> In a few cases recently (again yesterday), we noticed RHEL7.3's "realm join"
> taking more than 5 minutes (which timed out in our cli, and running realm
> directly worked but took ~6 normally would take a few seconds). As you can see
> from the verbose output below the two longest stretches (greater than 2 minutes!
> each) were waiting between launching "net ads join" and piping the password in
> (and similarly "net ads keytab create" had a long delay between starting the
> command and giving it the password). Looking at realmd
> service/realm-samba-enroll.c e.g. begin_net_process() calling out to
> realm_command_runv_async it was not obvious why there should be any delay between
> the launch of the net command and the passing of the password (I did see one
> report of "net ads keytab create" hanging if the keytab already existed but that
> is not the same problem as this). Any idea how/why such long delays between
> launching net and inputting the password in realmd async code? > 5 minutes is a
> long time to do something that usually completes in 10 seconds.
>
> 2017-08-01 19:54:09 realmd: * Performing LDAP DSE lookup on: ...
> 2017-08-01 19:54:09 realmd: * Successfully discovered ...
> 2017-08-01 19:54:10 realmd: * Required files: /usr/sbin/oddjobd,
> /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
> 2017-08-01 19:54:10 realmd: * Joining using a manual netbios name: ....
> 2017-08-01 19:54:10 realmd: * LANG=C LOGNAME=root /usr/bin/net -s
> /var/cache/realmd/realmd-smb-conf.0DFU4Y -U <username> ads join <domain>
> 2017-08-01 19:56:42 realmd: Enter <username's> password:
> 2017-08-01 19:56:42 realmd: Using short domain name -- <short name>
> 2017-08-01 19:56:42 realmd: Joined ... to dns domain ...
> 2017-08-01 19:56:42 realmd: * LANG=C LOGNAME=root /usr/bin/net -s
> /var/cache/realmd/realmd-smb-conf.0DFU4Y -U <username> ads keytab create
> 2017-08-01 19:59:33 realmd: Enter <username's> password:
>
> Any ideas why realmd's async processing (basically passing the password to
> the underlying "net ads join" etc.) is doing this?

I would use the method mentioned in the below email thread to add the
-d10 argument to the net command and keep all other parameters the same
as a typical realm join then analyze the net debug output to see what is
taking the longest time.
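
To see where the time goes in a verbose realmd log like the one quoted above, the gaps between consecutive timestamped entries can be ranked. This is an added example, not part of the original thread or of realmd; it assumes the "YYYY-MM-DD HH:MM:SS" line prefix shown in the excerpt, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Log excerpt copied from the quoted message (elisions and line wraps as posted).
SAMPLE_LOG = """\
2017-08-01 19:54:09 realmd: * Performing LDAP DSE lookup on: ...
2017-08-01 19:54:09 realmd: * Successfully discovered ...
2017-08-01 19:54:10 realmd: * Required files: /usr/sbin/oddjobd,
/usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
2017-08-01 19:54:10 realmd: * Joining using a manual netbios name: ....
2017-08-01 19:54:10 realmd: * LANG=C LOGNAME=root /usr/bin/net -s
/var/cache/realmd/realmd-smb-conf.0DFU4Y -U <username> ads join <domain>
2017-08-01 19:56:42 realmd: Enter <username's> password:
2017-08-01 19:56:42 realmd: Using short domain name -- <short name>
2017-08-01 19:56:42 realmd: Joined ... to dns domain ...
2017-08-01 19:56:42 realmd: * LANG=C LOGNAME=root /usr/bin/net -s
/var/cache/realmd/realmd-smb-conf.0DFU4Y -U <username> ads keytab create
2017-08-01 19:59:33 realmd: Enter <username's> password:
"""

STAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")

def parse_entries(text):
    """Return [(datetime, message)], folding wrapped lines into the previous entry."""
    entries = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            entries.append((ts, m.group(2)))
        elif entries and line.strip():
            ts, msg = entries[-1]
            entries[-1] = (ts, msg + " " + line.strip())
    return entries

def longest_gaps(text, threshold=30):
    """Return (seconds, entry_before, entry_after) for gaps >= threshold, longest first."""
    entries = parse_entries(text)
    gaps = []
    for (t0, before), (t1, after) in zip(entries, entries[1:]):
        delta = int((t1 - t0).total_seconds())
        if delta >= threshold:
            gaps.append((delta, before, after))
    return sorted(gaps, key=lambda g: g[0], reverse=True)

if __name__ == "__main__":
    for seconds, before, after in longest_gaps(SAMPLE_LOG):
        print(f"{seconds:4d}s after: {before}\n       until: {after}")
```
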