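We currently use FreeIPA because it supports a central repository for SSH pubkeys, which are the only thing that can be used to log in to our servers. We installed a CentOS 7 machine (latest) with IPA 3.3.3 (from the default repos), and after installation the web UI was extremely slow.
After adding users and hosts, it was still slow. Sometimes LDAP timeouts occur when using the sudo command (the sudo rules are actually on the local machine). The web GUI is almost unusable.
We decided to try installing the latest Fedora 2x with IPA 4.0.1. After installation, we noticed the web GUI was just as slow, and all the other problems matched our earlier experience. Several of us have used IPA 3.0 on CentOS 6.5 without problems. We would like to avoid going back that far, and are sure the solution is to fix something we messed up.
Here is the output of $ KRB5_TRACE=/dev/stderr kinit admin: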
auth-1 ~ # KRB5_TRACE=/dev/stderr kinit admin
[5849] 1412384797.188699: Getting initial credentials for admin@JOINSG.NET
[5849] 1412384797.191831: Sending request (161 bytes) to JOINSG.NET
[5849] 1412384797.192393: Sending initial UDP request to dgram 173.234.61.206:88
[5849] 1412384797.196589: Received answer from dgram 173.234.61.206:88
[5849] 1412384797.196894: Response was from master KDC
[5849] 1412384797.197091: Received error from KDC: -1765328359/Additional pre-authentication required
[5849] 1412384797.197213: Processing preauth types: 136, 19, 2, 133
[5849] 1412384797.197329: Selected etype info: etype aes256-cts, salt "&#ceY?Ig]HqA7#-I", params ""
[5849] 1412384797.197383: Received cookie: MIT
Password for admin@JOINSG.NET:
[5849] 1412384838.573302: AS key obtained for encrypted timestamp: aes256-cts/1A3C
[5849] 1412384838.573666: Encrypted timestamp (for 1412384838.572836): plain 301AA011180F32303134313030343031303731385AA105020308BDA4, encrypted 05C477A96F7E882177DD26D12C9A64B1222D531B3035BEA68CBB29C8D45A05DCCDF3516BB62D71CBA5F66BBAA849F32362D67786B348BC74
[5849] 1412384838.573890: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success
[5849] 1412384838.573942: Produced preauth for next request: 133, 2
[5849] 1412384838.574082: Sending request (254 bytes) to JOINSG.NET
[5849] 1412384838.574423: Sending initial UDP request to dgram 173.234.61.206:88
[5849] 1412384839.577042: Initiating TCP connection to stream 173.234.61.206:88
[5849] 1412384839.577283: Sending TCP request to stream 173.234.61.206:88
[5849] 1412384840.653095: Received answer from dgram 173.234.61.206:88
[5849] 1412384840.653240: Response was from master KDC
[5849] 1412384840.653329: Processing preauth types: 19
[5849] 1412384840.653338: Selected etype info: etype aes256-cts, salt "&#ceY?Ig]HqA7#-I", params ""
[5849] 1412384840.653341: Produced preauth for next request: (empty)
[5849] 1412384840.653349: AS key determined by preauth: aes256-cts/1A3C
[5849] 1412384840.653392: Decrypted AS reply; session key is: aes256-cts/FF5B
[5849] 1412384840.653427: FAST negotiation: available
[5849] 1412384840.653444: Initializing KEYRING:persistent:0:0 with default princ admin@JOINSG.NET
[5849] 1412384840.653479: Removing admin@JOINSG.NET -> krbtgt/JOINSG.NET@JOINSG.NET from KEYRING:persistent:0:0
[5849] 1412384840.653483: Storing admin@JOINSG.NET -> krbtgt/JOINSG.NET@JOINSG.NET in KEYRING:persistent:0:0
[5849] 1412384840.653519: Storing config in KEYRING:persistent:0:0 for krbtgt/JOINSG.NET@JOINSG.NET: fast_avail: yes
[5849] 1412384840.653548: Removing admin@JOINSG.NET -> krb5_ccache_conf_data/fast_avail/krbtgt\/JOINSG.NET\@JOINSG.NET@X-CACHECONF: from KEYRING:persistent:0:0
[5849] 1412384840.653555: Storing admin@JOINSG.NET -> krb5_ccache_conf_data/fast_avail/krbtgt\/JOINSG.NET\@JOINSG.NET@X-CACHECONF: in KEYRING:persistent:0:0
[5849] 1412384840.653576: Storing config in KEYRING:persistent:0:0 for krbtgt/JOINSG.NET@JOINSG.NET: pa_type: 2
[5849] 1412384840.653584: Removing admin@JOINSG.NET -> krb5_ccache_conf_data/pa_type/krbtgt\/JOINSG.NET\@JOINSG.NET@X-CACHECONF: from KEYRING:persistent:0:0
[5849] 1412384840.653588: Storing admin@JOINSG.NET -> krb5_ccache_conf_data/pa_type/krbtgt\/JOINSG.NET\@JOINSG.NET@X-CACHECONF: in KEYRING:persistent:0:0
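
A trace like the one above can be read for latency by computing the time between consecutive events while ignoring the wait at the password prompt. The Python below is an added example, not part of the original post; the function names `events`, `slow_steps` and `kdc_round_trips` are hypothetical, and the sample is an excerpt of the trace lines from the post.

```python
import re
from decimal import Decimal

# Excerpt of the KRB5_TRACE lines from the post above (both AS requests).
SAMPLE_TRACE = """\
[5849] 1412384797.192393: Sending initial UDP request to dgram 173.234.61.206:88
[5849] 1412384797.196589: Received answer from dgram 173.234.61.206:88
[5849] 1412384797.197383: Received cookie: MIT
Password for admin@JOINSG.NET:
[5849] 1412384838.573302: AS key obtained for encrypted timestamp: aes256-cts/1A3C
[5849] 1412384838.574423: Sending initial UDP request to dgram 173.234.61.206:88
[5849] 1412384839.577042: Initiating TCP connection to stream 173.234.61.206:88
[5849] 1412384839.577283: Sending TCP request to stream 173.234.61.206:88
[5849] 1412384840.653095: Received answer from dgram 173.234.61.206:88
"""

TRACE_LINE = re.compile(r"^\[\d+\] (\d+\.\d+): (.*)$")

def events(text):
    """Yield (timestamp, message, after_prompt); after_prompt marks a gap that spans a prompt."""
    after_prompt = False
    for line in text.splitlines():
        m = TRACE_LINE.match(line.strip())
        if m:
            yield Decimal(m.group(1)), m.group(2), after_prompt
            after_prompt = False
        elif line.strip():
            after_prompt = True  # non-trace line, e.g. "Password for ...:" (human wait)

def slow_steps(text, threshold=Decimal("0.5")):
    """Return (gap, previous_message, message) for gaps >= threshold seconds."""
    out, prev = [], None
    for ts, msg, after_prompt in events(text):
        if prev and not after_prompt and ts - prev[0] >= threshold:
            out.append((ts - prev[0], prev[1], msg))
        prev = (ts, msg)
    return out

def kdc_round_trips(text):
    """Return seconds from each 'Sending initial UDP request' to the next answer."""
    trips, sent = [], None
    for ts, msg, _ in events(text):
        if msg.startswith("Sending initial UDP request"):
            sent = ts
        elif msg.startswith("Received answer") and sent is not None:
            trips.append(ts - sent)
            sent = None
    return trips
```

On this excerpt, `slow_steps` flags the roughly one-second gap before the client opens a TCP connection after its UDP request, and `kdc_round_trips` shows the second AS request taking about 2.08 s against about 4 ms for the first.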