[Beowulf] cluster authentication part II

Tony Brian Albers tba at kb.dk
Mon Jan 15 22:03:56 PST 2018


On 01/16/2018 12:35 AM, Jörg Saßmannshausen wrote:
> Dear all,
> 
> reading the Cluster Authentication (LDAP,AD) thread which was posted at the
> end of last year reminds me of a problem we are having.
> 
> For our Ubuntu 14 virtual machines we are authenticating against AD and I am
> using the nslcd daemon to do that.
> This is working very well in a shell, i.e. when I am doing this in a shell:
> 
> $ su -l USER
> 
> It is fast, it is creating the home directory if I need it (or not if I want
> to mount the file space elsewhere and use a local home) and the standard lookup
> tools like
> 
> $ getent passwd USER
> 
> are fast as well.
> 
> However, and here is where I am stuck: when I want to log in to the machine
> using the GUI, this takes forever. We measured it and it takes up to 90 sec.
> until it finally works. I also noticed that it is not reading the
> /etc/nslcd.conf file but either /etc/ldap.conf or /etc/ldap/ldap.conf. The
> content of the ldap.conf file is identical with the nslcd.conf file. I am using
> TLS and not SSL for the secure connection.
> Furthermore, and here I am not sure whether it is the same problem or a
> different one, if I want to ssh into the Ubuntu VM, this also takes a very long
> time (90 sec) until I can do that.
> Strangely enough, our HPC cluster is using nslcd as well (I used that
> nslcd.conf file as a template for the Ubuntu setup), authenticating against the
> same AD and that works instantaneously.
> 
> Does anybody have some ideas of where to look? It somehow puzzles me.
> I am a bit inclined to say the problem is within Ubuntu 14 as the cluster is
> running CentOS and my Debian chroot environment is Stretch.
> 
> All the best from London
> 
> Jörg
> 

Hello Jörg,

This might be caused by latency in hostname lookups. How do the machines 
know one another? DNS is generally fine, but to check I'd try to put the 
client in the server's (AD server that is) hosts file and put the AD 
server and any other machines called during login (maybe for autofs or 
something like that) in the client's hosts file. At least that will tell 
you whether the thing is DNS related.

Also, when ssh'ing in from another machine, try to put both machines' 
fqdn and shortnames in their hosts files.

I know that this might seem odd, since stuff just works when logged in, 
but there's a lot of stuff going on during login that depends on 
hostname resolution if you have external services (AD authentication etc.).

/tony




-- 
Tony Albers
Systems administrator, IT-development
Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 2566 2383 / +45 8946 2316
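
Added example, not part of the original thread: a way to measure the lookup latency the reply suspects before editing any hosts files. It times forward and reverse lookups through the system resolver for each host involved in login; the 1-second threshold, the function names and the sample host list are assumptions made for this sketch.

```python
import socket
import time

SLOW_SECONDS = 1.0  # assumed threshold; a healthy lookup takes milliseconds


def timed(fn, *args):
    """Run one resolver call; return (seconds, result or None, error or None)."""
    start = time.monotonic()
    try:
        result, err = fn(*args), None
    except OSError as exc:  # socket.gaierror and socket.herror are OSError subclasses
        result, err = None, str(exc)
    return time.monotonic() - start, result, err


def forward(name):
    """Name -> sorted unique addresses via the system resolver (hosts file, DNS)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})


def reverse(addr):
    """Address -> primary name (PTR record or hosts-file entry)."""
    return socket.gethostbyaddr(addr)[0]


def check(names, fwd=forward, rev=reverse, slow=SLOW_SECONDS):
    """Time a forward lookup per name and a reverse lookup per returned address."""
    rows = []
    for name in names:
        secs, addrs, err = timed(fwd, name)
        rows.append({"query": name, "kind": "forward", "seconds": secs,
                     "answer": addrs, "error": err, "slow": secs >= slow})
        for addr in addrs or []:
            secs, ptr, err = timed(rev, addr)
            rows.append({"query": addr, "kind": "reverse", "seconds": secs,
                         "answer": ptr, "error": err, "slow": secs >= slow})
    return rows


if __name__ == "__main__":
    # Constructed sample list: replace with the client, the AD server and any
    # other host contacted during login, each as FQDN and as short name.
    for r in check(["localhost", socket.gethostname()]):
        flag = "SLOW" if r["slow"] else "ok"
        print(f'{flag:4} {r["kind"]:7} {r["query"]:30} '
              f'{r["seconds"] * 1000:8.1f} ms  {r["error"] or r["answer"]}')
```

Running it on the client and on the machine being ssh'd from, before and after adding hosts-file entries, shows whether the delay moves with name resolution.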

