We are experiencing slow logins on all client machines. At present this is only two machines, but we have experienced the same issue with prior installations. We have migrated the entirety of our ancient OpenLDAP install to FreeIPA. Our environment is:
1 x IPA Server
3 x IPA Replicas

All of these have the following specs:
Memory: 16GiB
CPU: 6 Cores
Disk: 64GiB

When a client has its cache cleared or it has expired, such as not being logged into overnight, we have seen quite a delay logging in, especially compared to our antiquated OpenLDAP install. In a test this morning the two clients took ~30 seconds for the first login of the day. Once this delay is seen it is not seen again for a while (I haven't timed it at this point).

In the logs I see the following:

21k instances of:
    [sssd[be[example.com]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [[email protected]]

32k instances of:
    [sssd[be[example.com]]] [sdap_get_primary_name] (0x0400): Processing object user767

151 instances of (the only result for grepping the log for "fail"):
    [sssd[be[example.com]]] [sdap_save_grpmem] (0x0400): Failed to get group sid

148 instances of (the only result for grepping the log for "warn"):
    [sssd[be[example.com]]] [sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because scope is set to base.

These cover multiple users and multiple groups. I can provide logs, but a clean log and a single login at log level 6 generated a 7.2 MiB log file. It looks like it's doing some sort of enumeration, but I don't know enough to know what exactly is going on. The load on the IPA server and replicas isn't remotely high at any point. We will end up with > 8k machines authenticating to this cluster, so ~30 seconds to login to any given machine for jobs is a lot of lost time.
---sssd.conf---
[domain/dug.com]
cache_credentials = True
debug_level = 6
krb5_store_password_if_offline = True
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client0001.example.com
chpass_provider = ipa
ipa_server = _srv_, ipa0001.example.com, ipa0002.example.com, ipa0003.example.com, ipa0004.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
autofs_provider = ipa
ipa_automount_location = local-map

[sssd]
services = nss, sudo, pam, autofs, ssh
domains = example.com

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

[session_recording]
---sssd.conf---

Any help would be appreciated!

--
*Mark Potter*
Senior Linux Administrator
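The kind of tally the post describes (counting backend debug-log lines per sssd function and grepping the messages for "fail" and "warn"), as an added example in Python that is not part of the original post. It parses the `[sssd[be[domain]]] [function] (0xlevel): message` shape of the lines quoted above, with an optional leading timestamp as a real sssd log carries it; the sample lines and the group names in them are constructed for the example.

```python
import re
from collections import Counter

# Line shape quoted in the post; a leading "(timestamp) " is optional.
LINE_RE = re.compile(
    r"^(?:\([^)]*\) )?"                       # optional "(Tue Mar  6 08:12:01 2018) "
    r"\[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "  # [sssd[be[example.com]]]
    r"\[(?P<func>[^\]]+)\] "                  # [sdap_process_ghost_members]
    r"\((?P<level>0x[0-9A-Fa-f]+)\): "        # (0x0400):
    r"(?P<msg>.*)$"
)
GHOST_RE = re.compile(r"Adding ghost member for group \[(?P<group>[^\]]+)\]")

# Constructed sample lines (not taken from the poster's log); group names are made up.
SAMPLE_LOG = """\
[sssd[be[example.com]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [engineering@example.com]
[sssd[be[example.com]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [engineering@example.com]
[sssd[be[example.com]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [ops@example.com]
[sssd[be[example.com]]] [sdap_get_primary_name] (0x0400): Processing object user767
[sssd[be[example.com]]] [sdap_get_primary_name] (0x0400): Processing object user768
(Tue Mar  6 08:12:01 2018) [sssd[be[example.com]]] [sdap_get_primary_name] (0x0400): Processing object user769
[sssd[be[example.com]]] [sdap_save_grpmem] (0x0400): Failed to get group sid
[sssd[be[example.com]]] [sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because scope is set to base.
this line is not a backend log line and is counted as unparsed
"""

def parse_line(line):
    """Return the fields of one backend log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def summarise(lines):
    """Count lines per sssd function and per ghost-member group; collect fail/warn messages."""
    by_function, ghost_groups = Counter(), Counter()
    failures, warnings, unparsed = [], [], 0
    for line in lines:
        rec = parse_line(line.rstrip("\n"))
        if rec is None:
            unparsed += 1
            continue
        by_function[rec["func"]] += 1
        g = GHOST_RE.search(rec["msg"])
        if g:
            ghost_groups[g.group("group")] += 1
        low = rec["msg"].lower()
        if "fail" in low:
            failures.append(rec)
        if "warn" in low:
            warnings.append(rec)
    return {"by_function": by_function, "ghost_groups": ghost_groups,
            "failures": failures, "warnings": warnings, "unparsed": unparsed}

if __name__ == "__main__":
    s = summarise(SAMPLE_LOG.splitlines())
    for func, n in s["by_function"].most_common():
        print(f"{n:6d}  {func}")
    print("ghost-member groups:", dict(s["ghost_groups"]))
    print("fail:", len(s["failures"]), "warn:", len(s["warnings"]), "unparsed:", s["unparsed"])
```

Pointing `summarise()` at an open file handle for the real domain log (for example `/var/log/sssd/sssd_example.com.log`) gives the same per-function and per-group counts the post reports by hand, which is useful for seeing which groups account for the bulk of the ghost-member processing.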
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
