On Dec 30, 2011, at 5:45 PM, Erinn Looney-Triggs wrote:

> I have been slowly rolling out FreeIPA to my systems, trying to track
> differences/changes. One of the most noticeable has been a large slow
> down in file access times.
>
> Let me explain as best as I can. I use AIDE to track the file system
> (think tripwire) and it runs checks once a day. During these checks it
> is scanning (almost) the entire file system and comparing it to a stored
> database. On a moderately powered system with ~151k files, an AIDE run
> will usually take ~30 minutes. After the system becomes an IPA client
> the same run will generally take ~90-120 minutes. Un-install the
> ipa-client, back to ~30 minutes for an AIDE run.
>
> Now clearly a lot of lookups are being done for user names and group
> names, and this will have a performance hit that is dependent on the
> network. However, the odd thing is that even when running on the IPA
> server itself the slowdown is still the same.
>
> Not sure if this is an IPA problem, an SSSD problem, a bit of both, or
> neither, perhaps it is just the way it is, but a slowdown of 3-4x seems
> a bit much to me. Clearly the results are not scientific, however, they
> have been generally reproducible since I started rolling IPA out.
>
> As a side note this slowdown has also broken bacula backups, as the
> bacula client is scanning the filesystem for change (using accurate
> backups) the director times out.
>
> Any thoughts, or opinions? Workarounds etc? I have checked to make sure
> that SSSD caching is enabled, and functional.
>
> Thanks,
>
> -Erinn

I am assuming that these are all running as local users.

From the sssd.conf man page in the nss section:

    filter_users, filter_groups (string)
        Exclude certain users from being fetched from the sss NSS
        database. This is particularly useful for system accounts. This
        option can also be set per-domain or include fully-qualified
        names to filter only users from the particular domain.

        Default: root

Try adding this to your sssd.conf:

    [nss]
    # extend both lists as needed
    filter_groups = root,bacula,aide,otherdaemonuser
    filter_users = root,bacula,aide,otherdaemonuser

Let me know if that solves your issue.
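
Added example, not part of the original message or of SSSD: one way to build the filter_users/filter_groups lists suggested above from passwd(5)/group(5) data, so that every local system account is excluded from SSSD lookups. The helper names, the sample data and the ID cutoff of 999 are assumptions; set the cutoff to your distribution's system-account ceiling.

```python
"""Build an sssd.conf [nss] fragment that filters local system accounts."""

# Constructed sample data in passwd(5) and group(5) format.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bacula:x:133:133:Bacula:/var/spool/bacula:/sbin/nologin
alice:x:1001:1001::/home/alice:/bin/bash
+::::::
"""
SAMPLE_GROUP = """\
root:x:0:
disk:x:6:
bacula:x:133:
alice:x:1001:
"""


def local_names(text, max_id):
    """Return sorted account names whose numeric ID (third field) is <= max_id."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments and NIS compat entries such as "+::::::".
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # malformed entry, ignore it
        if int(fields[2]) <= max_id:
            names.add(fields[0])
    return sorted(names)


def nss_filter_section(passwd_text, group_text, max_id=999):
    """Render the [nss] section; max_id=999 is an assumed system-ID ceiling."""
    users = ",".join(local_names(passwd_text, max_id))
    groups = ",".join(local_names(group_text, max_id))
    return f"[nss]\nfilter_users = {users}\nfilter_groups = {groups}\n"


if __name__ == "__main__":
    # On a real host, read the local files instead of the samples.
    with open("/etc/passwd") as p, open("/etc/group") as g:
        print(nss_filter_section(p.read(), g.read()), end="")
```

Review the generated lists before merging them into sssd.conf, then restart sssd so the [nss] section is re-read.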