I found that our slower system was using FQDNs for the list of IPA servers; our faster system was using IPs. I'm switching now, letting Puppet distribute the update and will see if it helps.

By enumeration, do you mean are we spelling out our IPA servers? Yes. We only have 3 and they look something like this:

[domain/foo.net]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = foo.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = rm266ws-a.foo.net
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, 192.168.2.61, 192.168.2.62, 192.168.2.63
ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=net
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = foo.net
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]

On the other hand, if you meant something else, then I hope the answer's in the file. ;-)


On 05/22/2014 10:15 AM, Dmitri Pal wrote:
On 05/22/2014 09:43 AM, Bret Wortman wrote:
What we're seeing is slow GDM logins, ssh authentications, and "sudo -i" responses on this network. On our other, these things are all blazing fast. Here, they're on the order of 5-10 seconds. And it doesn't seem to improve (much) with age or time, except perhaps anecdotally. At best, a second connection might be a second faster, but will revert within an hour or so.


Have you compared sssd.conf from clients in these two networks?
Do you use enumeration?

Increasing debug level and looking at the logs will help you to understand what part takes most time. These logs will be helpful for you/us to see if/what the problem is/are.


On 05/22/2014 09:36 AM, Rob Crittenden wrote:
Bret Wortman wrote:
Where should my clients be getting the contents of /etc/openldap/certs from?

I've got one network where my IPA authentications are blazing fast and
one where they're ... not. On the slower one, clients'
/etc/openldap/certs directories are either missing or empty; on the
faster network, clients have certs in these directories.

Is this important, and if so what could be going wrong on my slower
network that might cause the certs to not get distributed or created
properly?
These are not the droids you are looking for...

Can you clarify what you mean by IPA authentications? sssd should be
handling that, and while a first auth over a slow link might be slow
subsequent usage should be quite fast.

rob




_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to