The problem in this particular case was made worse by a lot of network latency, but even on network segments local to the ipa masters, it's taking seconds to authenticate. This will help out the local accounts, at least. Now to keep working on those that aren't local.
Thanks for that tip, Simo!

On 05/22/2014 01:15 PM, Simo Sorce wrote:
> On Thu, 2014-05-22 at 13:12 -0400, Bret Wortman wrote:
> > Ahhhh. Then it's probably not the source of my performance problem. I know when I shut down SSSD, that user's ssh times speed up incredibly.
>
> This makes me think it *is* initgroups, as it normally will hit sssd even for non-sssd owned users. But the issue here clearly is that sssd is slow for you, bad network?
>
> Simo.
>
> > Bret
> >
> > On 05/22/2014 01:06 PM, Simo Sorce wrote:
> > > On Thu, 2014-05-22 at 12:47 -0400, Bret Wortman wrote:
> > > > If this line is in /etc/nsswitch.conf:
> > > >
> > > > passwd: files sss
> > > >
> > > > Why would the user account from IPA get used when an identical one exists in /etc/passwd? We can tell because of some additional groups granted when authentication comes from IPA. If I shut down sssd, then login proceeds through /etc/passwd as expected, but as soon as I restart sssd, this behavior starts again. It's almost as if nsswitch.conf is being ignored or read right-to-left.
> > > >
> > > > Just another oddity I uncovered on one system as I was troubleshooting a particularly long "ssh localhost" and trying to rule things out.
> > >
> > > The initgroups call (done at authentication to find what groups a user is a member of) by default traverses all databases, so if the same username is found in multiple databases the groups are added as well. There is actually a way to change this behavior, although it usually causes more issues than it resolves. You could try with:
> > >
> > > initgroups: files sss
> > >
> > > Simo.
_______________________________________________ Freeipa-users mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-users
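The nsswitch.conf behaviour discussed in the thread, as an added example that is not part of the original messages: a small parser for nsswitch.conf that resolves which services glibc consults for a database (an absent `initgroups` line falls back to the `group` line) and flags the situation Bret hit, where a user present in both `files` and `sss` gets groups merged from every listed service. The configuration text is constructed for the example; `parse_nsswitch`, `lookup_order` and `initgroups_findings` are hypothetical helper names.

```python
import re
from collections import OrderedDict

# Constructed sample matching the thread: passwd/group consult files then sss,
# and there is no explicit initgroups line.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample, not a real host's file)
passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files [NOTFOUND=return] dns
"""

ACTION_SPEC = re.compile(r"\[[^\]]*\]")  # e.g. [NOTFOUND=return]


def parse_nsswitch(text):
    """Return {database: [service, ...]}; comments and action specifiers dropped."""
    dbs = OrderedDict()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        database, rest = line.split(":", 1)
        dbs[database.strip()] = ACTION_SPEC.sub(" ", rest).split()
    return dbs


def lookup_order(dbs, database):
    """Services glibc consults for `database`.

    glibc uses the `initgroups` line when present and otherwise falls back
    to the `group` line, which is why the thread's config has no separate
    initgroups policy until one is added explicitly.
    """
    if database == "initgroups" and "initgroups" not in dbs:
        return list(dbs.get("group", []))
    return list(dbs.get(database, []))


def initgroups_findings(dbs):
    """Report whether initgroups is configured explicitly and whether, as Simo
    describes, a duplicated username would have groups collected from more
    than one service (local account plus SSSD/IPA)."""
    explicit = "initgroups" in dbs
    order = lookup_order(dbs, "initgroups")
    return {
        "explicit": explicit,
        "order": order,
        "merges_across_services": (not explicit) and len(order) > 1,
    }
```

Running `initgroups_findings(parse_nsswitch(SAMPLE_NSSWITCH))` on the sample shows the merge condition; appending Simo's `initgroups: files sss` line makes the policy explicit so it can be tuned independently of `group`.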