On Fri, May 23, 2014 at 09:48:00AM -0400, Bret Wortman wrote:
> More soft/anecdotal:
>
> When executing "sudo -i" or "sudo -iu" the first time, we can expect
> a several second delay before the command completes. If we then exit
> the session and re-execute the command, it will complete almost
> instantly. So whatever cache is holding this information, if we
> could increase its duration, that would certainly make our pain
> less. Is this a settable value?
>
> Entering a password into a screensaver is particularly painful. 10+
> seconds before the screensaver will exit.
>
> We are looking at environmental possibilities, like interfaces and
> such. This machine is running on a VMware VM, but we've had success
> deploying IPA on VMs in the past, and our faster network is running
> VMs as well (with one physical box).

Can you try increasing this option:

pam_id_timeout (integer)
    For any PAM request while SSSD is online, the SSSD will attempt to
    immediately update the cached identity information for the user in
    order to ensure that authentication takes place with the latest
    information.

    A complete PAM conversation may perform multiple PAM requests, such
    as account management and session opening. This option controls (on
    a per-client-application basis) how long (in seconds) we can cache
    the identity information to avoid excessive round-trips to the
    identity provider.

    Default: 5
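
Where the option quoted in the reply above goes in sssd.conf, shown as an added example that is not part of the original message. pam_id_timeout is a [pam] section option; the value 30 is an illustrative assumption, not a figure from the thread.

```ini
# /etc/sssd/sssd.conf (fragment; the value below is illustrative)
[pam]
# Default is 5 seconds. Within this window, further PAM requests from the
# same client application (account management, session opening) reuse the
# cached identity information instead of going back to the identity provider.
# A larger value means fewer round-trips per login, but a change made to the
# user's identity information on the server can take up to this many seconds
# to be seen by that client.
pam_id_timeout = 30
```

SSSD has to be restarted for the new value to take effect.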