All I saw was additional output when I ran the command. On the slower system, there was a one second lag, then a burst of activity, then a one second lag, then completion. I’ll do it again Monday and see what the logs show.
On May 23, 2014, at 2:44 PM, Dmitri Pal <[email protected]> wrote: > On 05/23/2014 10:03 AM, Bret Wortman wrote: >> >> On 05/23/2014 09:53 AM, Mauricio Tavares wrote: >>> >>> >>> >>> On Fri, May 23, 2014 at 9:48 AM, Bret Wortman >>> <[email protected]> wrote: >>> More soft/anecdotal: >>> >>> When executing "sudo -i" or "sudo -iu" the first time, we can expect a >>> several second delay before the command completes. If we then exit the >>> session and re-execute the command, it will complete almost instantly. So >>> whatever cache is holding this information, if we could increase its >>> duration, that would certainly make our pain less. Is this a settable value? >>> >>> Entering a password into a screensaver is particularly painful. 10+ seconds >>> before the screensaver will exit. >>> >>> We are looking at environmental possibilities, like interfaces and such. >>> This machine is running on a VMware VM, but we've had success deploying IPA >>> on VMs in the past, and our faster network is running VMs as well (with one >>> physical box). >>> >>> >>> Bret >>> >>> Did running sudo in debugging mode (SUDOERS_DEBUG 2 in ldap.conf) >>> give you any more clues? >>> >> No. I compared the output on both networks and there's no real difference >> once I accounted for HBAC on one (which produced 2 entries on the slower >> network that got filtered down to 1 user match and 1 host match). But the >> debug output was nearly identical. > > Did you see any gaps in time in the logs that are different? > The flow can be the same but some operations can take longer so there would > be hint to us on what to look for. > >> >>> >>> On 05/23/2014 08:15 AM, Bret Wortman wrote: >>>> Collecting my various threads together under one big issue and adding this >>>> new data point: >>>> >>>> Our web UI on our slow network is exhibiting some strange behavior as well. >>>> >>>> When selecting, for example, the "Users", it can take up to 5 seconds to >>>> fetch 20 out of our 56 entries. >>>> >>>> When switching to "Hosts", it took 4 seconds for the footer to show that >>>> there would be 47 pages in total, then after 10 seconds total, the page >>>> loaded 20 of 939 entries. When I select a host, the previously-selected >>>> host will actually be displayed for upwards of 8-10 seconds (while the >>>> spinning cursor spins near the word Logout) until the host actually loads. >>>> >>>> Is it just me, or does this, plus everything else, start to sound like >>>> LDAP is struggling? >>>> >>>> I ran a test using ldapsearch in authenticated and unauthenticated mode >>>> from my workstation and here's what I found, which may tell us nothing: >>>> >>>> # time ldapsearch -x -H -ldap://zsipa.foo.net >>>> base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net" >>>> : >>>> real 0m2.047s >>>> user 0m0.000s >>>> sys 0m0.001s >>>> # time ldapsearch -Y GSSAPI -H ldap://zsipa.foo.net >>>> base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net" >>>> : >>>> real 0m2.816s >>>> user 0m0.004s >>>> sys 0m0.002s >>>> >>>> When I did this locally on the ipa master: >>>> >>>> # ssh zsipa.foo.net >>>> # time ldapsearch -Y GSSAPI >>>> base="uid=bretw,cn=uses,cn=accounts,dc=foo,dc=net" >>>> : >>>> real 0m0.847s >>>> user 0m0.007s >>>> sys 0m0.006s >>>> # >>>> >>>> >>>> -- >>>> Bret Wortman >>>> <Mail Attachment.png> >>>> http://damascusgrp.com/ >>>> http://about.me/wortmanbret >>>> >>>> >>>> >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> [email protected] >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> [email protected] >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> [email protected] >> https://www.redhat.com/mailman/listinfo/freeipa-users > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc. > _______________________________________________ > Freeipa-users mailing list > [email protected] > https://www.redhat.com/mailman/listinfo/freeipa-users
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
