I'm seeing ssh logins for AD users take MUCH longer when using SID mapping
vs. POSIX attributes. Both myself and our AD admin would prefer to use SID
mapping. It appears tied to the group lookup at login. There seem to be
many posts about it, but I haven't found anything to help much. sssd pegs
the CPU for the 15 or so seconds the login takes.

Ex w/ SID mapping AD trust:
Mar 19 10:48:25 mid-ipa-vp01 sshd[16198]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.134.49.32  user=gould@test.osuwmc
Mar 19 10:48:28 mid-ipa-vp01 sshd[16198]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.134.49.32 user=gould@test.osuwmc
Mar 19 10:48:34 mid-ipa-vp01 sshd[16198]: Accepted password for goul09@test.osuwmc from 10.134.49.32 port 56844 ssh2
Mar 19 10:48:38 mid-ipa-vp01 sshd[16198]: pam_unix(sshd:session): session opened for user goul09@test.osuwmc by (uid=0)


Ex w/ POSIX AD trust:
Mar 16 14:27:52 mid-ipa-vp01 sshd[13723]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.134.49.96  user=gould@test.osuwmc
Mar 16 14:27:55 mid-ipa-vp01 sshd[13723]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.134.49.96 user=gould@test.osuwmc
Mar 16 14:28:01 mid-ipa-vp01 sshd[13723]: Accepted password for gould@test.osuwmc from 10.134.49.96 port 61401 ssh2
Mar 16 14:28:05 mid-ipa-vp01 sshd[13723]: pam_unix(sshd:session): session opened for user goul09@test.osuwmc by (uid=0)


Exact same sssd.conf file for both configs.

[domain/unix.test.osuwmc]
debug_level = 9
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = unix.test.osuwmc
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = mid-ipa-vp01.unix.test.osuwmc
chpass_provider = ipa
ipa_server = mid-ipa-vp01.unix.test.osuwmc
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_referrals = false

#[domain/test.osuwmc]

[sssd]
services = nss, sudo, pam, ssh, pac
config_file_version = 2

domains = unix.test.osuwmc

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
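One way to see where the 15 or so seconds go is to split each sshd login into phases by PID and compare the two configurations phase by phase rather than by total only. The script below is an added example, not code from the post or from the SSSD/FreeIPA projects: it parses the syslog lines quoted above (re-joined where the mail client wrapped them, embedded here as constructed sample input), groups them by sshd PID and reports the gap between the pam_unix failure, the pam_sss success, the Accepted password line and the session open. The year is an assumption, since syslog timestamps carry none, and the stage markers are taken from the quoted lines.

```python
import re
from datetime import datetime

# Sample input: the sshd log lines quoted in the post, re-joined into one
# line per event.  Constructed here for the example; the syslog format
# carries no year, so one is assumed when parsing.
SID_MAPPING_LOG = """\
Mar 19 10:48:25 mid-ipa-vp01 sshd[16198]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.134.49.32  user=gould@test.osuwmc
Mar 19 10:48:28 mid-ipa-vp01 sshd[16198]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.134.49.32 user=gould@test.osuwmc
Mar 19 10:48:34 mid-ipa-vp01 sshd[16198]: Accepted password for goul09@test.osuwmc from 10.134.49.32 port 56844 ssh2
Mar 19 10:48:38 mid-ipa-vp01 sshd[16198]: pam_unix(sshd:session): session opened for user goul09@test.osuwmc by (uid=0)
"""

POSIX_LOG = """\
Mar 16 14:27:52 mid-ipa-vp01 sshd[13723]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.134.49.96  user=gould@test.osuwmc
Mar 16 14:27:55 mid-ipa-vp01 sshd[13723]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.134.49.96 user=gould@test.osuwmc
Mar 16 14:28:01 mid-ipa-vp01 sshd[13723]: Accepted password for gould@test.osuwmc from 10.134.49.96 port 61401 ssh2
Mar 16 14:28:05 mid-ipa-vp01 sshd[13723]: pam_unix(sshd:session): session opened for user goul09@test.osuwmc by (uid=0)
"""

# Classic syslog line: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Message prefixes marking the stages of one login, in logging order.
STAGES = [
    ("pam_unix(sshd:auth): authentication failure", "pam_unix auth fail"),
    ("pam_sss(sshd:auth): authentication success", "pam_sss auth ok"),
    ("Accepted password for", "accepted"),
    ("pam_unix(sshd:session): session opened", "session opened"),
]


def parse_line(line, year=2015):
    """Return (pid, timestamp, stage) for a recognised sshd line, else None.

    `stage` is None for sshd lines that are not one of the tracked stages.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    stage = next((name for needle, name in STAGES
                  if m["msg"].startswith(needle)), None)
    return m["pid"], ts, stage


def login_phases(log_text, year=2015):
    """Group stage events by sshd PID.

    Returns {pid: [(stage_from, stage_to, seconds), ...]} with one entry per
    consecutive pair of stages seen for that PID.
    """
    events = {}
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None or parsed[2] is None:
            continue
        pid, ts, stage = parsed
        events.setdefault(pid, []).append((ts, stage))
    result = {}
    for pid, evs in events.items():
        evs.sort()
        result[pid] = [(s0, s1, (t1 - t0).total_seconds())
                       for (t0, s0), (t1, s1) in zip(evs, evs[1:])]
    return result


def total_seconds(phases):
    """Wall-clock time from the first tracked stage to the last."""
    return sum(d for _, _, d in phases)


def report(label, log_text):
    for pid, phases in login_phases(log_text).items():
        print(f"{label}: sshd[{pid}] total {total_seconds(phases):.0f}s")
        for s0, s1, d in phases:
            print(f"  {s0:>20} -> {s1:<16} {d:4.0f}s")


if __name__ == "__main__":
    report("SID mapping", SID_MAPPING_LOG)
    report("POSIX attrs", POSIX_LOG)
```

Run it against `/var/log/secure` captured during a slow and a fast login to see which phase grows; the pam_sss line marks the end of authentication, so time after it is spent in sshd's post-auth account handling and session setup rather than in the password check itself.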