Hi Dan,

I had a problem that login time increased by ~15 seconds from F20 -> F21. That was worked around by adding "selinux_provider = none" to the domain section in /etc/sssd/sssd.conf.

Have you checked that DNS lookups + reverse lookups work on the IPA server? Is "id -G the_user_name" and "is the user_name_name" slow or fast? Did you check https://fedorahosted.org/sssd/wiki/Troubleshooting ?

-- john

2015-04-05 6:10 GMT+02:00 Dan Mossor <[email protected]>:
> I've recently deployed a new domain based on 4.1.2 in F21. We've noticed
> an issue and can't quite seem to nail it down. The problem is that logins
> are taking an inordinate amount of time to complete - the fastest logon we
> can get using LDAP credentials is 8 seconds. During our testing, even
> logons to the IPA server itself took over 30 seconds to complete.
>
> I've narrowed this down to sssd, but that is as far as I can get. When
> cranking up debugging for sshd and PAM, I see a minimum 2 second delay
> between ssh handing off the authentication request to sssd and the reply
> back. The only troubleshooting I've done is with ssh, but the area that
> causes the most grief is Apache logins. We configured Apache to use PAM for
> auth through IPA, vice directly calling IPA itself. Logging in to our
> Redmine site takes users a minimum of 34 seconds to complete. Following
> this, a simple webpage containing two hyperlinks and two small thumbnail
> images takes over a minute to load on a gigabit network.
>
> The *only* thing changed in this environment was the IPA server. We moved
> the Redmine from our old network that was using IPA 3.x (F20 branch) to the
> new one. My initial reaction was that it was the VM that was hosting
> Redmine, but we've run these tests against bare metal machines in the same
> network and have the same issue. It appears that sssd is taking a very,
> very long time to talk to FreeIPA - even on the IPA server itself.
>
> However, Kerberos logins into the IPA web GUI are near instantaneous,
> while Username/Password logins take more than a few seconds.
>
> I need to get this solved. My developers don't appreciate the glory days
> of XP taking 5 minutes to log into an IIS 2.1 web server on the local
> network. I don't have the budget to keep them at the coffee pot waiting on
> the network. So, what further information do you need from me to track this
> one down?
>
> Dan
>
> --
> Dan Mossor
> Systems Engineer at Large
> Fedora KDE WG | Fedora QA Team | Fedora Server SIG
> Fedora Infrastructure Apprentice
> FAS: dmossor IRC: danofsatx
> San Antonio, Texas, USA
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
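The checks suggested in the reply above (forward and reverse DNS for the IPA server, then "id -G" for the user), timed in one pass. This is an added example, not part of the original thread; the function names and the SLOW_MS threshold are assumptions, and it expects GNU date for nanosecond timestamps.

```shell
#!/bin/sh
# Added example: time the lookups suggested in the reply above.
# Usage: sh login-lookups.sh <ipa-server-fqdn> <user>   (script name is hypothetical)

SLOW_MS=${SLOW_MS:-1000}   # assumed threshold for "slow", in milliseconds

# Run a command, discard its output, print "<elapsed_ms> <exit_status>".
# Assumes GNU date (%N = nanoseconds).
time_ms() {
    t_rc=0
    t_start=$(date +%s%N)
    "$@" >/dev/null 2>&1 || t_rc=$?
    t_end=$(date +%s%N)
    echo "$(( (t_end - t_start) / 1000000 )) $t_rc"
}

# Turn one measurement into a verdict: FAIL (non-zero exit), SLOW, or OK.
verdict() {
    if [ "$2" -ne 0 ]; then echo FAIL
    elif [ "$1" -ge "$SLOW_MS" ]; then echo SLOW
    else echo OK
    fi
}

# Time one labelled check and print a report line.
check() {
    c_label=$1; shift
    c_res=$(time_ms "$@")
    c_ms=${c_res% *}
    c_rc=${c_res#* }
    printf '%-16s %6s ms  %s\n' "$c_label" "$c_ms" "$(verdict "$c_ms" "$c_rc")"
}

run_checks() {
    r_server=$1
    r_user=$2
    check "forward DNS" getent hosts "$r_server"
    # getent hosts with an address performs the reverse lookup.
    r_ip=$(getent hosts "$r_server" | awk 'NR==1 {print $1}')
    if [ -n "$r_ip" ]; then check "reverse DNS" getent hosts "$r_ip"; fi
    # The first call may go to the IPA server; the repeat should be
    # answered from the SSSD cache, so compare the two timings.
    check "id -G (first)" id -G "$r_user"
    check "id -G (repeat)" id -G "$r_user"
}

# Only run when both arguments are given.
if [ "$#" -eq 2 ]; then run_checks "$1" "$2"; fi
```

A FAIL or SLOW on either DNS line points at name resolution rather than SSSD itself; a slow first "id -G" with a fast repeat points at the group lookup against the server.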
