Hi Dan,

I had a problem that login time increased by ~ 15 seconds from F20 -> F21.
That was worked around by adding "selinux_provider = none" to the domain
section in /etc/sssd/sssd.conf

Have you checked that dns lookups + reverse lookups work on the ipa server?
Is "id -G the_user_name" and "is the user_name_name" slow or fast?
Did you check https://fedorahosted.org/sssd/wiki/Troubleshooting +


-- john

2015-04-05 6:10 GMT+02:00 Dan Mossor <danofs...@gmail.com>:

> I've recently deployed a new domain based on 4.1.2 in F21. We've noticed
> an issue and can't quite seem to nail it down. The problem is that logins
> are taking an inordinate amount of time to complete - the fastest logon we
> can get using LDAP credentials is 8 seconds. During our testing, even
> logons to the IPA server itself took over 30 seconds to complete.
>
> I've narrowed this down to sssd, but that is as far as I can get. When
> cranking up debugging for sshd and PAM, I see a minimum 2 second delay
> between ssh handing off the authentication request to sssd and the reply
> back. The only troubleshooting I've done is with ssh, but the area that
> causes the most grief is Apache logins. We configured Apache to use PAM for
> auth through IPA, vice directly calling IPA itself. Logging in to our
> Redmine site takes users a minimum of 34 seconds to complete. Following
> this, a simple webpage containing two hyperlinks and two small thumbnail
> images takes over a minute to load on a gigabit network.
>
> The *only* thing changed in this environment was the IPA server. We moved
> the Redmine from our old network that was using IPA 3.x (F20 branch) to the
> new one. My initial reaction was that it was the VM that was hosting
> Redmine, but we've run these tests against bare metal machines in the same
> network and have the same issue. It appears that sssd is taking a very,
> very long time to talk to FreeIPA - even on the IPA server itself.
>
> However, Kerberos logins into the IPA web GUI are near instantaneous,
> while Username/Password logins take more than a few seconds.
>
> I need to get this solved. My developers don't appreciate the glory days
> of XP taking 5 minutes to log into an IIS 2.1 web server on the local
> network. I don't have the budget to keep them at the coffee pot waiting on
> the network. So, what further information do you need from me to track this
> one down?
>
> Dan
>
> --
> Dan Mossor
> Systems Engineer at Large
> Fedora KDE WG | Fedora QA Team | Fedora Server SIG
> Fedora Infrastructure Apprentice
> FAS: dmossor IRC: danofsatx
> San Antonio, Texas, USA
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to