Am 05.04.2015 um 06:10 schrieb Dan Mossor:
> I've recently deployed a new domain based on 4.1.2 in F21. We've noticed
> an issue and can't quite seem to nail it down. The problem is that
> logins are taking an inordinate amount of time to complete - the fastest
> logon we can get using LDAP credentials is 8 seconds. During our
> testing, even logons to the IPA server itself took over 30 seconds to
> complete.
> I've narrowed this down to sssd, but that is as far as I can get. When
> cranking up debugging for sshd and PAM, I see a minimum 2 second delay
> between ssh handing off the authentication request to sssd and the reply
> back. The only troubleshooting I've done is with ssh, but the area that
> causes the most grief is Apache logins. We configured Apache to use PAM
> for auth through IPA, vice directly calling IPA itself. Logging in to
> our Redmine site takes users a minimum of 34 seconds to complete.
> Following this, a simple webpage containing two hyperlinks and two small
> thumbnail images takes over a minute to load on a gigabit network.
> The *only* thing changed in this environment was the IPA server. We
> moved the Redmine from our old network that was using IPA 3.x (F20
> branch) to the new one. My initial reaction was that it was the VM that
> was hosting Redmine, but we've run these tests against bare metal
> machines in the same network and have the same issue. It appears that
> sssd is taking a very, very long time to talk to FreeIPA - even on the
> IPA server itself.
> However, Kerberos logins into the IPA web GUI are near instantaneous,
> while Username/Password logins take more than a few seconds.
> I need to get this solved. My developers don't appreciate the glory days
> of XP taking 5 minutes to log into an IIS 2.1 web server on the local
> network. I don't have the budget to keep them at the coffee pot waiting
> on the network. So, what further information do you need from me to
> track this one down?
> Dan


I have a similar issue. On login (graphic systems and ssh) and on the
screen saver I have a delay from about 2 secons to 10 seconds.

According to my logfile i have the following timeline at login:

0       pam_unix (auth)
3       pam_sss (auth)
3       pam_kwallet (sddm:auth)
4       pam_kwallet (sddm:setcred)
5       pam_unix (session)

First collum is the number of seconds after the first action. On myl old
server I had a pure kerberos (handmade) system, which reacted almost


Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to