Am 05.04.2015 um 06:10 schrieb Dan Mossor: > I've recently deployed a new domain based on 4.1.2 in F21. We've noticed > an issue and can't quite seem to nail it down. The problem is that > logins are taking an inordinate amount of time to complete - the fastest > logon we can get using LDAP credentials is 8 seconds. During our > testing, even logons to the IPA server itself took over 30 seconds to > complete. > > I've narrowed this down to sssd, but that is as far as I can get. When > cranking up debugging for sshd and PAM, I see a minimum 2 second delay > between ssh handing off the authentication request to sssd and the reply > back. The only troubleshooting I've done is with ssh, but the area that > causes the most grief is Apache logins. We configured Apache to use PAM > for auth through IPA, vice directly calling IPA itself. Logging in to > our Redmine site takes users a minimum of 34 seconds to complete. > Following this, a simple webpage containing two hyperlinks and two small > thumbnail images takes over a minute to load on a gigabit network. > > The *only* thing changed in this environment was the IPA server. We > moved the Redmine from our old network that was using IPA 3.x (F20 > branch) to the new one. My initial reaction was that it was the VM that > was hosting Redmine, but we've run these tests against bare metal > machines in the same network and have the same issue. It appears that > sssd is taking a very, very long time to talk to FreeIPA - even on the > IPA server itself. > > However, Kerberos logins into the IPA web GUI are near instantaneous, > while Username/Password logins take more than a few seconds. > > I need to get this solved. My developers don't appreciate the glory days > of XP taking 5 minutes to log into an IIS 2.1 web server on the local > network. I don't have the budget to keep them at the coffee pot waiting > on the network. So, what further information do you need from me to > track this one down? > > Dan >
Hallo I have a similar issue. On login (graphic systems and ssh) and on the screen saver I have a delay from about 2 secons to 10 seconds. According to my logfile i have the following timeline at login: 0 pam_unix (auth) 3 pam_sss (auth) 3 pam_kwallet (sddm:auth) 4 pam_kwallet (sddm:setcred) 5 pam_unix (session) First collum is the number of seconds after the first action. On myl old server I had a pure kerberos (handmade) system, which reacted almost instandly. Regards Martin -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
