On Tue, Apr 07, 2015 at 01:15:46PM -0500, Dan Mossor wrote:
> On 04/07/2015 03:05 AM, Jakub Hrozek wrote:
> >On Mon, Apr 06, 2015 at 08:01:46PM -0500, Dan Mossor wrote:
> >>On 04/05/2015 12:51 PM, Dmitri Pal wrote:
> >>>Several tips.
> >>>Please check your DNS configuration.
> >>>Such delay is usually caused by the DNS lookups timing out. That means
> >>>that the servers probably trying to resolve names against an old DNS
> >>>server that is not around. Look at resolve.conf and make sure only valid
> >>>DNS servers are there and they are in the proper order.
> >>>
> >>>If this does not help please turn on SSSD debug_level to 10, sanitize
> >>>and send the SSSD domain logs and sssd.conf to the list.
> >>>More hints can be found here:
> >>>https://fedorahosted.org/sssd/wiki/Troubleshooting
> >>>
> >>DNS lookups are good - 'dig' and 'dig -x' return instantaneous forward and
> >>reverse lookups on the IPA server, the target server, and the client. The
> >>only DNS server configured is the IPA server.
> >>
> >>I did catch some sssd logs. I set logging to 0x0450 instead of 10, and I
> >>didn't have time to compare if any different information was caught. If you
> >>still need me to specify log level 10 or some other setting, let me know.
> >>The login that these logs are for took 15.371 seconds (checked via 'time ssh
> >>danofs...@yoda.example.lcl exit'
> >>
> >>selinux_child.log: http://fpaste.org/207805/
> >>sssd_sudo.log: http://fpaste.org/207806/
> >>sssd_pac.log: http://fpaste.org/207807/
> >>sssd_pam.log: http://fpaste.org/207808/67775142/
> >>sssd_nss.log: http://fpaste.org/207809/
> >>sssd.log: http://fpaste.org/207810/
> >>sssd_example.lcl.log: http://fpaste.org/207811/36832514/
> >
> >We've recently found a performance problem in the SELinux code. Can you
> >check if setting:
> >    selinux_provider = none
> >improves the performance anyhow?
> >
>
> Adding "selinux_provider = none" to the domain section of
> /etc/sssd/sssd.conf seems to have drastically improved ssh logins. The
> Apache authentications are faster, but we're still hitting a performance
> issue somewhere in that chain. It may be with Apache itself, so stand
> by...but otherwise, I'm calling this fixed.

Not fixed, merely worked around.

>
> Thanks!

Thank you for confirming the problem and the workaround. I do have a WIP
patch, I "just" need to finish testing it.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
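
Because the reply above describes "selinux_provider = none" as a workaround rather than a fix, hosts carrying it have to be found again once the patch is available. The following is an added example, not part of the thread and not SSSD code: a Python check that reports the effective selinux_provider for each enabled domain in an sssd.conf. The sample config and its domain names are constructed, and the fallback to id_provider when the option is unset is an assumption based on sssd.conf(5).

```python
import configparser
import sys

# Constructed sample sssd.conf (not from the thread); domain names are made up.
SAMPLE_CONF = """\
[sssd]
services = nss, pam, sudo, ssh
domains = example.lcl, lab.example.lcl

[domain/example.lcl]
id_provider = ipa
# workaround discussed in the thread
selinux_provider = none

[domain/lab.example.lcl]
id_provider = ipa
"""


def selinux_provider_report(conf_text):
    """Return {domain: effective selinux_provider} for each enabled domain."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    raw = cp.get("sssd", "domains", fallback="")
    enabled = [d.strip() for d in raw.split(",") if d.strip()]
    report = {}
    for name in enabled:
        section = f"domain/{name}"
        if not cp.has_section(section):
            report[name] = "missing-section"
            continue
        # Assumption (sssd.conf(5)): unset selinux_provider follows id_provider.
        default = cp.get(section, "id_provider", fallback="unset")
        value = cp.get(section, "selinux_provider", fallback=default)
        report[name] = value.strip().lower()
    return report


def domains_with_workaround(conf_text):
    """Domains where SELinux processing is switched off via the workaround."""
    report = selinux_provider_report(conf_text)
    return sorted(d for d, p in report.items() if p == "none")


if __name__ == "__main__":
    # Pass a path such as /etc/sssd/sssd.conf; without one the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for domain, provider in selinux_provider_report(text).items():
        note = "  <- workaround active" if provider == "none" else ""
        print(f"{domain}: selinux_provider={provider}{note}")
```

With selinux_provider set to none, SSSD does not fetch SELinux settings for that domain, so any IPA SELinux user maps are not applied at login while the workaround is in place.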