On Tue, Apr 07, 2015 at 01:15:46PM -0500, Dan Mossor wrote:
> On 04/07/2015 03:05 AM, Jakub Hrozek wrote:
> >On Mon, Apr 06, 2015 at 08:01:46PM -0500, Dan Mossor wrote:
> >>On 04/05/2015 12:51 PM, Dmitri Pal wrote:
> >>>Several tips.
> >>>Please check your DNS configuration.
> >>>Such delay is usually caused by the DNS lookups timing out. That means
> >>>that the servers are probably trying to resolve names against an old DNS
> >>>server that is not around. Look at resolv.conf and make sure only valid
> >>>DNS servers are there and they are in the proper order.
> >>>If this does not help please turn on SSSD debug_level to 10, sanitize
> >>>and send the SSSD domain logs and sssd.conf to the list.
> >>>More hints can be found here:
> >>DNS lookups are good - 'dig' and 'dig -x' return instantaneous forward and
> >>reverse lookups on the IPA server, the target server, and the client. The
> >>only DNS server configured is the IPA server.
> >>I did catch some sssd logs. I set logging to 0x0450 instead of 10, and I
> >>didn't have time to compare if any different information was caught. If you
> >>still need me to specify log level 10 or some other setting, let me know.
> >>The login that these logs are for took 15.371 seconds (checked via 'time ssh
> >>danofs...@yoda.example.lcl exit').
> >>selinux_child.log: http://fpaste.org/207805/
> >>sssd_sudo.log: http://fpaste.org/207806/
> >>sssd_pac.log: http://fpaste.org/207807/
> >>sssd_pam.log: http://fpaste.org/207808/67775142/
> >>sssd_nss.log: http://fpaste.org/207809/
> >>sssd.log: http://fpaste.org/207810/
> >>sssd_example.lcl.log: http://fpaste.org/207811/36832514/
> >We've recently found a performance problem in the SELinux code. Can you
> >check if setting:
> > selinux_provider = none
> >improves the performance anyhow?
> Adding "selinux_provider = none" to the domain section of
> /etc/sssd/sssd.conf seems to have drastically improved ssh logins. The
> Apache authentications are faster, but we're still hitting a performance
> issue somewhere in that chain. It may be with Apache itself, so stand
> by...but otherwise, I'm calling this fixed.
Not fixed, merely worked around.
Thank you for confirming the problem and the workaround. I do have a WIP
patch, I "just" need to finish testing it.