Hi,
how could I possibly trace why there is a noticeable delay when logging into
an sssd-enabled server?
With ssh there is a 2-3 second delay before a user logs in. But most users
notice this with webmail, which uses dovecot->pam->sssd as the authentication
backend.
The environment is CentOS 7.1 and FreeIPA 4.1.0 servers, two redundant.
The client is also running CentOS 7.1 with sssd.
Installation was as per the IPA handbook. DNS is proper (or so I think :) ).
Nothing special in the logs that I could attribute to this problem except maybe
that for each successful login there is a pam_unix failure entry in the
/var/log/secure log like:
Jun  1 17:38:36 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=us...@company.com rhost=::1  user=us...@company.com
Jun  1 17:38:37 mail auth: pam_sss(dovecot:auth): authentication success; logname= uid=0 euid=0 tty=dovecot ruser=us...@company.com rhost=::1 user=us...@company.com

But when a user is logged in, the “id” command result is instantaneous.
All machines have SELinux enabled, of course.

Thanks in advance,
Ivars

sssd.conf file from client:

[domain/company.com]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = company.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = mail.company.com
chpass_provider = ipa
ipa_server = server1.company.com, _srv_
ldap_tls_cacert = /etc/ipa/ca.crt
enumerate = true
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2

domains = company.com
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]
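
An added example, not part of the original message: a Python sketch that pairs each pam_unix failure with the pam_sss success that follows it for the same user and service, and reports the seconds between them, as one way to measure the per-login gap visible in the entries quoted above. The sample log lines, the user names and the `auth_gaps` function are constructed for illustration, and the year is an assumption because these timestamps omit it.

```python
import re
from datetime import datetime

# Constructed sample in the format of the two entries quoted in the message;
# host "mail" and service "dovecot" follow the message, the users are placeholders.
SAMPLE = """\
Jun  1 17:38:36 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=alice@example.test rhost=::1  user=alice@example.test
Jun  1 17:38:37 mail auth: pam_sss(dovecot:auth): authentication success; logname= uid=0 euid=0 tty=dovecot ruser=alice@example.test rhost=::1 user=alice@example.test
Jun  1 17:40:02 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob@example.test rhost=::1  user=bob@example.test
Jun  1 17:40:03 mail auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob@example.test rhost=::1 user=bob@example.test
Jun  1 17:41:10 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=carol@example.test rhost=::1  user=carol@example.test
Jun  1 17:41:13 mail auth: pam_sss(dovecot:auth): authentication success; logname= uid=0 euid=0 tty=dovecot ruser=carol@example.test rhost=::1 user=carol@example.test
"""

# timestamp, host, tag, then "pam_x(service:auth): authentication result; ... user=name"
# \buser= cannot match inside "ruser=", so the last field is the one captured.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\s\S+\s"
    r"(?P<mod>pam_unix|pam_sss)\((?P<svc>[^:]+):auth\):\s"
    r"authentication (?P<res>failure|success);.*\buser=(?P<user>\S+)\s*$"
)

def auth_gaps(text, year=2000):
    """Return [(user, service, seconds)] for each pam_unix failure that is
    followed by a pam_sss success for the same user and service.
    `year` is assumed; the log format does not record it."""
    pending = {}  # (service, user) -> time of the pam_unix failure
    gaps = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["svc"], m["user"])
        if m["mod"] == "pam_unix" and m["res"] == "failure":
            pending[key] = ts
        elif m["mod"] == "pam_sss" and m["res"] == "failure":
            pending.pop(key, None)  # login really failed: not a fall-through pair
        elif m["mod"] == "pam_sss" and key in pending:
            gaps.append((m["user"], m["svc"], (ts - pending.pop(key)).total_seconds()))
    return gaps

if __name__ == "__main__":
    for user, svc, secs in auth_gaps(SAMPLE):
        print(f"{svc} {user}: {secs:.0f}s between pam_unix failure and pam_sss success")
```

Timestamps in this log format have one-second resolution, so the reported gaps are coarse.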