On Mon, Jun 01, 2015 at 03:42:53PM +0100, Ivars Strazdiņš wrote:
> Hi,
> how could I possibly trace why there is a noticeable delay when logging into 
> sssd enabled server?

Using SSSD logs:

> With ssh there is a 2-3 second delay before users logs in. But most users 
> notice this with webmail, which uses dovecot->pam->sssd as authentication 
> backend.
> Environment is Centos 7.1 and FreeIPA 4.1.0 servers, two redundant.
> Client also running Centos 7.1 with sssd.
> Installation as per IPA handbook. DNS is proper (or so I think :) ).
> Nothing special in logs that I could attribute to this problem except maybe 
> that for each successful login there is a pam_unix failure entry in 
> /var/log/secure log like:
> Jun  1 17:38:36 mail auth: pam_unix(dovecot:auth): authentication failure; 
> logname= uid=0 euid=0 tty=dovecot ruser=us...@company.com rhost=::1  
> user=us...@company.com
> Jun  1 17:38:37 mail auth: pam_sss(dovecot:auth): authentication success; 
> logname= uid=0 euid=0 tty=dovecot ruser=us...@company.com rhost=::1 
> user=us...@company.com
> But when user is logged in, “id” command result is instantaneous.

The behaviour of id from command line and during login is different.
During login, we always ignore the cache to make sure the group
membership is correct, because in Linux, group membership is only set
during login.

This RFE might be of interest to you:

We plan on more performance enhancements in the next (1.14) planned

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to