On (01/06/15 15:42), Ivars Strazdiņš wrote:
>Hi,
>how could I possibly trace why there is a noticeable delay when logging into 
>an sssd-enabled server?
>With ssh there is a 2-3 second delay before a user logs in. But most users 
>notice this with webmail, which uses dovecot->pam->sssd as authentication 
>backend.
>Environment is CentOS 7.1 and FreeIPA 4.1.0 servers, two redundant.
>Client is also running CentOS 7.1 with sssd.
>Installation as per IPA handbook. DNS is proper (or so I think :) ).
>Nothing special in logs that I could attribute to this problem except maybe 
>that for each successful login there is a pam_unix failure entry in 
>/var/log/secure log like:
>Jun  1 17:38:36 mail auth: pam_unix(dovecot:auth): authentication failure; 
>logname= uid=0 euid=0 tty=dovecot ruser=us...@company.com rhost=::1  
>user=us...@company.com
>Jun  1 17:38:37 mail auth: pam_sss(dovecot:auth): authentication success; 
>logname= uid=0 euid=0 tty=dovecot ruser=us...@company.com rhost=::1 
>user=us...@company.com
>
>But when the user is logged in, the “id” command result is instantaneous.
>All machines have SELinux enabled, of course.

How many groups does the problematic user have?

Some performance degradation is caused by semanage.
Here is an upstream ticket:
https://fedorahosted.org/sssd/ticket/2624

It is already fixed in Fedora,
but you can test with a prerelease of sssd-1.12.5:
https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12-latest/

HTH

LS

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project