On (01/06/15 15:42), Ivars Strazdiņš wrote: >Hi, >how could I possibly trace why there is a noticeable delay when logging into >sssd enabled server? >With ssh there is a 2-3 second delay before users logs in. But most users >notice this with webmail, which uses dovecot->pam->sssd as authentication >backend. >Environment is Centos 7.1 and FreeIPA 4.1.0 servers, two redundant. >Client also running Centos 7.1 with sssd. >Installation as per IPA handbook. DNS is proper (or so I think :) ). >Nothing special in logs that I could attribute to this problem except maybe >that for each successful login there is a pam_unix failure entry in >/var/log/secure log like: >Jun 1 17:38:36 mail auth: pam_unix(dovecot:auth): authentication failure; >logname= uid=0 euid=0 tty=dovecot ruser=us...@company.com rhost=::1 >user=us...@company.com >Jun 1 17:38:37 mail auth: pam_sss(dovecot:auth): authentication success; >logname= uid=0 euid=0 tty=dovecot ruser=us...@company.com rhost=::1 >user=us...@company.com > >But when user is logged in, “id” command result is instantaneous. >All machines have selinux enabled, of course. How many groups does problematic user have?
Some performance degradation caused by semanage. Here is an upstream ticket https://fedorahosted.org/sssd/ticket/2624. It is already fixed in fedora, but you can test with prerelease of sssd-1.12.5 https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12-latest/ HTH LS -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project