All, I have an IPA 4.1 installation that works perfectly. We just suffer from slow logins ( this is also slow in other operations such invoking SUDO )
IPA user: 1st. login: 30 seconds 2nd login: 8 seconds 3rd login: 6.5 seconds 4rth login: 20 seconds Local user: Consistently under 2 seconds In SSH have tried: Setting UseDNS to no Setting GSSAPIAuthentication to no I have tried various things that would work on an slow SSH, with no effect. In fact, local users have no problem. DNS both forward and reverse works well, works fast and gives consistent results. That is no the issue. While trying to find out more about the issue, I see that after the client has connected, it spends most of the time here: [...] debug2: input_userauth_pk_ok: fp e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx debug3: sign_and_send_pubkey: RSA e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx debug1: Authentication succeeded (publickey). [...] At first I though it might be the key retrival from the IPA service, but it is actually quite fast: time /usr/bin/sss_ssh_authorizedkeys testuser real 0m0.209s We have all the configration files just as they were after installing the ipa-client. The only modification was made to sshd_config as these two lines: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys AuthorizedKeysCommandUser nobody I also tried removing the _srv_ in the ipa server line in sssd.conf, but that did not make any difference either. So, in brief: - SSH is fast for local users - authorized keys get retrieved quickly - no DNS issues. - IPA users take from 6 to 30 seconds to login (and also to perform sudo invocations) - While watching ssh logins, for ipa users, it takes a long time to pass these two: - input_userauth_pk_ok - sign_and_send_pubkey Could someone give me an idea of what to try next? Thanks!
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
