On Wed, Oct 07, 2015 at 12:07:08PM +0200, Guillem Liarte wrote:
> All,
>
> I have an IPA 4.1 installation that works perfectly. We just suffer from
> slow logins (this is also slow in other operations such as invoking SUDO)
>
> IPA user:
>
> 1st login: 30 seconds
> 2nd login: 8 seconds
> 3rd login: 6.5 seconds
> 4th login: 20 seconds
>
> Local user:
>
> Consistently under 2 seconds
>
> In SSH I have tried:
>
> Setting UseDNS to no
> Setting GSSAPIAuthentication to no
>
> I have tried various things that would work on a slow SSH, with no effect.
> In fact, local users have no problem.
>
> DNS both forward and reverse works well, works fast and gives consistent
> results. That is not the issue.
>
> While trying to find out more about the issue, I see that after the client
> has connected, it spends most of the time here:
>
> [...]
> debug2: input_userauth_pk_ok: fp e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
> debug3: sign_and_send_pubkey: RSA e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
> debug1: Authentication succeeded (publickey).
> [...]
>
> At first I thought it might be the key retrieval from the IPA service, but it
> is actually quite fast:
>
> time /usr/bin/sss_ssh_authorizedkeys testuser
> real 0m0.209s
>
> We have all the configuration files just as they were after installing the
> ipa-client. The only modification was made to sshd_config as these two
> lines:
>
> AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
> AuthorizedKeysCommandUser nobody
>
> I also tried removing the _srv_ in the ipa server line in sssd.conf, but
> that did not make any difference either.
>
> So, in brief:
>
> - SSH is fast for local users
> - authorized keys get retrieved quickly
> - no DNS issues.
> - IPA users take from 6 to 30 seconds to login (and also to perform sudo
>   invocations)
> - While watching ssh logins, for ipa users, it takes a long time to pass
>   these two:
>
>   - input_userauth_pk_ok
>   - sign_and_send_pubkey
>
> Could someone give me an idea of what to try next?

Please check the SSSD logs, especially the ones for the domain. You might
need to increase the debug_level, please see
https://fedorahosted.org/sssd/wiki/Troubleshooting for details.

bye,
Sumit

>
> Thanks!
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
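
Added example, not part of the original thread and not SSSD project code: once debug_level is raised in the [domain/...] section of sssd.conf, a small script can point at where time is lost by listing the pauses between consecutive records in the domain log (/var/log/sssd/sssd_<domain>.log). The timestamp layout is the classic SSSD debug format and is an assumption about the installed version; the function name find_gaps, the domain example.com and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime

# Assumed record layout (classic SSSD debug format):
# (Wed Oct  7 12:07:08[:usec] 2015) [sssd[be[domain]]] [function] (0x0400): message
LINE_RE = re.compile(
    r"^\((?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d)(?::(?P<usec>\d+))? (?P<year>\d{4})\) "
    r"\[.+?\] \[(?P<func>[^\]]+)\] \(0x[0-9a-fA-F]+\): "
)

def find_gaps(lines, threshold=2.0):
    """Return (seconds, func_before, func_after) for each pause >= threshold."""
    gaps, prev = [], None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip continuation lines and anything that is not a debug record
        ts = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
        ts = ts.replace(microsecond=int(m["usec"] or 0))
        if prev is not None:
            delta = (ts - prev[0]).total_seconds()
            if delta >= threshold:
                gaps.append((delta, prev[1], m["func"]))
        prev = (ts, m["func"])
    return gaps

# Constructed sample, not taken from the thread: one account lookup with a stall
# between sending the LDAP search and receiving its result.
SAMPLE = """\
(Wed Oct  7 12:07:08 2015) [sssd[be[example.com]]] [be_get_account_info] (0x0200): Got request for [name=testuser]
(Wed Oct  7 12:07:08 2015) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext
(Wed Oct  7 12:07:27 2015) [sssd[be[example.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0)
(Wed Oct  7 12:07:27 2015) [sssd[be[example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
"""

if __name__ == "__main__":
    for seconds, before, after in find_gaps(SAMPLE.splitlines()):
        print(f"{seconds:6.1f}s between {before} and {after}")
```

Idle time between unrelated requests also shows up as a gap, so reproduce a single slow login and feed in only the records from that window.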