Sumit,

Thanks for your reply.

Yes, I have debug enabled. With level 5 I see that here is where it spends most of its time:

(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info] (0x0200): Got request for [0x1][1][name=testuser]
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info] (0x0200): Got request for [0x1][1][name=testuser]
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=testuser]
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Oct 7 13:14:18 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success

Note that I removed the real domain name, also to make it a short line.

After reading this post:

https://www.centos.org/forums/viewtopic.php?f=47&t=53652

I actually saw that setting selinux_provider = none improved things quite a lot.

Still, what is this message:

[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null) ?

Regards,

Guillem

On 7 October 2015 at 12:35, Sumit Bose <[email protected]> wrote:

> On Wed, Oct 07, 2015 at 12:07:08PM +0200, Guillem Liarte wrote:
> > All,
> >
> > I have an IPA 4.1 installation that works perfectly. We just suffer from
> > slow logins (this is also slow in other operations such as invoking SUDO)
> >
> > IPA user:
> >
> > 1st login: 30 seconds
> > 2nd login: 8 seconds
> > 3rd login: 6.5 seconds
> > 4th login: 20 seconds
> >
> > Local user:
> >
> > Consistently under 2 seconds
> >
> > In SSH I have tried:
> >
> > Setting UseDNS to no
> > Setting GSSAPIAuthentication to no
> >
> > I have tried various things that would work on a slow SSH, with no effect.
> > In fact, local users have no problem.
> >
> > DNS both forward and reverse works well, works fast and gives consistent
> > results. That is not the issue.
> >
> > While trying to find out more about the issue, I see that after the client
> > has connected, it spends most of the time here:
> >
> > [...]
> > debug2: input_userauth_pk_ok: fp e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
> > debug3: sign_and_send_pubkey: RSA e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
> > debug1: Authentication succeeded (publickey).
> > [...]
> >
> > At first I thought it might be the key retrieval from the IPA service, but it
> > is actually quite fast:
> >
> > time /usr/bin/sss_ssh_authorizedkeys testuser
> > real 0m0.209s
> >
> > We have all the configuration files just as they were after installing the
> > ipa-client. The only modification was made to sshd_config as these two
> > lines:
> >
> > AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
> > AuthorizedKeysCommandUser nobody
> >
> > I also tried removing the _srv_ in the ipa server line in sssd.conf, but
> > that did not make any difference either.
> >
> > So, in brief:
> >
> > - SSH is fast for local users
> > - authorized keys get retrieved quickly
> > - no DNS issues.
> > - IPA users take from 6 to 30 seconds to login (and also to perform sudo
> > invocations)
> > - While watching ssh logins, for ipa users, it takes a long time to pass
> > these two:
> >
> > - input_userauth_pk_ok
> > - sign_and_send_pubkey
> >
> > Could someone give me an idea of what to try next?
>
> Please check the SSSD logs, especially the ones for the domain. You might
> need to increase the debug_level, please see
> https://fedorahosted.org/sssd/wiki/Troubleshooting for details.
>
> bye,
> Sumit
>
> >
> > Thanks!
>
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
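An added example, not part of the original thread: a small Python parser for SSSD backend log lines in the format quoted above, which pairs each "Got request" entry with the following "Request processed" entry and reports the elapsed time and what was logged in between. The sample lines are constructed from the excerpt in the message; pairing requests strictly in sequence is an assumption, and these timestamps only resolve to one second.

```python
import re
from datetime import datetime

# Constructed sample, shortened from the log excerpt quoted in the thread.
SAMPLE = """\
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info] (0x0200): Got request for [0x1][1][name=testuser]
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=testuser]
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Oct 7 13:14:18 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
"""

# (timestamp) [sssd[be[domain]]] [function] (level): message
LINE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[[^\]]*\]\]\] "
                  r"\[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$")

def request_timings(text):
    """Pair each 'Got request' with the next 'Request processed' entry.

    Assumes requests complete in the order they were logged, which holds for
    the excerpt; interleaved requests would need a per-request key.
    """
    done, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not backend debug entries
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        func, msg = m["func"], m["msg"]
        if func == "be_get_account_info" and msg.startswith("Got request for "):
            cur = {"request": msg[len("Got request for "):], "start": ts, "between": {}}
        elif cur is None:
            continue  # entry outside any request window
        elif func == "acctinfo_callback" and msg.startswith("Request processed"):
            cur["seconds"] = (ts - cur["start"]).total_seconds()
            cur["result"] = msg.partition("Returned ")[2]
            done.append(cur)
            cur = None
        else:  # count what was logged while the request was in flight
            cur["between"][func] = cur["between"].get(func, 0) + 1
    return done

if __name__ == "__main__":
    for r in request_timings(SAMPLE):
        print(f'{r["request"]}: {r["seconds"]:.0f}s, {r["result"]}, {r["between"]}')
```
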
