Thanks Sumit. The version of sssd is 1.12.2-58.el7_1.17
I do not have any AD trusts defined, I suppose I should not see those messages.

Thanks again.

Guillem

On 9 October 2015 at 14:06, Sumit Bose <[email protected]> wrote:

> On Wed, Oct 07, 2015 at 01:23:06PM +0200, Guillem Liarte wrote:
> > Sumit,
> >
> > Thanks for your reply.
> >
> > Yes, I have debug enabled: With level 5 I see that here is where it spends
> > most of its time:
> >
> > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info] (0x0200): Got request for [0x1][1][name=testuser]
> > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info] (0x0200): Got request for [0x1][1][name=testuser]
> > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=testuser]
> > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Wed Oct 7 13:14:18 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> >
> > Note that I removed the real domain name, also to make it a short line.
> >
> >
> > After reading in this post:
> >
> > https://www.centos.org/forums/viewtopic.php?f=47&t=53652
> >
> > I actually saw that setting selinux_provider = none improved things quite a
> > lot.
>
> Which SSSD version are you using? This issue was tracked by
> https://fedorahosted.org/sssd/ticket/2624 and should be fixed in recent
> versions of SSSD.
>
> >
> > Still, what is this message:
> >
> > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)
>
> Those are harmless. If you have trust enabled with AD we have to
> figure out if the POSIX UID for a user should be calculated based on the
> SID or taken from a suitable LDAP attribute from AD. Since this happens
> in the common code for user lookup it is executed for IPA users as well.
> But I agree that this message is annoying and created
> https://fedorahosted.org/sssd/ticket/2830 to suppress it for IPA users.
>
> bye,
> Sumit
>
> >
> > ?
> >
> > Regards,
> >
> > Guillem
> >
> > On 7 October 2015 at 12:35, Sumit Bose <[email protected]> wrote:
> >
> > > On Wed, Oct 07, 2015 at 12:07:08PM +0200, Guillem Liarte wrote:
> > > > All,
> > > >
> > > > I have an IPA 4.1 installation that works perfectly. We just suffer from
> > > > slow logins (this is also slow in other operations such as invoking SUDO)
> > > >
> > > > IPA user:
> > > >
> > > > 1st. login: 30 seconds
> > > > 2nd login: 8 seconds
> > > > 3rd login: 6.5 seconds
> > > > 4th login: 20 seconds
> > > >
> > > > Local user:
> > > >
> > > > Consistently under 2 seconds
> > > >
> > > > In SSH have tried:
> > > >
> > > > Setting UseDNS to no
> > > > Setting GSSAPIAuthentication to no
> > > >
> > > > I have tried various things that would work on a slow SSH, with no effect.
> > > > In fact, local users have no problem.
> > > >
> > > > DNS both forward and reverse works well, works fast and gives consistent
> > > > results. That is not the issue.
> > > >
> > > > While trying to find out more about the issue, I see that after the client
> > > > has connected, it spends most of the time here:
> > > >
> > > > [...]
> > > > debug2: input_userauth_pk_ok: fp e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
> > > > debug3: sign_and_send_pubkey: RSA e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
> > > > debug1: Authentication succeeded (publickey).
> > > > [...]
> > > >
> > > > At first I thought it might be the key retrieval from the IPA service, but it
> > > > is actually quite fast:
> > > >
> > > > time /usr/bin/sss_ssh_authorizedkeys testuser
> > > > real 0m0.209s
> > > >
> > > > We have all the configuration files just as they were after installing the
> > > > ipa-client. The only modification was made to sshd_config as these two
> > > > lines:
> > > >
> > > > AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
> > > > AuthorizedKeysCommandUser nobody
> > > >
> > > > I also tried removing the _srv_ in the ipa server line in sssd.conf, but
> > > > that did not make any difference either.
> > > >
> > > > So, in brief:
> > > >
> > > > - SSH is fast for local users
> > > > - authorized keys get retrieved quickly
> > > > - no DNS issues.
> > > > - IPA users take from 6 to 30 seconds to login (and also to perform sudo
> > > > invocations)
> > > > - While watching ssh logins, for ipa users, it takes a long time to pass
> > > > these two:
> > > >
> > > > - input_userauth_pk_ok
> > > > - sign_and_send_pubkey
> > > >
> > > > Could someone give me an idea of what to try next?
> > >
> > > Please check the SSSD logs especially the ones for the domain. You might
> > > need to increase the debug_level, please see
> > > https://fedorahosted.org/sssd/wiki/Troubleshooting for details.
> > >
> > > bye,
> > > Sumit
> > >
> > > >
> > > > Thanks!
> > >
> > > > --
> > > > Manage your subscription for the Freeipa-users mailing list:
> > > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > > Go to http://freeipa.org for more info on the project
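Added example, not part of the original thread or of SSSD: a Python script that applies the advice to check the domain log by pairing each `be_get_account_info` request with the `acctinfo_callback` that completes it, so slow lookups stand out. The sample lines are constructed in the log format quoted in the thread, `example.test` and the 4-second gap are made up, and the script assumes requests are logged one after another rather than interleaved.

```python
import re
from datetime import datetime

# Line format quoted in the thread: (timestamp) [sssd[be[DOMAIN]]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]*)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

def summarize_requests(lines):
    """Pair each be_get_account_info request with its acctinfo_callback.
    Returns (request, seconds, other_messages); assumes no interleaving."""
    results, current = [], None
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a backend log line in the expected format
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        if m["func"] == "be_get_account_info" and "Got request for " in m["msg"]:
            request = m["msg"].split("Got request for ", 1)[1]
            current = {"request": request, "start": ts, "other": 0}
        elif current is None:
            continue  # message outside any tracked request
        elif m["func"] == "acctinfo_callback":
            seconds = (ts - current["start"]).total_seconds()
            results.append((current["request"], seconds, current["other"]))
            current = None
        else:
            current["other"] += 1  # e.g. the "Could not parse domain SID" lines
    return results

def slow_requests(results, threshold=1.0):
    """Requests whose backend processing took at least `threshold` seconds."""
    return [r for r in results if r[1] >= threshold]

# Constructed sample in the thread's format; domain and timings are made up.
SAMPLE = """\
(Wed Oct 7 13:14:17 2015) [sssd[be[example.test]]] [be_get_account_info] (0x0200): Got request for [0x1][1][name=testuser]
(Wed Oct 7 13:14:17 2015) [sssd[be[example.test]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Oct 7 13:14:17 2015) [sssd[be[example.test]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Wed Oct 7 13:14:17 2015) [sssd[be[example.test]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=testuser]
(Wed Oct 7 13:14:17 2015) [sssd[be[example.test]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Oct 7 13:14:17 2015) [sssd[be[example.test]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Oct 7 13:14:21 2015) [sssd[be[example.test]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
"""

if __name__ == "__main__":
    for request, seconds, other in summarize_requests(SAMPLE.splitlines()):
        print(f"{request}: {seconds:.0f}s, {other} other messages")
```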
