On Mon, Aug 01, 2016 at 02:35:04PM +0000, Neal Harrington | i-Neda Ltd wrote:
> Hi,
> 
> 
> I am experiencing slow logins and sudo authentication for servers joined to 
> my FreeIPA domain. I have been following the other recent thread on slow 
> logins and believe my issue is different.
> 
> 
> I have replication set up with 2 FreeIPA servers at each of 3 sites. The 
> replication is working well and I am able to login correctly on client 
> servers with correct sudo permissions etc. Logins seem to take a long time 
> however. There seems to be some kind of DNS/connection timeout issues, see 
> the example below where the client times out on the auth01 server, then 
> retries and connects. I have also seen it switch to an alternate IPA server 
> on timeout. Total delay in this example is about 10 seconds however it can 
> take longer (approx 30 seconds). It is worth mentioning that client servers 
> in each site cannot connect to IPA servers in a different site - however in 
> the example below the auth01 IPA server is in the same site as the client 
> server. I'm not sure if there is any way to make the IPA clients site aware 
> so they prefer to log in to a local server?
> 
> 
> On the IPA servers themselves there is no noticeable delay and once I have 
> authenticated with sudo once, subsequent attempts in the same login are also 
> near instant. I have not been able to find any reason for this delay in any 
> logs (which probably just means I'm not looking in the right place).
> 
> 
> DNS servers are running on each IPA server and responding well whenever I 
> have tested.
> 
> 
> IPA Servers: CentOS 7.2.1511 running IPA 4.2.0 (from standard CentOS repo)
> 
> Client servers: Ubuntu 14.04 running IPA 3.3.4 (From standard Ubuntu repo)
> 
> 
> Any comments or suggestions greatly appreciated.
> 
> 
> Thanks,
> 
> Neal.
> 
> 
> Example sssd log for a "sudo -l" attempt.
> 
> (Mon Aug 1 14:39:59 2016) [sssd[be[fqdn.com]]] [krb5_child_timeout]
> (0x0040): Timeout for child [7430] reached. In case KDC is distant or
> network is slow you may consider increasing value of krb5_auth_timeout.
> (Mon Aug 1 14:39:59 2016) [sssd[be[fqdn.com]]] [krb5_auth_done] (0x0020):
> child timed out!

These debug messages seem to be telling you what the problem is. Have
you checked how long it takes to kinit (preferably with
KRB5_TRACE=/dev/stderr prepended)?

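One way to read the output of the KRB5_TRACE run suggested above, as an added example that is not part of the original thread: it ranks the steps of a kinit trace by how long each one waited, which shows whether the time goes to name resolution, to retries against an unreachable KDC, or to the KDC's reply. It assumes MIT krb5 trace lines of the form `[pid] seconds.microseconds: message` with zero-padded microseconds; the sample trace, host names and function names are constructed for illustration.

```python
import re
import sys
from decimal import Decimal

# Assumed trace line layout: "[pid] seconds.microseconds: message"
TRACE_LINE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")

# Constructed sample trace (not output from the hosts in this thread).
SAMPLE_TRACE = """\
[7430] 1470062389.100000: Getting initial credentials for admin@EXAMPLE.TEST
[7430] 1470062389.101000: Sending request (170 bytes) to EXAMPLE.TEST
[7430] 1470062389.102000: Resolving hostname auth01.example.test
[7430] 1470062389.110000: Sending initial UDP request to dgram 192.0.2.10:88
[7430] 1470062390.110000: Sending retry UDP request to dgram 192.0.2.10:88
[7430] 1470062392.110000: Resolving hostname auth02.example.test
[7430] 1470062397.300000: Sending initial UDP request to dgram 192.0.2.20:88
[7430] 1470062397.320000: Received answer (290 bytes) from dgram 192.0.2.20:88
"""

def parse_trace(text):
    """Return [(timestamp_in_microseconds, message)] for every trace line."""
    events = []
    for line in text.splitlines():
        m = TRACE_LINE.match(line.strip())
        if m:  # skip kinit's own prompts and any non-trace output
            # Decimal keeps the epoch timestamp exact before scaling to an int
            events.append((int(Decimal(m.group(2)) * 1_000_000), m.group(3)))
    return events

def slowest_steps(events, threshold=0.5):
    """Return (gap_seconds, step_before, step_after), largest gap first."""
    gaps = []
    for (t0, before), (t1, after) in zip(events, events[1:]):
        gap = (t1 - t0) / 1_000_000
        if gap >= threshold:
            gaps.append((gap, before, after))
    return sorted(gaps, reverse=True)

def total_seconds(events):
    """Wall-clock time between the first and last trace line."""
    return (events[-1][0] - events[0][0]) / 1_000_000 if events else 0.0

if __name__ == "__main__":
    # Usage: KRB5_TRACE=/dev/stderr kinit user 2> trace.txt; python3 this.py trace.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    events = parse_trace(text)
    print(f"total: {total_seconds(events):.3f}s")
    for gap, before, after in slowest_steps(events):
        print(f"{gap:8.3f}s  after: {before}\n{'':10} next:  {after}")
```

A total that approaches the SSSD `krb5_auth_timeout` value, with most of it spent in retries or hostname resolution, points at KDC reachability or DNS rather than at the KDC itself.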