> > Hi,
> > I am experiencing slow logins and sudo authentication for servers joined to
> > my FreeIPA domain. I have been following the other recent thread on slow
> > logins and believe my issue is different.
> > I have replication setup with 2 FreeIPA servers at each of 3 sites. The
> > replication is working well and I am able to login correctly on client
> > servers with correct sudo permissions etc. Logins seem to take a long time
> > however. There seems to be some kind of DNS/connection timeout issues, see
> > the example below where the client times out on the auth01 server, then
> > retries and connects. I have also seen it switch to an alternate IPA server
> > on timeout. Total delay in this example is about 10 seconds however it can
> > take longer (approx 30 seconds). It is worth mentioning that client servers
> > in each site cannot connect to IPA servers is a different site - however in
> > the example below the auth01 IPA server is in the same site as the client
> > server. I'm not sure if there is any way to make the IPA clients site aware
> > so they prefer to log in to a local server?
> > On the IPA servers themselves there is no noticeable delay and once I have
> > authenticated with sudo once, subsequent attempts in the same login are
> > also near instant. I have not been able to find any reason for this delay
> > in any logs (which probably just means I'm not looking in the right place).
> > DNS servers are running on each IPA server and responding well whenever I
> > have tested.
> > IPA Servers: CentOS 7.2.1511 running IPA 4.2.0 (from standard CentOS repo)
> > Client servers: Ubuntu 14.04 running IPA 3.3.4 (From standard Ubuntu repo)
> > Any comments or suggestions greatly appreciated.
> > Thanks,
> > Neal.
> > Example sssd log for a "sudo -l" attempt.
> > (Mon Aug 1 14:39:59 2016) [sssd[be[fqdn.com]]] [krb5_child_timeout]
> > (0x0040): Timeout for child  reached. In case KDC is distant or
> > network is slow you may consider increasing value of krb5_auth_timeout.
> > (Mon Aug 1 14:39:59 2016) [sssd[be[fqdn.com]]] [krb5_auth_done] (0x0020):
> > child timed out!
> These debug messages seem to be telling you what the problem is. Have
> you tried how long does it take to kinit (preferably with
> KRB5_TRACE=/dev/stderr prepended) ?
Thanks for your response and sorry for my delay in replying. kinit takes
between 2 and 25 seconds to complete - the KRB5_TRACE option shows it trying a
random auth server, timing out and trying another random server until it picks
a local server which then completes almost immediately. This seems to confirm
that the problem is simply the server tries to authenticate against a FreeIPA
server that is unreachable and times out causing the randomly slow logins.
Given 6 auth servers with only 2 on each site there is a ~ 10% chance of
hitting 3 bad servers in a row before login succeeds - if each takes 20 seconds
that would explain the random login times of a few sec - 1 minute.
If I enter the local kdc servers manually in the realm section of krb5.conf
then ssh logins always happen in < 2sec - however I would prefer to avoid the
manual step of configuring and updating this (planning to expand out to a few
hundred servers over 4-5 sites). Manually setting these is likely to lead to
mistakes and it just feels inelegant compared to DNS SRV records.
I have seen https://www.freeipa.org/page/V4/DNS_Location_Mechanism which looks
good but is a proposal from 2013 with no indications that it has actually been
developed. I was also very interested by
https://www.freeipa.org/page/Howto/IPA_locations which would be perfect -
except the "ipa location-add" commands do not seem to be recognised by my
Am I missing a better way to handle the case of multiple locations with clients
in Location A being unable to authenticate against FreeIPA servers at location
Any suggestions greatly appreciated.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project