On 25.8.2016 22:30, Jakub Hrozek wrote:
> On Thu, Aug 25, 2016 at 04:11:29PM +0000, Neal Harrington | i-Neda Ltd wrote:
>>>> Hi,
>>>> I am experiencing slow logins and sudo authentication for servers joined 
>>>> to my FreeIPA domain. I have been following the other recent thread on 
>>>> slow logins and believe my issue is different.
>>>> I have replication setup with 2 FreeIPA servers at each of 3 sites. The 
>>>> replication is working well and I am able to login correctly on client 
>>>> servers with correct sudo permissions etc. Logins seem to take a long time 
>>>> however. There seems to be some kind of DNS/connection timeout issues, see 
>>>> the example below where the client times out on the auth01 server, then 
>>>> retries and connects. I have also seen it switch to an alternate IPA 
>>>> server on timeout. Total delay in this example is about 10 seconds however 
>>>> it can take longer (approx 30 seconds). It is worth mentioning that client 
>>>> servers in each site cannot connect to IPA servers is a different site - 
>>>> however in the example below the auth01 IPA server is in the same site as 
>>>> the client server. I'm not sure if there is any way to make the IPA 
>>>> clients site aware so they prefer to log in to a local server?
>>>> On the IPA servers themselves there is no noticeable delay and once I have 
>>>> authenticated with sudo once, subsequent attempts in the same login are 
>>>> also near instant. I have not been able to find any reason for this delay 
>>>> in any logs (which probably just means I'm not looking in the right place).
>>>> DNS servers are running on each IPA server and responding well whenever I 
>>>> have tested.
>>>> IPA Servers: CentOS 7.2.1511 running IPA 4.2.0 (from standard CentOS repo)
>>>> Client servers: Ubuntu 14.04 running IPA 3.3.4 (From standard Ubuntu repo)
>>>> Any comments or suggestions greatly appreciated.
>>>> Thanks,
>>>> Neal.
>>>> Example sssd log for a "sudo -l" attempt.
>>>> (Mon Aug 1 14:39:59 2016) [sssd[be[fqdn.com]]] [krb5_child_timeout]
>>>> (0x0040): Timeout for child [7430] reached. In case KDC is distant or
>>>> network is slow you may consider increasing value of krb5_auth_timeout.
>>>> (Mon Aug 1 14:39:59 2016) [sssd[be[fqdn.com]]] [krb5_auth_done] (0x0020):
>>>> child timed out!
>>> These debug messages seem to be telling you what the problem is. Have
>>> you tried how long does it take to kinit (preferably with
>>> KRB5_TRACE=/dev/stderr prepended) ?
>> Hi Jakub,
>> Thanks for your response and sorry for my delay in replying. kinit takes 
>> between 2 and 25 seconds to complete - the KRB5_TRACE option shows it trying 
>> a random auth server, timing out and trying another random server until it 
>> picks a local server which then completes almost immediately. This seems to 
>> confirm that the problem is simply the server tries to authenticate against 
>> a FreeIPA server that is unreachable and times out causing the randomly slow 
>> logins. Given 6 auth servers with only 2 on each site there is a ~ 10% 
>> chance of hitting 3 bad servers in a row before login succeeds - if each 
>> takes 20 seconds that would explain the random login times of a few sec - 1 
>> minute.
>> If I enter the local kdc servers manually in the realm section of krb5.conf 
>> then ssh logins always happen in < 2sec - however I would prefer to avoid 
>> the manual step of configuring and updating this (planning to expand out to 
>> a few hundred servers over 4-5 sites). Manually setting these is likely to 
>> lead to mistakes and it just feels inelegant compared to DNS SRV records.
>> I have seen https://www.freeipa.org/page/V4/DNS_Location_Mechanism which 
>> looks good but is a proposal from 2013 with no indications that it has 
>> actually been developed. I was also very interested by 
>> https://www.freeipa.org/page/Howto/IPA_locations which would be perfect - 
>> except the "ipa location-add" commands do not seem to be recognised by my 
>> FreeIPA installs.
>> Am I missing a better way to handle the case of multiple locations with 
>> clients in Location A being unable to authenticate against FreeIPA servers 
>> at location B?
>> Any suggestions greatly appreciated.
>> Thanks,
>> Neal.
> Petr Spacek (CC) has been working lately in this area, but frankly I
> don't know what the status is or what a recommendation for current
> versions might be..


Field "Target version: 4.4.0" on page
is correct - the feature is implemented in FreeIPA 4.4.0.

Please stay tuned until your distribution provides sufficiently new version of

Petr^2 Spacek

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to