Jakub, Thanks for the response...
I already had the selinux_provider=none in the sssd.conf Tthe sssd.conf is identical on both clients, with the exception of ipa_hostname [domain/ipa.mydomain.org] selinux_provider = none cache_credentials = True krb5_store_password_if_offline = True ipa_domain = ipa.mydomain.org id_provider = ipa auth_provider = ipa access_provider = ipa ldap_tls_cacert = /etc/ipa/ca.crt ipa_hostname = darkjedi-master01.div18.swri.edu chpass_provider = ipa ipa_server = _srv_, div18auth1.ipa.mydomain.org, div18auth2.ipa.mydomain.org dns_discovery_domain = ipa.mydomain.org [sssd] services = nss, sudo, pam, ssh config_file_version = 2 domains = ipa.mydomain.org [nss] homedir_substring = /home [pam] [sudo] [autofs] [ssh] [pac] [ifp] I verified the all the files in /etc/pam.d are the same on both clients using the checksum of the files. I turned logging up to 8 on both clients, and everything is fine until this part appears. Can't figure out why the slow host receives an extra request. The sssd_be client process is getting this request from where? After it finished up the SSS_PAM_ACCT_MGMT request, the slow client runs the SSS_PAM_OPEN_SESSION, which is fast, just like the fast client. Its wasting time in the SSS_PAM_ACCT_MGMT request, and I don't understand why that request is being received by sssd_be. Slow Client (Fri Mar 17 09:17:33 2017) [sssd[be[ipa.div18.swri.org]]] [dp_pam_handler] (0x0100): Got request with the following data (Fri Mar 17 09:17:33 2017) [sssd[be[ipa.div18.swri.org]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT <- Why does the slow client get this request first? Fast Client (Fri Mar 17 09:16:34 2017) [sssd[be[ipa.div18.swri.org]]] [dp_pam_handler] (0x0100): Got request with the following data (Fri Mar 17 09:16:34 2017) [sssd[be[ipa.div18.swri.org]]] [pam_print_data] (0x0100): command: SSS_PAM_OPEN_SESSION Also ipa version is 4.4.0 Regards, Jim > Greetings, > > My first post to the forum. > > We are running centos7 with freeipa. Syncing from AD, with one linux replica. > The ipa clients are getting installed by puppet. All the clients are > performing fine, except one. I am getting slow ssh logins to one host, as > well as slow 'id' and 'who', etc. > > I turned up the sss-debuglevel to 6, and compared the slow client to > another, and I am seeing a section in the logs that is unique to the slow > system, basically its doing a SSS_PAM_ACCT_MGMT, and I don't have any clue > why. Same user logging in to both clients, one client does the > SSS_PAM_ACCT_MGMT, followed by the SSS_PAM_OPEN_SESSION. While the other > client only does SSS_PAM_OPEN_SESSION, and is much faster. (1 second vs 2-8 > seconds) It seems the SSS_PAM_ACCT_MGMT is the slow culprit, and I don't know > why its running. > > Any idea what would cause this or where I should look? The timestamps from the logs are missing, so it's not clear which call is taking long. No server lookups should be performed in the account phase, though, so I can only think of the selinux label setting in libselinux, which is also done in the account phase to be taking long. can you try to disable the selinux provider for a test? selinux_provider=none btw why is the 'fast' client not running the account phase at all? Is pam_sss in the account stack in the PAM configuration? Is the access_provider set to anything else than IPA in the sssd.conf file? -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project