Re: [Freeipa-users] Slow SSH login for IPA users only
Thanks Sumit.

The version of sssd is 1.12.2-58.el7_1.17

I do not have any AD trusts defined, I suppose I should not see those messages.

Thanks again.

Guillem

On 9 October 2015 at 14:06, Sumit Bose wrote:

> On Wed, Oct 07, 2015 at 01:23:06PM +0200, Guillem Liarte wrote:
> > Sumit,
> >
> > Thanks for your reply.
> >
> > Yes, I have debug enabled: With level 5 I see that here is where it spends
> > most of its time:
> >
> > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info] (0x0200): Got request for [0x1][1][name=testuser]
> > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info] (0x0200): Got request for [0x1][1][name=testuser]
> > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=testuser]
> > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Wed Oct 7 13:14:18 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> >
> > Note that I removed the real domain name, also to make it a short line.
> >
> >
> > After reading this post:
> >
> > https://www.centos.org/forums/viewtopic.php?f=47&t=53652
> >
> > I actually saw that setting selinux_provider = none improved things quite a
> > lot.
>
> Which SSSD version are you using? This issue was tracked by
> https://fedorahosted.org/sssd/ticket/2624 and should be fixed in recent
> versions of SSSD.
>
> >
> > Still, what is this message:
> >
> > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)
>
> Those are harmless. If you have trust enabled with AD we have to
> figure out if the POSIX UID for a user should be calculated based on the
> SID or taken from a suitable LDAP attribute from AD. Since this happens
> in the common code for user lookup it is executed for IPA users as well.
> But I agree that this message is annoying and created
> https://fedorahosted.org/sssd/ticket/2830 to suppress it for IPA users.
>
> bye,
> Sumit
>
> >
> > ?
> >
> > Regards,
> >
> > Guillem
> >
> > On 7 October 2015 at 12:35, Sumit Bose wrote:
> >
> > > On Wed, Oct 07, 2015 at 12:07:08PM +0200, Guillem Liarte wrote:
> > > > All,
> > > >
> > > > I have an IPA 4.1 installation that works perfectly. We just suffer from
> > > > slow logins (this is also slow in other operations such as invoking SUDO)
> > > >
> > > > IPA user:
> > > >
> > > > 1st. login: 30 seconds
> > > > 2nd login: 8 seconds
> > > > 3rd login: 6.5 seconds
> > > > 4th login: 20 seconds
> > > >
> > > > Local user:
> > > >
> > > > Consistently under 2 seconds
> > > >
> > > > In SSH I have tried:
> > > >
> > > > Setting UseDNS to no
> > > > Setting GSSAPIAuthentication to no
> > > >
> > > > I have tried various things that would work on a slow SSH, with no effect.
> > > > In fact, local users have no problem.
> > > >
> > > > DNS both forward and reverse works well, works fast and gives consistent
> > > > results. That is not the issue.
> > > >
> > > > While trying to find out more about the issue, I see that after the client
> > > > has connected, it spends most of the time here:
> > > >
> > > > [...]
> > > > debug2: input_userauth_pk_ok: fp e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
> > > > debug3: sig
Re: [Freeipa-users] Slow SSH login for IPA users only
On Wed, Oct 07, 2015 at 01:23:06PM +0200, Guillem Liarte wrote:
> Sumit,
>
> Thanks for your reply.
>
> Yes, I have debug enabled: With level 5 I see that here is where it spends
> most of its time:
>
> (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info] (0x0200): Got request for [0x1][1][name=testuser]
> (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info] (0x0200): Got request for [0x1][1][name=testuser]
> (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=testuser]
> (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Wed Oct 7 13:14:18 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
>
> Note that I removed the real domain name, also to make it a short line.
>
>
> After reading this post:
>
> https://www.centos.org/forums/viewtopic.php?f=47&t=53652
>
> I actually saw that setting selinux_provider = none improved things quite a
> lot.

Which SSSD version are you using? This issue was tracked by https://fedorahosted.org/sssd/ticket/2624 and should be fixed in recent versions of SSSD.

>
> Still, what is this message:
>
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)

Those are harmless. If you have trust enabled with AD we have to figure out if the POSIX UID for a user should be calculated based on the SID or taken from a suitable LDAP attribute from AD. Since this happens in the common code for user lookup it is executed for IPA users as well. But I agree that this message is annoying and created https://fedorahosted.org/sssd/ticket/2830 to suppress it for IPA users.

bye,
Sumit

>
> ?
>
> Regards,
>
> Guillem
>
> On 7 October 2015 at 12:35, Sumit Bose wrote:
>
> > On Wed, Oct 07, 2015 at 12:07:08PM +0200, Guillem Liarte wrote:
> > > All,
> > >
> > > I have an IPA 4.1 installation that works perfectly. We just suffer from
> > > slow logins (this is also slow in other operations such as invoking SUDO)
> > >
> > > IPA user:
> > >
> > > 1st. login: 30 seconds
> > > 2nd login: 8 seconds
> > > 3rd login: 6.5 seconds
> > > 4th login: 20 seconds
> > >
> > > Local user:
> > >
> > > Consistently under 2 seconds
> > >
> > > In SSH I have tried:
> > >
> > > Setting UseDNS to no
> > > Setting GSSAPIAuthentication to no
> > >
> > > I have tried various things that would work on a slow SSH, with no effect.
> > > In fact, local users have no problem.
> > >
> > > DNS both forward and reverse works well, works fast and gives consistent
> > > results. That is not the issue.
> > >
> > > While trying to find out more about the issue, I see that after the client
> > > has connected, it spends most of the time here:
> > >
> > > [...]
> > > debug2: input_userauth_pk_ok: fp e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
> > > debug3: sign_and_send_pubkey: RSA e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
> > > debug1: Authentication succeeded (publickey).
> > > [...]
> > >
> > > At first I thought it might be the key retrieval from the IPA service, but it
> > > is actually quite fast:
> > >
> > > time /usr/bin/sss_ssh_authorizedkeys testuser
> > > real    0m0.209s
> > >
> > > We have all the configuration files just as they were after installing the
> > > ipa-client. The only modi
Re: [Freeipa-users] Slow SSH login for IPA users only
Sumit,

Thanks for your reply.

Yes, I have debug enabled: With level 5 I see that here is where it spends most of its time:

(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info] (0x0200): Got request for [0x1][1][name=testuser]
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info] (0x0200): Got request for [0x1][1][name=testuser]
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=testuser]
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Oct 7 13:14:18 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success

Note that I removed the real domain name, also to make it a short line.

After reading this post:

https://www.centos.org/forums/viewtopic.php?f=47&t=53652

I actually saw that setting selinux_provider = none improved things quite a lot.

Still, what is this message:

[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)

?

Regards,

Guillem

On 7 October 2015 at 12:35, Sumit Bose wrote:

> On Wed, Oct 07, 2015 at 12:07:08PM +0200, Guillem Liarte wrote:
> > All,
> >
> > I have an IPA 4.1 installation that works perfectly. We just suffer from
> > slow logins (this is also slow in other operations such as invoking SUDO)
> >
> > IPA user:
> >
> > 1st. login: 30 seconds
> > 2nd login: 8 seconds
> > 3rd login: 6.5 seconds
> > 4th login: 20 seconds
> >
> > Local user:
> >
> > Consistently under 2 seconds
> >
> > In SSH I have tried:
> >
> > Setting UseDNS to no
> > Setting GSSAPIAuthentication to no
> >
> > I have tried various things that would work on a slow SSH, with no effect.
> > In fact, local users have no problem.
> >
> > DNS both forward and reverse works well, works fast and gives consistent
> > results. That is not the issue.
> >
> > While trying to find out more about the issue, I see that after the client
> > has connected, it spends most of the time here:
> >
> > [...]
> > debug2: input_userauth_pk_ok: fp e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
> > debug3: sign_and_send_pubkey: RSA e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
> > debug1: Authentication succeeded (publickey).
> > [...]
> >
> > At first I thought it might be the key retrieval from the IPA service, but it
> > is actually quite fast:
> >
> > time /usr/bin/sss_ssh_authorizedkeys testuser
> > real    0m0.209s
> >
> > We have all the configuration files just as they were after installing the
> > ipa-client. The only modification was made to sshd_config as these two
> > lines:
> >
> > AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
> > AuthorizedKeysCommandUser nobody
> >
> > I also tried removing the _srv_ in the ipa server line in sssd.conf, but
> > that did not make any difference either.
> >
> > So, in brief:
> >
> > - SSH is fast for local users
> > - authorized keys get retrieved quickly
> > - no DNS issues.
> > - IPA users take from 6 to 30 seconds to login (and also to perform sudo
> >   invocations)
> > - While watching ssh logins, for ipa users, it takes a long time to pass
> >   these two:
> >
> >    - input_userauth_pk_ok
> >    - sign_and_send_pubkey
> >
> > Could someone give me an idea of what to try next?
>
> Please check the SSSD logs, especially the ones for the domain. You might
> need to increase the debug_level, please see
> https://fedorahosted.org/sssd/wiki/Troublesh
Re: [Freeipa-users] Slow SSH login for IPA users only
On Wed, Oct 07, 2015 at 12:07:08PM +0200, Guillem Liarte wrote:
> All,
>
> I have an IPA 4.1 installation that works perfectly. We just suffer from
> slow logins (this is also slow in other operations such as invoking SUDO)
>
> IPA user:
>
> 1st. login: 30 seconds
> 2nd login: 8 seconds
> 3rd login: 6.5 seconds
> 4th login: 20 seconds
>
> Local user:
>
> Consistently under 2 seconds
>
> In SSH I have tried:
>
> Setting UseDNS to no
> Setting GSSAPIAuthentication to no
>
> I have tried various things that would work on a slow SSH, with no effect.
> In fact, local users have no problem.
>
> DNS both forward and reverse works well, works fast and gives consistent
> results. That is not the issue.
>
> While trying to find out more about the issue, I see that after the client
> has connected, it spends most of the time here:
>
> [...]
> debug2: input_userauth_pk_ok: fp e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
> debug3: sign_and_send_pubkey: RSA e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
> debug1: Authentication succeeded (publickey).
> [...]
>
> At first I thought it might be the key retrieval from the IPA service, but it
> is actually quite fast:
>
> time /usr/bin/sss_ssh_authorizedkeys testuser
> real    0m0.209s
>
> We have all the configuration files just as they were after installing the
> ipa-client. The only modification was made to sshd_config as these two
> lines:
>
> AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
> AuthorizedKeysCommandUser nobody
>
> I also tried removing the _srv_ in the ipa server line in sssd.conf, but
> that did not make any difference either.
>
> So, in brief:
>
> - SSH is fast for local users
> - authorized keys get retrieved quickly
> - no DNS issues.
> - IPA users take from 6 to 30 seconds to login (and also to perform sudo
>   invocations)
> - While watching ssh logins, for ipa users, it takes a long time to pass
>   these two:
>
>    - input_userauth_pk_ok
>    - sign_and_send_pubkey
>
> Could someone give me an idea of what to try next?

Please check the SSSD logs, especially the ones for the domain. You might need to increase the debug_level, please see https://fedorahosted.org/sssd/wiki/Troubleshooting for details.

bye,
Sumit

>
> Thanks!
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
[Freeipa-users] Slow SSH login for IPA users only
All,

I have an IPA 4.1 installation that works perfectly. We just suffer from slow logins (this is also slow in other operations such as invoking SUDO)

IPA user:

1st. login: 30 seconds
2nd login: 8 seconds
3rd login: 6.5 seconds
4th login: 20 seconds

Local user:

Consistently under 2 seconds

In SSH I have tried:

Setting UseDNS to no
Setting GSSAPIAuthentication to no

I have tried various things that would work on a slow SSH, with no effect. In fact, local users have no problem.

DNS both forward and reverse works well, works fast and gives consistent results. That is not the issue.

While trying to find out more about the issue, I see that after the client has connected, it spends most of the time here:

[...]
debug2: input_userauth_pk_ok: fp e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
debug3: sign_and_send_pubkey: RSA e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
debug1: Authentication succeeded (publickey).
[...]

At first I thought it might be the key retrieval from the IPA service, but it is actually quite fast:

time /usr/bin/sss_ssh_authorizedkeys testuser
real    0m0.209s

We have all the configuration files just as they were after installing the ipa-client. The only modification was made to sshd_config as these two lines:

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

I also tried removing the _srv_ in the ipa server line in sssd.conf, but that did not make any difference either.

So, in brief:

- SSH is fast for local users
- authorized keys get retrieved quickly
- no DNS issues.
- IPA users take from 6 to 30 seconds to login (and also to perform sudo invocations)
- While watching ssh logins, for ipa users, it takes a long time to pass these two:

   - input_userauth_pk_ok
   - sign_and_send_pubkey

Could someone give me an idea of what to try next?

Thanks!
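Added example, not part of any message in this thread: a Python parser for the SSSD domain-log lines quoted in the thread. It pairs each be_get_account_info request with the acctinfo_callback that follows it and reports the elapsed seconds and the number of sdap_idmap_domain_has_algorithmic_mapping messages in between. The sample lines are rebuilt from the thread's excerpt; the names parse and account_requests belong to this example, and it assumes the backend handles requests one after another.

```python
import re
from datetime import datetime

# One SSSD backend debug line: (timestamp) [sssd[be[domain]]] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]*)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]{4})\): (?P<msg>.*)$"
)
REQ_RE = re.compile(r"Got request for \[(0x[0-9a-fA-F]+)\]\[\d+\]\[(.+)\]$")
NOISE_FUNC = "sdap_idmap_domain_has_algorithmic_mapping"


def parse(line):
    """Return (datetime, function, message), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["func"], m["msg"]


def account_requests(lines):
    """Pair each be_get_account_info request with the next acctinfo_callback.

    Assumption: requests are processed sequentially, as in the excerpt;
    interleaved requests would need a request id to be paired correctly.
    """
    done, current = [], None
    for ts, func, msg in filter(None, map(parse, lines)):
        req = REQ_RE.search(msg) if func == "be_get_account_info" else None
        if req:
            current = {"type": req[1], "filter": req[2], "start": ts, "noise": 0}
        elif current and func == NOISE_FUNC:
            current["noise"] += 1
        elif current and func == "acctinfo_callback":
            current["seconds"] = (ts - current.pop("start")).total_seconds()
            current["result"] = msg.split("Returned ", 1)[-1]
            done.append(current)
            current = None
    return done


# Sample input rebuilt from the log lines quoted in the thread.
P = "(Wed Oct 7 13:14:{s} 2015) [sssd[be[#.com]]] "
NOISE = P + "[" + NOISE_FUNC + "] (0x0080): Could not parse domain SID from [(null)]"
REQ = P + "[be_get_account_info] (0x0200): Got request for [{t}][1][name=testuser]"
DONE = P + "[acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success"
SAMPLE = (
    [REQ.format(s=17, t="0x1")] + [NOISE.format(s=17)] * 2 + [DONE.format(s=17)]
    + [REQ.format(s=17, t="0x1")] + [NOISE.format(s=17)] * 2 + [DONE.format(s=17)]
    + [REQ.format(s=17, t="0x3")] + [NOISE.format(s=17)] * 6 + [DONE.format(s=18)]
)

if __name__ == "__main__":
    for r in account_requests(SAMPLE):
        print(r["type"], r["filter"], f'{r["seconds"]:.0f}s', r["noise"], r["result"])
```

The timestamps in these logs have one-second resolution, so the reported durations are accurate only to the second.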