After a lot of reading, adding "ignore_group_members = True" to sssd.conf vastly dropped the login time: from a completely blank cache, logging in went from taking > 25 seconds to ~1 second.
On Wed, Jan 6, 2021 at 1:59 PM Mark Potter <ma...@dug.com> wrote:
> We are experiencing slow logins on all client machines. At present this is only two machines, but we have experienced the same issue with prior installations. We have migrated the entirety of our ancient OpenLDAP install to FreeIPA. Our environment is:
>
> 1 x IPA Server
> 3 x IPA Replicas
>
> All of these have the following specs:
>
> Memory: 16GiB
> CPU: 6 Cores
> Disk: 64GiB
>
> When a client has its cache cleared or it has expired, such as not being logged into overnight, we have seen quite a delay logging in, especially compared to our antiquated OpenLDAP install. In a test this morning the two clients took ~30 seconds for the first login of the day. Once this delay is seen it is not seen again for a while (I haven't timed it at this point).
>
> In the logs I see the following:
>
> 21k instances of:
>
> [sssd[be[example.com]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [user...@example.com]
>
> 32k instances of:
>
> [sssd[be[example.com]]] [sdap_get_primary_name] (0x0400): Processing object user767
>
> 151 instances of (the only result for grepping the log for "fail"):
>
> [sssd[be[example.com]]] [sdap_save_grpmem] (0x0400): Failed to get group sid
>
> 148 instances of (the only result for grepping the log for "warn"):
>
> [sssd[be[example.com]]] [sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because scope is set to base.
>
> These cover multiple users and multiple groups. I can provide logs, but a clean log and a single login at log level 6 generated a 7.2 MiB log file. It looks like it's doing some sort of enumeration, but I don't know enough to know what exactly is going on.
>
> The load on the IPA server and replicas isn't remotely high at any point. We will end up with > 8k machines authenticating to this cluster, so ~30 seconds to login to any given machine for jobs is a lot of lost time.
>
> ---sssd.conf---
> [domain/dug.com]
>
> cache_credentials = True
> debug_level = 6
> krb5_store_password_if_offline = True
> ipa_domain = example.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = client0001.example.com
> chpass_provider = ipa
> ipa_server = _srv_, ipa0001.example.com, ipa0002.example.com, ipa0003.example.com, ipa0004.example.com
> ldap_tls_cacert = /etc/ipa/ca.crt
> autofs_provider = ipa
> ipa_automount_location = local-map
> [sssd]
> services = nss, sudo, pam, autofs, ssh
>
> domains = example.com
> [nss]
> homedir_substring = /home
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
>
> [secrets]
>
> [session_recording]
> ---sssd.conf---
>
> Any help would be appreciated!
>
> --
>
> *Mark Potter*
>
> Senior Linux Administrator

--
*Mark Potter*
Senior Linux Administrator
DownUnder GeoSolutions
16200 Park Row Drive, Suite 100
Houston TX 77084, USA
tel +1 832 582 3221
ma...@dug.com
www.dug.com
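As an added example (not part of Mark's posts or of the SSSD project): a small POSIX sh/awk helper that checks whether the domain section of an sssd.conf already carries `ignore_group_members = True` and emits a patched copy if it does not. The sample config is constructed from the quoted one, and the section name `[domain/dug.com]` is taken from it; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks an sssd.conf for the
# ignore_group_members option inside a given section and prints a patched copy.
# Assumes section headers sit alone on their line, as in the quoted config.

# Constructed sample input modelled on the quoted sssd.conf (not the poster's real file).
SAMPLE_CONF='[domain/dug.com]
cache_credentials = True
id_provider = ipa
ipa_domain = example.com

[sssd]
services = nss, sudo, pam, autofs, ssh
domains = example.com
'

# has_ignore_group_members CONF_TEXT SECTION
# Exit 0 if "ignore_group_members = True" is set inside [SECTION], 1 otherwise.
# Only the named section counts: the option in [sssd] would not help logins.
has_ignore_group_members() {
    printf '%s\n' "$1" | awk -v want="[$2]" '
        /^[[:space:]]*\[/ { insec = ($0 == want) }
        insec && /^[[:space:]]*ignore_group_members[[:space:]]*=[[:space:]]*[Tt]rue/ { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# add_ignore_group_members CONF_TEXT SECTION
# Print CONF_TEXT with "ignore_group_members = True" inserted directly after the
# [SECTION] header; print it unchanged if the option is already set there.
add_ignore_group_members() {
    if has_ignore_group_members "$1" "$2"; then
        printf '%s\n' "$1"
        return 0
    fi
    printf '%s\n' "$1" | awk -v want="[$2]" '
        { print }
        /^[[:space:]]*\[/ && $0 == want { print "ignore_group_members = True" }'
}

# Stand-alone usage: show the patched copy of the constructed sample.
add_ignore_group_members "$SAMPLE_CONF" "domain/dug.com"
```

On a real client, run the patched file through the same check, restart sssd, and measure a cold-cache login with `sss_cache -E` followed by `time id <user>`. One caveat worth knowing before rolling this out: with `ignore_group_members` enabled, SSSD no longer fetches group member lists, so `getent group <name>` returns the group as if it were empty, while a user's own group list (`id <user>`) is still resolved through the user entry.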
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org