[Freeipa-users] openldap certs?
Where should my clients be getting the contents of /etc/openldap/certs from? I've got one network where my IPA authentications are blazing fast and one where they're ... not. On the slower one, clients' /etc/openldap/certs directories are either missing or empty; on the faster network, clients have certs in these directories. Is this important, and if so what could be going wrong on my slower network that might cause the certs to not get distributed or created properly?

-- 
Bret Wortman
http://damascusgrp.com/
http://about.me/wortmanbret

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] openldap certs?
Bret Wortman wrote:
> Where should my clients be getting the contents of /etc/openldap/certs from? I've got one network where my IPA authentications are blazing fast and one where they're ... not. On the slower one, clients' /etc/openldap/certs directories are either missing or empty; on the faster network, clients have certs in these directories. Is this important, and if so what could be going wrong on my slower network that might cause the certs to not get distributed or created properly?

These are not the droids you are looking for...

Can you clarify what you mean by IPA authentications? sssd should be handling that, and while a first auth over a slow link might be slow, subsequent usage should be quite fast.

rob
Re: [Freeipa-users] openldap certs?
What we're seeing is slow GDM logins, ssh authentications, and sudo -i responses on this network. On our other, these things are all blazing fast. Here, they're on the order of 5-10 seconds. And it doesn't seem to improve (much) with age or time, except perhaps anecdotally. At best, a second connection might be a second faster, but will revert within an hour or so.

On 05/22/2014 09:36 AM, Rob Crittenden wrote:
> These are not the droids you are looking for...
>
> Can you clarify what you mean by IPA authentications? sssd should be handling that, and while a first auth over a slow link might be slow, subsequent usage should be quite fast.
>
> rob
Re: [Freeipa-users] openldap certs?
On 05/22/2014 09:43 AM, Bret Wortman wrote:
> What we're seeing is slow GDM logins, ssh authentications, and sudo -i responses on this network. On our other, these things are all blazing fast. Here, they're on the order of 5-10 seconds. And it doesn't seem to improve (much) with age or time, except perhaps anecdotally. At best, a second connection might be a second faster, but will revert within an hour or so.

Have you compared sssd.conf from clients in these two networks? Do you use enumeration? Increasing debug level and looking at the logs will help you to understand what part takes most time. These logs will be helpful for you/us to see if/what the problem is/are.

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] openldap certs?
I found that our slower system was using FQDNs for the list of IPA servers; our faster system was using IPs. I'm switching now, letting Puppet distribute the update and will see if it helps.

By enumeration, do you mean are we spelling out our IPA servers? Yes. We only have 3 and they look something like this:

[domain/foo.net]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = foo.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = rm266ws-a.foo.net
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, 192.168.2.61, 192.168.2.62, 192.168.2.63
ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=net
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = foo.net

[nss]
[pam]
[sudo]
[autofs]
[ssh]
[pac]

On the other hand, if you meant something else, then I hope the answer's in the file. ;-)

On 05/22/2014 10:15 AM, Dmitri Pal wrote:
> Have you compared sssd.conf from clients in these two networks? Do you use enumeration? Increasing debug level and looking at the logs will help you to understand what part takes most time. These logs will be helpful for you/us to see if/what the problem is/are.
Re: [Freeipa-users] openldap certs?
On Thu, May 22, 2014 at 10:36:45AM -0400, Bret Wortman wrote:
> I found that our slower system was using FQDNs for the list of IPA servers; our faster system was using IPs. I'm switching now, letting Puppet distribute the update and will see if it helps.
>
> By enumeration, do you mean are we spelling out our IPA servers? Yes. We only have 3 and they look something like this:

I suspect there are some DNS issues or failover issues on the 'slow' network. Can you post the domain logs? If you are concerned about some private data in the logs, feel free to send them to me directly.

> [domain/foo.net]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = foo.net
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = rm266ws-a.foo.net
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = _srv_, 192.168.2.61, 192.168.2.62, 192.168.2.63

Even with the IP addresses, the first server instance is _srv_ which means the SSSD would try to get the server list from the DNS.

> ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=net
> ldap_tls_cacert = /etc/ipa/ca.crt
>
> [sssd]
> services = nss, pam, ssh
> config_file_version = 2
> domains = foo.net
>
> [nss]
> [pam]
> [sudo]
> [autofs]
> [ssh]
> [pac]
>
> On the other hand, if you meant something else, then I hope the answer's in the file. ;-)
Re: [Freeipa-users] openldap certs?
On 05/22/2014 10:36 AM, Bret Wortman wrote:
> I found that our slower system was using FQDNs for the list of IPA servers; our faster system was using IPs. I'm switching now, letting Puppet distribute the update and will see if it helps.

That means you have problems with DNS that are worth looking into.

> By enumeration, do you mean are we spelling out our IPA servers? Yes. We only have 3 and they look something like this:

No. I mean the ability of sssd to download everything when enumerate = true. This causes a lot of traffic and overhead and is a usual reason for low performance. We were unfortunate to include this setting into one of the early sssd.conf examples and people have been copying it around ever since, though we strongly recommend against enabling it.

> [domain/foo.net]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = foo.net
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = rm266ws-a.foo.net
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = _srv_, 192.168.2.61, 192.168.2.62, 192.168.2.63
> ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=net
> ldap_tls_cacert = /etc/ipa/ca.crt
>
> [sssd]
> services = nss, pam, ssh
> config_file_version = 2
> domains = foo.net
>
> [nss]
> [pam]
> [sudo]
> [autofs]
> [ssh]
> [pac]
>
> On the other hand, if you meant something else, then I hope the answer's in the file. ;-)

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
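The three things the replies above ask Bret to check can be audited mechanically: whether enumerate is on (Dmitri's point), whether the ipa_server list begins with _srv_ so that sssd consults DNS SRV records before any hard-coded IP (Jakub's point), and whether a debug_level is set so that the domain log can show where the seconds go. The script below is an added example written for this page; it is not code from the thread, from Red Hat or from the SSSD project. It runs against a constructed copy of Bret's posted [domain/foo.net] section with enumerate = True deliberately added, and the helper names, the sample file path under $TMPDIR and the use of dig for the SRV lookup are this example's own assumptions.

```shell
#!/bin/sh
# Added example for this thread (not from the list or from SSSD):
# audit an sssd.conf for the performance traps discussed above
# -- enumerate = true, a server list that begins with _srv_ (DNS SRV
# lookups before any hard-coded IP is tried), and no debug_level --
# then optionally show what DNS would hand to sssd.
# Function names, paths and the sample file are assumptions of this example.

# Constructed sample: Bret's posted [domain/foo.net] section, trimmed,
# with the 'enumerate = True' from the old examples added on purpose.
SAMPLE_CONF="${TMPDIR:-/tmp}/sssd-audit-sample.conf"
cat > "$SAMPLE_CONF" <<'EOF'
[domain/foo.net]
cache_credentials = True
id_provider = ipa
auth_provider = ipa
ipa_hostname = rm266ws-a.foo.net
ipa_server = _srv_, 192.168.2.61, 192.168.2.62, 192.168.2.63
enumerate = True
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = foo.net
EOF

# conf_get FILE SECTION KEY: print the value of KEY inside [SECTION],
# lower-cased; prints nothing if the key is absent from that section.
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { insec = 1; next }
        /^\[/     { insec = 0 }
        insec && $0 ~ ("^" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); print tolower($0); exit
        }' "$1"
}

# enumeration_enabled FILE SECTION: true when enumerate is on (sssd's default is off)
enumeration_enabled() {
    [ "$(conf_get "$1" "$2" enumerate)" = "true" ]
}

# first_server FILE SECTION: the first ipa_server entry, i.e. what sssd tries first
first_server() {
    conf_get "$1" "$2" ipa_server | cut -d, -f1 | tr -d ' '
}

# audit_conf FILE SECTION: one line per finding on stdout; exit status 1 if any
audit_conf() {
    n=0
    if enumeration_enabled "$1" "$2"; then
        echo "enumerate = true: sssd downloads every user and group; set enumerate = False"
        n=$((n + 1))
    fi
    if [ "$(first_server "$1" "$2")" = "_srv_" ]; then
        echo "ipa_server starts with _srv_: servers come from DNS SRV before the listed IPs; check resolver latency on this network"
        n=$((n + 1))
    fi
    if [ -z "$(conf_get "$1" "$2" debug_level)" ]; then
        echo "no debug_level in [$2]: add debug_level = 6 and read /var/log/sssd/sssd_${2#domain/}.log"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# srv_targets DNSDOMAIN: the SRV records sssd consults for _srv_ (needs dig and the network)
srv_targets() {
    command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 1; }
    for rr in "_ldap._tcp.$1" "_kerberos._udp.$1"; do
        printf '%s: ' "$rr"
        dig +short "$rr" SRV | tr '\n' ' '
        echo
    done
}

# Stand-alone run: audit the constructed sample (three findings expected).
audit_conf "$SAMPLE_CONF" domain/foo.net || true
```

On a real client, point audit_conf at /etc/sssd/sssd.conf and compare srv_targets foo.net against the ipa_server list: if the SRV lookup is slow or returns servers the client cannot reach, the _srv_ entry is tried first on every failover, which matches the pattern of a login being briefly faster and then slow again. Clear the cache with sss_cache -E before timing a login so the measurement is not skewed by cached entries.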
Re: [Freeipa-users] openldap certs?
It doesn't seem to have helped -- we're still pretty slow even with IP addresses in sssd.conf.

On 05/22/2014 11:07 AM, Dmitri Pal wrote:
> That means you have problems with DNS that are worth looking into.
>
> No. I mean the ability of sssd to download everything when enumerate = true. This causes a lot of traffic and overhead and is a usual reason for low performance. We were unfortunate to include this setting into one of the early sssd.conf examples and people have been copying it around ever since, though we strongly recommend against enabling it.
Re: [Freeipa-users] openldap certs?
On Thu, May 22, 2014 at 11:16:57AM -0400, Bret Wortman wrote:
> It doesn't seem to have helped -- we're still pretty slow even with IP addresses in sssd.conf.

Yes, I would expect the performance to be still slow, because when you perform authentication, the user information is always refreshed from the server, even with enumeration. This is to ensure correct and precise group membership at login time.
Re: [Freeipa-users] openldap certs?
On 05/22/2014 02:25 PM, Jakub Hrozek wrote:
> On Thu, May 22, 2014 at 11:16:57AM -0400, Bret Wortman wrote:
>> It doesn't seem to have helped -- we're still pretty slow even with IP addresses in sssd.conf.
>
> Yes, I would expect the performance to be still slow, because when you perform authentication, the user information is always refreshed from the server, even with enumeration.

I do not think they have enumeration; this is why this seems irrelevant.

> This is to ensure correct and precise group membership at login time.

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] openldap certs?
On 05/22/2014 11:16 AM, Bret Wortman wrote:
> It doesn't seem to have helped -- we're still pretty slow even with IP addresses in sssd.conf.

Then we need debug logs to see where the delays are. Put high debug level and zip the logs somewhere we can take a look at. Jakub is your guy.

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.