Re: [Freeipa-users] Slow SSH login for IPA users only

2015-10-09 Thread Sumit Bose
On Wed, Oct 07, 2015 at 01:23:06PM +0200, Guillem Liarte wrote:
> Sumit,
> 
> Thanks for your reply.
> 
> Yes, I have debug enabled: With level 5 I see that here is where it spends
> most of its time:
> 
> (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info]
> (0x0200): Got request for [0x1][1][name=testuser]
> (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100):
> Request processed. Returned 0,0,Success
> (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info]
> (0x0200): Got request for [0x1][1][name=testuser]
> (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100):
> Request processed. Returned 0,0,Success
> (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info]
> (0x0200): Got request for [0x3][1][name=testuser]
> (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Oct  7 13:14:18 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100):
> Request processed. Returned 0,0,Success
> 
> Note that I removed the real domain name, also to make it a short line.
> 
> 
> After reading this post:
> 
> https://www.centos.org/forums/viewtopic.php?f=47=53652
> 
> I actually saw that setting selinux_provider = none improved things quite a
> lot.

Which SSSD version are you using? This issue was tracked by
https://fedorahosted.org/sssd/ticket/2624 and should be fixed in recent
versions of SSSD.

> 
> Still, what is this message:
> 
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)

Those are harmless. If you have trust enabled with AD we have to
figure out if the POSIX UID for a user should be calculated based on the
SID or taken from a suitable LDAP attribute from AD. Since this happens
in the common code for user lookup it is executed for IPA users as well.
But I agree that this message is annoying and created
https://fedorahosted.org/sssd/ticket/2830 to suppress it for IPA users.

bye,
Sumit

> 
> ?
> 
> Regards,
> 
> Guillem
> 

Re: [Freeipa-users] Slow SSH login for IPA users only

2015-10-09 Thread Guillem Liarte
Thanks Sumit.

The version of sssd is 1.12.2-58.el7_1.17

I do not have any AD trusts defined, I suppose I should not see those
messages.

Thanks again.

Guillem


Re: [Freeipa-users] Slow SSH login for IPA users only

2015-10-08 Thread Guillem Liarte
Sumit,

Thanks for your reply.

Yes, I have debug enabled: With level 5 I see that here is where it spends
most of its time:

(Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info]
(0x0200): Got request for [0x1][1][name=testuser]
(Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100):
Request processed. Returned 0,0,Success
(Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info]
(0x0200): Got request for [0x1][1][name=testuser]
(Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100):
Request processed. Returned 0,0,Success
(Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info]
(0x0200): Got request for [0x3][1][name=testuser]
(Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Wed Oct  7 13:14:18 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100):
Request processed. Returned 0,0,Success

Note that I removed the real domain name, also to make it a short line.


After reading this post:

https://www.centos.org/forums/viewtopic.php?f=47=53652

I actually saw that setting selinux_provider = none improved things quite a
lot.

Still, what is this message:

[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)

?

Regards,

Guillem
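
The debug excerpt in this message alternates `be_get_account_info` request lines with `acctinfo_callback` completion lines, so the time spent per backend request can be read off mechanically. The following is an added example, not part of the original thread or of SSSD: it assumes the log shows one account request at a time, and the sample log (domain `example.test`, a 6-second gap) is constructed.

```python
import re
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
# Every SSSD debug entry starts with "(Www Mmm dd hh:mm:ss yyyy) ".
ENTRY_START = re.compile(r"^\(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}\) ")
ENTRY = re.compile(
    r"^\(\w{3} (\w{3}) +(\d{1,2}) (\d\d):(\d\d):(\d\d) (\d{4})\) "
    r"\[sssd\S*\] \[(\w+)\] \((0x[0-9a-fA-F]+)\): (.*)$")
REQUEST = re.compile(r"Got request for \[(0x[0-9a-fA-F]+)\]\[\d+\]\[(.*)\]")
REQ_TYPES = {0x1: "user", 0x2: "group", 0x3: "initgroups"}  # SSSD BE_REQ_* codes
NOISE_FUNC = "sdap_idmap_domain_has_algorithmic_mapping"

# Constructed sample, mail-wrapped like the excerpt in the thread. The domain
# name and the 6-second gap are invented for illustration.
SAMPLE = """\
(Wed Oct  7 13:14:17 2015) [sssd[be[example.test]]] [be_get_account_info]
(0x0200): Got request for [0x1][1][name=testuser]
(Wed Oct  7 13:14:17 2015) [sssd[be[example.test]]] [acctinfo_callback] (0x0100):
Request processed. Returned 0,0,Success
> (Wed Oct  7 13:14:17 2015) [sssd[be[example.test]]] [be_get_account_info]
> (0x0200): Got request for [0x3][1][name=testuser]
> (Wed Oct  7 13:14:17 2015) [sssd[be[example.test]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Wed Oct  7 13:14:17 2015) [sssd[be[example.test]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Wed Oct  7 13:14:23 2015) [sssd[be[example.test]]] [acctinfo_callback] (0x0100):
> Request processed. Returned 0,0,Success
"""

def unwrap(text):
    # Rejoin entries wrapped by a mail client and drop "> " quote markers.
    entries = []
    for line in text.splitlines():
        line = line.lstrip("> ").strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def parse(text):
    # Returns (timestamp, function, debug level, message) per entry.
    out = []
    for raw in unwrap(text):
        m = ENTRY.match(raw)
        if m:
            mon, day, hh, mi, ss, year, func, level, msg = m.groups()
            ts = datetime(int(year), MONTHS[mon], int(day),
                          int(hh), int(mi), int(ss))
            out.append((ts, func, int(level, 16), msg))
    return out

def request_timings(entries):
    # Pair each "Got request" with the next "Request processed" (assumes the
    # backend log shows one account request at a time, as in the excerpt).
    done, cur = [], None
    for ts, func, _level, msg in entries:
        m = REQUEST.search(msg) if func == "be_get_account_info" else None
        if m:
            code = int(m.group(1), 16)
            cur = {"type": REQ_TYPES.get(code, hex(code)),
                   "filter": m.group(2), "start": ts, "noise": 0}
        elif cur and func == NOISE_FUNC:
            cur["noise"] += 1
        elif cur and func == "acctinfo_callback" and msg.startswith("Request processed"):
            cur["seconds"] = (ts - cur["start"]).total_seconds()
            cur["result"] = msg.split("Returned ", 1)[-1]
            done.append(cur)
            cur = None
    return done

if __name__ == "__main__":
    for r in request_timings(parse(SAMPLE)):
        print(f'{r["type"]:<10} {r["filter"]:<15} {r["seconds"]:>5.1f}s '
              f'idmap-noise={r["noise"]} result={r["result"]}')
```

Timestamps in this log format have one-second resolution, so requests that finish within the same second report 0.0.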


[Freeipa-users] Slow SSH login for IPA users only

2015-10-07 Thread Guillem Liarte
All,

I have an IPA 4.1 installation that works perfectly. We just suffer from
slow logins (this is also slow in other operations such as invoking SUDO)

IPA user:

1st login: 30 seconds
2nd login: 8 seconds
3rd login: 6.5 seconds
4th login: 20 seconds

Local user:

Consistently under 2 seconds

In SSH I have tried:

Setting UseDNS to no
Setting GSSAPIAuthentication to no

I have tried various things that would work on a slow SSH, with no effect.
In fact, local users have no problem.

DNS both forward and reverse works well, works fast and gives consistent
results. That is not the issue.

While trying to find out more about the issue, I see that after the client
has connected, it spends most of the time here:

[...]
debug2: input_userauth_pk_ok: fp
e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
debug3: sign_and_send_pubkey: RSA
e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
debug1: Authentication succeeded (publickey).
[...]

At first I thought it might be the key retrieval from the IPA service, but it
is actually quite fast:

time /usr/bin/sss_ssh_authorizedkeys testuser
real    0m0.209s

We have all the configuration files just as they were after installing the
ipa-client. The only modification was made to sshd_config as these two
lines:

AuthorizedKeysCommand  /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

I also tried removing the _srv_ in the ipa server line in sssd.conf, but
that did not make any difference either.

So, in brief:

- SSH is fast for local users
- authorized keys get retrieved quickly
- no DNS issues.
- IPA users take from 6 to 30 seconds to login (and also to perform sudo
invocations)
- While watching ssh logins, for IPA users, it takes a long time to pass
these two:

   - input_userauth_pk_ok
   - sign_and_send_pubkey

Could someone give me an idea of what to try next?

Thanks!
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Slow SSH login for IPA users only

2015-10-07 Thread Sumit Bose
On Wed, Oct 07, 2015 at 12:07:08PM +0200, Guillem Liarte wrote:
> All,
> 
> I have an IPA 4.1 installation that works perfectly. We just suffer from
> slow logins (this is also slow in other operations such as invoking SUDO)
> 
> IPA user:
> 
> 1st login: 30 seconds
> 2nd login: 8 seconds
> 3rd login: 6.5 seconds
> 4th login: 20 seconds
> 
> Local user:
> 
> Consistently under 2 seconds
> 
> In SSH I have tried:
> 
> Setting UseDNS to no
> Setting GSSAPIAuthentication to no
> 
> I have tried various things that would work on a slow SSH, with no effect.
> In fact, local users have no problem.
> 
> DNS both forward and reverse works well, works fast and gives consistent
> results. That is not the issue.
> 
> While trying to find out more about the issue, I see that after the client
> has connected, it spends most of the time here:
> 
> [...]
> debug2: input_userauth_pk_ok: fp
> e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
> debug3: sign_and_send_pubkey: RSA
> e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
> debug1: Authentication succeeded (publickey).
> [...]
> 
> At first I thought it might be the key retrieval from the IPA service, but it
> is actually quite fast:
> 
> time /usr/bin/sss_ssh_authorizedkeys testuser
> real    0m0.209s
> 
> We have all the configuration files just as they were after installing the
> ipa-client. The only modification was made to sshd_config as these two
> lines:
> 
> AuthorizedKeysCommand  /usr/bin/sss_ssh_authorizedkeys
> AuthorizedKeysCommandUser nobody
> 
> I also tried removing the _srv_ in the ipa server line in sssd.conf, but
> that did not make any difference either.
> 
> So, in brief:
> 
> - SSH is fast for local users
> - authorized keys get retrieved quickly
> - no DNS issues.
> - IPA users take from 6 to 30 seconds to login (and also to perform sudo
> invocations)
> - While watching ssh logins, for IPA users, it takes a long time to pass
> these two:
> 
>    - input_userauth_pk_ok
>    - sign_and_send_pubkey
> 
> Could someone give me an idea of what to try next?

Please check the SSSD logs, especially the ones for the domain. You might
need to increase the debug_level; please see
https://fedorahosted.org/sssd/wiki/Troubleshooting for details.

bye,
Sumit

> 
> Thanks!



[Freeipa-users] slow ssh

2012-09-10 Thread Steven Jones
Hi,

Not sure if this is an IPA issue but I'm finding ssh takes a long time to login.
It looks like ssh is querying IPA for authentication mechanisms?...if so can I
simply turn this off? and if so how?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] slow ssh

2012-09-10 Thread Rob Crittenden

Steven Jones wrote:

> Hi,
>
> Not sure if this is an IPA issue but I'm finding ssh takes a long time to login.
> It looks like ssh is querying IPA for authentication mechanisms?...if so can I
> simply turn this off? and if so how?


Run in verbose mode to see what it's doing, ssh -vv. It may be trying 
several auth mechanisms which can be slow.


rob



Re: [Freeipa-users] slow ssh

2012-09-10 Thread Dmitri Pal
On 09/10/2012 05:16 PM, Steven Jones wrote:
> Hi,
>
> Not sure if this is an IPA issue but I'm finding ssh takes a long time to login.
> It looks like ssh is querying IPA for authentication mechanisms?...if so can
> I simply turn this off? and if so how?


Is it the problem on the SSH client or on the SSH server?
Can you provide ssh configuration file(s) and sssd.conf?
What version do you use (ssh and sssd)?
Could it be that you tried the tech preview ipa-client SSH integration
feature when you installed ipa-client?

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.




Re: [Freeipa-users] slow ssh

2012-09-10 Thread KodaK
On Mon, Sep 10, 2012 at 4:16 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:
> Hi,
>
> Not sure if this is an IPA issue but I'm finding ssh takes a long time to login.
> It looks like ssh is querying IPA for authentication mechanisms?...if so can
> I simply turn this off? and if so how?

Slow SSH is (in my experience, anyway) usually a DNS problem.  Are
you using IPA for DNS, or external?  Either way, is reverse DNS
working?

I had an issue recently with users complaining about slow logins, but
it turned out that bind on my primary IPA box died (I have no idea
how.)  Since resolv.conf goes in order, it would hit the primary, time
out, then fail over to the other DNS servers.  Once I restarted bind
everything was fine again.  I'm still investigating what happened, but
there's only so much time in a day.

As for auth mechanisms -- those are defined in your sshd_config, but
why would you want to turn that off?  That's the whole point of IPA.
I'm probably misunderstanding something, though. :)

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6



Re: [Freeipa-users] slow ssh

2012-09-10 Thread David Björkevik
[email re-sent to list]

Hi Steven,

Try

ssh -o GSSAPIAuthentication=no your.host.name

If that doesn't change anything, try adding -v to the command line and
see where the delay is happening.

/David

On 2012-09-10 23:16, Steven Jones wrote:
> Hi,
>
> Not sure if this is an IPA issue but I'm finding ssh takes a long time to login.
> It looks like ssh is querying IPA for authentication mechanisms?...if so can
> I simply turn this off? and if so how?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
 


Re: [Freeipa-users] slow ssh

2012-09-10 Thread Steven Jones
Hi,

It seems to be in my test environment so it's probably not a full DNS setup is
some of the problem.

I didn't select the preview but I've seen ssh logins that happen without a
password so I assume that's at least partially why.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

