Is there a way you can share some SSSD logs showcasing the slow logins and incomplete id results?

1. Edit /etc/sssd/sssd.conf and add "debug_level = 9" to all bracket sections "[domain/...], [sssd], [pam], etc".

2. Restart SSSD and clear cache and logs:

  # systemctl stop sssd ; rm -rf /var/log/sssd/* /var/lib/sss/{db,mc}/* ; systemctl start sssd

3. Reproduce the error.

4. Archive the relevant configs:

  # tar czvpf /tmp/sssd-debug_$(hostname -s)_$(date +%F_%H%M%S).tar.gz /var/lib/sss /var/log/{sssd,secure,messages,samba} /etc/{ssh/sshd_config,pam.d,nsswitch.conf,krb5.c*,openldap,authselect,hosts,resolv.conf,sssd}

-----------------

Otherwise, I'd try a few tuning parameters to see if it helps to speed things up:

[domain/example.com]
ignore_group_members = true
ldap_deref_threshold = 0

[pam]
pam_id_timeout = 30

[nss]
entry_cache_timeout = 10800

------------------

You might also consider mounting the SSSD cache in tmpfs to speed up the responsiveness of SSSD for busy machines:

Add the following entry to the /etc/fstab file as a single line:

tmpfs /var/lib/sss/db/ tmpfs size=300M,mode=0700,uid=sssd,gid=sssd,rootcontext=system_u:object_r:sssd_var_lib_t:s0 0 0

Restart SSSD afterwards:

  # systemctl stop sssd ; rm -rf /var/lib/sss/db/* ; mount /var/lib/sss/db/ ; systemctl start sssd

On 9/20/23 16:32, Johnnie W Adams wrote:
Hi, folks,

     I've got a double-barrelled problem.

     We're an RHEL shop with mostly RHEL 7 machines authenticating via sssd against LDAP which has, for a few weeks now, been undergoing very slow logons. Now we are also seeing incomplete information being returned from id -G. I've trimmed down a test case to eliminate every other variable I can find, and I'm left with sssd as my focal point.

      Any thoughts on where to start with this very puzzling, very annoying problem?
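Step 1 of the reply above, as an added example that is not part of the original thread: a shell function that prints a copy of an sssd.conf file with debug_level set in every bracket section, replacing any value already there. The function names and the sample config are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: print a copy of an sssd.conf-style file with
# "debug_level = LEVEL" set in every [section].
# Usage: set_sssd_debug_level FILE [LEVEL]   (function name is hypothetical)
set_sssd_debug_level() {
    conf=$1
    level=${2:-9}
    awk -v level="$level" '
        # Drop any active debug_level setting (commented-out ones are kept).
        /^[ \t]*debug_level[ \t]*=/ { next }
        # After each [section] header, emit the new setting.
        /^[ \t]*\[[^]]+\][ \t]*$/ { print; print "debug_level = " level; next }
        { print }
    ' "$conf"
}

# Count sections and active debug_level lines so the result can be
# checked before it replaces the live file.
count_sections() { grep -c '^[[:space:]]*\[[^]]*\][[:space:]]*$' "$1"; }
count_debug_lines() { grep -c '^[[:space:]]*debug_level[[:space:]]*=' "$1"; }

# Constructed sample config (not from the thread), used for the demo run.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/sssd.conf" <<'EOF'
[sssd]
services = nss, pam
domains = example.com
debug_level = 2

[nss]

[pam]

[domain/example.com]
id_provider = ldap
# debug_level = 6
EOF
    set_sssd_debug_level "$tmp/sssd.conf" 9 > "$tmp/sssd.conf.debug"
    echo "sections: $(count_sections "$tmp/sssd.conf.debug")," \
         "debug_level lines: $(count_debug_lines "$tmp/sssd.conf.debug")"
    cat "$tmp/sssd.conf.debug"
    rm -rf "$tmp"
}
demo
```

The function writes to stdout only; when the result is copied over /etc/sssd/sssd.conf, the file must stay owned by root with mode 0600 or SSSD will refuse to start.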