I've attached a tar file of the /var/log/sssd directory, which I hope will carry over. The logon delay is >10 seconds.
On Wed, Sep 20, 2023 at 3:45 PM Striker Leggette <[email protected]> wrote:

> Is there a way you can share some SSSD logs showcasing the slow logins
> and incomplete id results?
>
> 1. Edit /etc/sssd/sssd.conf and add "debug_level = 9" to all bracket
> sections "[domain/...], [sssd], [pam], etc".
>
> 2. Restart SSSD and clear cache and logs:
>
> # systemctl stop sssd ; rm -rf /var/log/sssd/* /var/lib/sss/{db,mc}/* ; systemctl start sssd
>
> 3. Reproduce the error.
>
> 4. Archive the relevant configs:
>
> # tar czvpf /tmp/sssd-debug_$(hostname -s)_$(date +%F_%H%M%S).tar.gz /var/lib/sss /var/log/{sssd,secure,messages,samba} /etc/{ssh/sshd_config,pam.d,nsswitch.conf,krb5.c*,openldap,authselect,hosts,resolv.conf,sssd}
>
> -----------------
>
> Otherwise, I'd try a few tuning parameters to see if it helps to speed
> things up:
>
> [domain/example.com]
> ignore_group_members = true
> ldap_deref_threshold = 0
>
> [pam]
> pam_id_timeout = 30
>
> [nss]
> entry_cache_timeout = 10800
>
> ------------------
>
> You might also consider mounting the SSSD cache in tmpfs to speed up
> the responsiveness of SSSD for busy machines:
>
> Add the following entry to the /etc/fstab file as a single line:
>
> tmpfs /var/lib/sss/db/ tmpfs size=300M,mode=0700,uid=sssd,gid=sssd,rootcontext=system_u:object_r:sssd_var_lib_t:s0 0 0
>
> Restart SSSD afterwards:
>
> # systemctl stop sssd ; rm -rf /var/lib/sss/db/* ; mount /var/lib/sss/db/ ; systemctl start sssd
>
> On 9/20/23 16:32, Johnnie W Adams wrote:
> > Hi, folks,
> >
> > I've got a double-barrelled problem.
> >
> > We're an RHEL shop with mostly RHEL 7 machines authenticating via
> > sssd against LDAP which has, for a few weeks now, been undergoing very
> > slow logons. Now we are also seeing incomplete information being
> > returned from id -G. I've trimmed down a test case to eliminate every
> > other variable I can find, and I'm left with sssd as my focal point.
> >
> > Any thoughts on where to start with this very puzzling, very
> > annoying problem?

--
John Adams
Senior Linux/Middleware Administrator | Information Technology Services
+1-501-916-3010 | [email protected] | http://ualr.edu/itservices
*UA Little Rock*

Reminder: IT Services will never ask for your password over the phone or in an email. Always be suspicious of requests for personal information that come via email, even from known contacts. For more information or to report suspicious email, visit IT Security <http://ualr.edu/itservices/security/>.

sssd_logs.tar.gz
Description: GNU Zip compressed data
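
Added example, not part of the thread and not SSSD project code: a small Python script that scans a debug_level = 9 log for the largest pauses between consecutive entries, which is one way to locate where a >10 second logon delay is spent. It assumes the two timestamp prefixes "(YYYY-MM-DD HH:MM:SS):" and "(Wed Sep 20 15:50:14 2023)"; the sample lines are constructed, not taken from the attached archive.

```python
import re
import sys
from datetime import datetime

# Constructed sample lines (assumed formats), not from sssd_logs.tar.gz.
SAMPLE = """\
(2023-09-20 15:50:01): [be[example.com]] [dp_get_account_info_send] (0x0200): Got request for initgroups
(2023-09-20 15:50:01): [be[example.com]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext
(2023-09-20 15:50:13): [be[example.com]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0)
(Wed Sep 20 15:50:14 2023) [sssd[be[example.com]]] [dp_req_done] (0x0400): Request finished
"""

# Optional ":NNNNNN" covers logs written with microsecond timestamps.
NEW = re.compile(r"^\((\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)(?::\d{6})?\)")
OLD = re.compile(r"^\((\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d)(?::\d{6})? (\d{4})\)")


def parse_ts(line):
    """Return the entry's timestamp, or None for continuation lines."""
    m = NEW.match(line)
    if m:
        return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    m = OLD.match(line)
    if m:
        return datetime.strptime(f"{m.group(1)} {m.group(2)}",
                                 "%a %b %d %H:%M:%S %Y")
    return None


def find_gaps(lines, threshold=5.0):
    """Return (seconds, line_before, line_after) per stall, longest first."""
    gaps, prev_ts, prev_line = [], None, None
    for line in lines:
        ts = parse_ts(line)
        if ts is None:  # multi-line message body or unrecognised prefix
            continue
        if prev_ts is not None:
            delta = (ts - prev_ts).total_seconds()
            if delta >= threshold:
                gaps.append((delta, prev_line.strip(), line.strip()))
        prev_ts, prev_line = ts, line
    return sorted(gaps, key=lambda g: g[0], reverse=True)


if __name__ == "__main__":
    # Usage: script.py /var/log/sssd/sssd_example.com.log (path is an example)
    src = (open(sys.argv[1], errors="replace") if len(sys.argv) > 1
           else SAMPLE.splitlines())
    for secs, before, after in find_gaps(src):
        print(f"{secs:.0f}s stall\n  before: {before}\n  after:  {after}")
```

The entry printed as "before" is the last thing SSSD logged ahead of the pause, so it names the operation (for example an LDAP search) that was outstanding while the logon waited.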
