On 04/07/2015 03:05 AM, Jakub Hrozek wrote:
On Mon, Apr 06, 2015 at 08:01:46PM -0500, Dan Mossor wrote:
On 04/05/2015 12:51 PM, Dmitri Pal wrote:
Several tips.
Please check your DNS configuration.
Such a delay is usually caused by the DNS lookups timing out. That means
that the servers are probably trying to resolve names against an old DNS
server that is not around. Look at resolv.conf and make sure only valid
DNS servers are there and they are in the proper order.

If this does not help please turn on SSSD debug_level to 10, sanitize
and send the SSSD domain logs and sssd.conf to the list.
More hints can be found here:
https://fedorahosted.org/sssd/wiki/Troubleshooting

DNS lookups are good - 'dig' and 'dig -x' return instantaneous forward and
reverse lookups on the IPA server, the target server, and the client. The
only DNS server configured is the IPA server.

I did catch some sssd logs. I set logging to 0x0450 instead of 10, and I
didn't have time to compare if any different information was caught. If you
still need me to specify log level 10 or some other setting, let me know.
The login that these logs are for took 15.371 seconds (checked via 'time ssh
danofs...@yoda.example.lcl exit').

selinux_child.log: http://fpaste.org/207805/
sssd_sudo.log: http://fpaste.org/207806/
sssd_pac.log: http://fpaste.org/207807/
sssd_pam.log: http://fpaste.org/207808/67775142/
sssd_nss.log: http://fpaste.org/207809/
sssd.log: http://fpaste.org/207810/
sssd_example.lcl.log: http://fpaste.org/207811/36832514/

We've recently found a performance problem in the SELinux code. Can you
check if setting:
     selinux_provider = none
improves the performance anyhow?


Adding "selinux_provider = none" to the domain section of /etc/sssd/sssd.conf seems to have drastically improved ssh logins. The Apache authentications are faster, but we're still hitting a performance issue somewhere in that chain. It may be with Apache itself, so stand by...but otherwise, I'm calling this fixed.

Thanks!

--
Dan Mossor
Systems Engineer at Large
Fedora KDE WG | Fedora QA Team | Fedora Server SIG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA
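
An added example, not part of the original thread: when a login takes many seconds, ranking the time gaps between consecutive lines of an SSSD domain log shows which step the backend was waiting in. It assumes the debug line layout `(timestamp) [process] [function] (level): message`; the sample lines and their function names are constructed.

```python
import re
from datetime import datetime

# Assumed SSSD debug line layout, with optional microseconds:
# (Mon Apr  6 19:45:01 2015) [sssd[be[example.lcl]]] [func] (0x0400): message
LINE_RE = re.compile(
    r"^\((?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d)(?::(?P<us>\d{6}))? (?P<year>\d{4})\) "
    r"\[(?P<proc>.+?)\] \[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

# Constructed sample input; the function names are hypothetical.
SAMPLE = """\
(Mon Apr  6 19:45:01 2015) [sssd[be[example.lcl]]] [step_one] (0x0400): constructed: request received
(Mon Apr  6 19:45:02 2015) [sssd[be[example.lcl]]] [step_two] (0x0400): constructed: starting session setup
this line does not match the layout and is skipped
(Mon Apr  6 19:45:15 2015) [sssd[be[example.lcl]]] [step_three] (0x0400): constructed: session setup finished
(Mon Apr  6 19:45:16 2015) [sssd[be[example.lcl]]] [step_four] (0x0400): constructed: reply sent
"""


def parse_line(line):
    """Return (timestamp, function, message), or None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
    if m["us"]:
        when = when.replace(microsecond=int(m["us"]))
    return when, m["func"], m["msg"]


def largest_gaps(lines, top=3):
    """Rank pauses between consecutive log events, longest first."""
    events = [e for e in map(parse_line, lines) if e]
    gaps = []
    for (t0, f0, _), (t1, f1, msg1) in zip(events, events[1:]):
        # The wait happened after f0 logged and before f1 logged.
        gaps.append(((t1 - t0).total_seconds(), f0, f1, msg1))
    return sorted(gaps, key=lambda g: g[0], reverse=True)[:top]


if __name__ == "__main__":
    for seconds, before, after, msg in largest_gaps(SAMPLE.splitlines()):
        print(f"{seconds:6.1f}s between [{before}] and [{after}]: {msg}")
```

Comparing the ranking from logs taken before and after a configuration change shows whether the long gap has gone or only moved to another step.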
