On Thu, Aug 25, 2016 at 04:11:29PM +0000, Neal Harrington | i-Neda Ltd wrote: > > > Hi, > > > > > > > I am experiencing slow logins and sudo authentication for servers joined > > > to my FreeIPA domain. I have been following the other recent thread on > > > slow logins and believe my issue is different. > > > > > > I have replication setup with 2 FreeIPA servers at each of 3 sites. The > > > replication is working well and I am able to login correctly on client > > > servers with correct sudo permissions etc. Logins seem to take a long > > > time however. There seems to be some kind of DNS/connection timeout > > > issues, see the example below where the client times out on the auth01 > > > server, then retries and connects. I have also seen it switch to an > > > alternate IPA server on timeout. Total delay in this example is about 10 > > > seconds however it can take longer (approx 30 seconds). It is worth > > > mentioning that client servers in each site cannot connect to IPA servers > > > is a different site - however in the example below the auth01 IPA server > > > is in the same site as the client server. I'm not sure if there is any > > > way to make the IPA clients site aware so they prefer to log in to a > > > local server? > > > > > > > > > On the IPA servers themselves there is no noticeable delay and once I > > > have authenticated with sudo once, subsequent attempts in the same login > > > are also near instant. I have not been able to find any reason for this > > > delay in any logs (which probably just means I'm not looking in the right > > > place). > > > > > > > > > DNS servers are running on each IPA server and responding well whenever I > > > have tested. > > > > > > > > > IPA Servers: CentOS 7.2.1511 running IPA 4.2.0 (from standard CentOS repo) > > > > > > Client servers: Ubuntu 14.04 running IPA 3.3.4 (From standard Ubuntu repo) > > > > > > > > > Any comments or suggestions greatly appreciated. > > > > > > > > > Thanks, > > > > > > Neal. > > > > > > > > > Example sssd log for a "sudo -l" attempt. > > > > > > (Mon Aug 1 14:39:59 2016) [sssd[be[fqdn.com]]] [krb5_child_timeout] > > > (0x0040): Timeout for child [7430] reached. In case KDC is distant or > > > network is slow you may consider increasing value of krb5_auth_timeout. > > > (Mon Aug 1 14:39:59 2016) [sssd[be[fqdn.com]]] [krb5_auth_done] (0x0020): > > > child timed out! > > > > These debug messages seem to be telling you what the problem is. Have > > you tried how long does it take to kinit (preferably with > > KRB5_TRACE=/dev/stderr prepended) ? > > Hi Jakub, > > Thanks for your response and sorry for my delay in replying. kinit takes > between 2 and 25 seconds to complete - the KRB5_TRACE option shows it trying > a random auth server, timing out and trying another random server until it > picks a local server which then completes almost immediately. This seems to > confirm that the problem is simply the server tries to authenticate against a > FreeIPA server that is unreachable and times out causing the randomly slow > logins. Given 6 auth servers with only 2 on each site there is a ~ 10% chance > of hitting 3 bad servers in a row before login succeeds - if each takes 20 > seconds that would explain the random login times of a few sec - 1 minute. > > If I enter the local kdc servers manually in the realm section of krb5.conf > then ssh logins always happen in < 2sec - however I would prefer to avoid the > manual step of configuring and updating this (planning to expand out to a few > hundred servers over 4-5 sites). Manually setting these is likely to lead to > mistakes and it just feels inelegant compared to DNS SRV records. > > I have seen https://www.freeipa.org/page/V4/DNS_Location_Mechanism which > looks good but is a proposal from 2013 with no indications that it has > actually been developed. I was also very interested by > https://www.freeipa.org/page/Howto/IPA_locations which would be perfect - > except the "ipa location-add" commands do not seem to be recognised by my > FreeIPA installs. > > Am I missing a better way to handle the case of multiple locations with > clients in Location A being unable to authenticate against FreeIPA servers at > location B? > > Any suggestions greatly appreciated. > > Thanks, > Neal. >
Petr Spacek (CC) has been working lately in this area, but frankly I don't know what the status is or what a recommendation for current versions might be.. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
