Re: [Freeipa-users] slow login with freeipa 4.2.0

2016-08-01 Thread Petr Spacek 
On 1.8.2016 09:08, Jakub Hrozek wrote:
> On Sat, Jul 30, 2016 at 02:02:56PM +0530, Rakesh Rajasekharan wrote:
>> Thanks Jakub for the detailed analysis... with those inputs , I was able to
>> nail down the issue.
>>
>> I had migrated this host from openldap to freeipa.. However, nslcd daemon
>> was still running and the sylog pointed me to the error "unable to contact
>> the earlier openldap server" and it spent some time there...
>>
>> So, I stopped nslcd and now logins have improved drastically to around 5s
>>
>> date;ssh testuser@localhost
>> Sat Jul 30 08:09:13 UTC 2016
>> testuser@localhost's password:
>> Last login: Sat Jul 30 08:08:55 2016 from 127.0.0.1
>> [p-rakeshpillai@prod1-admintools-1c :~] date
>> Sat Jul 30 08:09:18 UTC 2016
>>
>>
>> For the ipa_hostname entry in sssd.conf, that gets auto populated entered
>> everytime I run ipa-client-install .
>>
>> I run the below command to setup ipa client
>>
>> ipa-client-install --domain=xyz.xom --server=ipa-master-int.xyz.xom
>> --realm=xyz.xom -p admin --password=mypass--mkhomedir --hostname=10.65.16.4
>> --no-ssh --no-sshd -N -f -U

Hostname == IP address will break Kerberos authentication in cases where
client wants to connect using DNS name instead of IP address.

E.g. it will break "ssh user@server" where server is the machine you installed
using the command above.

Petr^2 Spacek

>>
>> Notice that, In the hostname argument, I am passing the IP address. Hope
>> thats fine, its actually working fine on around 2000+ servers in my
>> environment.
> 
> I wonder if this works only by accident. Even if you run
> ipa-client-install --hostname then you'll see in the help this is
> supposed to be FQDN. Kerberos got less picky about hostnames in the
> recent releases, but still..
> 
>>
>> I had earlier tried with servername.domain ( qa-test1.yyz.com as the
>> hostname ) and my servers hostname would get changed to  qa-test1.yyz.com .
>> However, we do our deployments on glassfish and glassfish somehow started
>> having issue everytime we restart glassfish ( not an expert with glassfish
>> ) so not sure whats wrong there.
>>
>> With this approach , my hostname is now my ipaddress and  things are
>> working fine both at galssfish and IPA side.
>> But just want to confirm its ok to do that
>>
>>
>> Thanks,
>> Rakesh
>>
>>
>>
>>
>>
>>
>> On Fri, Jul 29, 2016 at 5:10 PM, Jakub Hrozek  wrote:
>>
>>> On Tue, Jul 26, 2016 at 06:07:10PM +0530, Rakesh Rajasekharan wrote:
> Any change that it's running on a VM? If so, check your entropy:

> cat /proc/sys/kernel/random/entropy_avail

> If it's low (like < 1k), install haveged.

 this indeed is vm , am running it on azure . However, I have a similar
>>> set
 up running on aws which works completely fine
>>>
>>> Sorry about the delay in replying..
>>>

 The entropy was low, around 180, I installed haveged and now its above 3k
 cat /proc/sys/kernel/random/entropy_avail
 3178

 The timing though is still the same around 19s
>>>
>>> I have some comments inline about the config and logs.
>>>

 @jakub, i am reattaching the logs.

 The dns resoltion seems fast when I check using dig

 below is my sssd.conf
 [domain/xyz.com]
 selinux_provider=none
 krb5_auth_timeout = 20
 cache_credentials = True
 krb5_store_password_if_offline = True
 ipa_domain = xyz.com
 id_provider = ipa
 auth_provider = ipa
 access_provider = ipa
 ldap_tls_cacert = /etc/ipa/ca.crt
 ipa_hostname = 10.65.16.4
>>>
>>> The ipa_hostname value is wrong. It's meant for systems where hostname
>>> reports a different name that what is the name the host is registered as
>>> in IPA. Including an IP address there doesn't make much sense.
>>>
 chpass_provider = ipa
 ipa_server = ipa-master-in.xyz.com
 dns_discovery_domain = xyz.com
 ignore_group_members=True
 ldap_purge_cache_timeout = 0
 debug_level=8
 [sssd]
 services = nss, sudo, pam, ssh
 config_file_version = 2

 domains = xyz.com
 [nss]
 homedir_substring = /home

 [pam]
 pam_id_timeout = 3

 [sudo]

 [autofs]

 [ssh]

 [pac]

 [ifp]



 And here is the login times and logs

 [root@ipa-client-1 :~] date;ssh testuser@localhost
 Tue Jul 26 12:06:37 UTC 2016
 testuser@localhost's password:
 Last login: Tue Jul 26 12:03:53 2016 from 127.0.0.1
 [testuser@ipa-client-1 :~] date
 Tue Jul 26 12:06:55 UTC 2016


 sssd_domain logs

 (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sbus_message_handler]
 (0x2000): Received SBUS method
 org.freedesktop.sssd.dataprovider.getAccountInfo on path
 /org/freedesktop/sssd/dataprovider
 (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send]
 (0x2000): Not a sysbus message, quit
 (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]]

Re: [Freeipa-users] slow login with freeipa 4.2.0

2016-08-01 Thread Jakub Hrozek 
On Sat, Jul 30, 2016 at 02:02:56PM +0530, Rakesh Rajasekharan wrote:
> Thanks Jakub for the detailed analysis... with those inputs , I was able to
> nail down the issue.
> 
> I had migrated this host from openldap to freeipa.. However, nslcd daemon
> was still running and the sylog pointed me to the error "unable to contact
> the earlier openldap server" and it spent some time there...
> 
> So, I stopped nslcd and now logins have improved drastically to around 5s
> 
> date;ssh testuser@localhost
> Sat Jul 30 08:09:13 UTC 2016
> testuser@localhost's password:
> Last login: Sat Jul 30 08:08:55 2016 from 127.0.0.1
> [p-rakeshpillai@prod1-admintools-1c :~] date
> Sat Jul 30 08:09:18 UTC 2016
> 
> 
> For the ipa_hostname entry in sssd.conf, that gets auto populated entered
> everytime I run ipa-client-install .
> 
> I run the below command to setup ipa client
> 
> ipa-client-install --domain=xyz.xom --server=ipa-master-int.xyz.xom
> --realm=xyz.xom -p admin --password=mypass--mkhomedir --hostname=10.65.16.4
> --no-ssh --no-sshd -N -f -U
> 
> Notice that, In the hostname argument, I am passing the IP address. Hope
> thats fine, its actually working fine on around 2000+ servers in my
> environment.

I wonder if this works only by accident. Even if you run
ipa-client-install --hostname then you'll see in the help this is
supposed to be FQDN. Kerberos got less picky about hostnames in the
recent releases, but still..

> 
> I had earlier tried with servername.domain ( qa-test1.yyz.com as the
> hostname ) and my servers hostname would get changed to  qa-test1.yyz.com .
> However, we do our deployments on glassfish and glassfish somehow started
> having issue everytime we restart glassfish ( not an expert with glassfish
> ) so not sure whats wrong there.
> 
> With this approach , my hostname is now my ipaddress and  things are
> working fine both at galssfish and IPA side.
> But just want to confirm its ok to do that
> 
> 
> Thanks,
> Rakesh
> 
> 
> 
> 
> 
> 
> On Fri, Jul 29, 2016 at 5:10 PM, Jakub Hrozek  wrote:
> 
> > On Tue, Jul 26, 2016 at 06:07:10PM +0530, Rakesh Rajasekharan wrote:
> > > > Any change that it's running on a VM? If so, check your entropy:
> > >
> > > > cat /proc/sys/kernel/random/entropy_avail
> > >
> > > > If it's low (like < 1k), install haveged.
> > >
> > > this indeed is vm , am running it on azure . However, I have a similar
> > set
> > > up running on aws which works completely fine
> >
> > Sorry about the delay in replying..
> >
> > >
> > > The entropy was low, around 180, I installed haveged and now its above 3k
> > > cat /proc/sys/kernel/random/entropy_avail
> > > 3178
> > >
> > > The timing though is still the same around 19s
> >
> > I have some comments inline about the config and logs.
> >
> > >
> > > @jakub, i am reattaching the logs.
> > >
> > > The dns resoltion seems fast when I check using dig
> > >
> > > below is my sssd.conf
> > > [domain/xyz.com]
> > > selinux_provider=none
> > > krb5_auth_timeout = 20
> > > cache_credentials = True
> > > krb5_store_password_if_offline = True
> > > ipa_domain = xyz.com
> > > id_provider = ipa
> > > auth_provider = ipa
> > > access_provider = ipa
> > > ldap_tls_cacert = /etc/ipa/ca.crt
> > > ipa_hostname = 10.65.16.4
> >
> > The ipa_hostname value is wrong. It's meant for systems where hostname
> > reports a different name that what is the name the host is registered as
> > in IPA. Including an IP address there doesn't make much sense.
> >
> > > chpass_provider = ipa
> > > ipa_server = ipa-master-in.xyz.com
> > > dns_discovery_domain = xyz.com
> > > ignore_group_members=True
> > > ldap_purge_cache_timeout = 0
> > > debug_level=8
> > > [sssd]
> > > services = nss, sudo, pam, ssh
> > > config_file_version = 2
> > >
> > > domains = xyz.com
> > > [nss]
> > > homedir_substring = /home
> > >
> > > [pam]
> > > pam_id_timeout = 3
> > >
> > > [sudo]
> > >
> > > [autofs]
> > >
> > > [ssh]
> > >
> > > [pac]
> > >
> > > [ifp]
> > >
> > >
> > >
> > > And here is the login times and logs
> > >
> > > [root@ipa-client-1 :~] date;ssh testuser@localhost
> > > Tue Jul 26 12:06:37 UTC 2016
> > > testuser@localhost's password:
> > > Last login: Tue Jul 26 12:03:53 2016 from 127.0.0.1
> > > [testuser@ipa-client-1 :~] date
> > > Tue Jul 26 12:06:55 UTC 2016
> > >
> > >
> > > sssd_domain logs
> > >
> > > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sbus_message_handler]
> > > (0x2000): Received SBUS method
> > > org.freedesktop.sssd.dataprovider.getAccountInfo on path
> > > /org/freedesktop/sssd/dataprovider
> > > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send]
> > > (0x2000): Not a sysbus message, quit
> > > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [be_get_account_info]
> > > (0x0200): Got request for [0x3][1][name=testuser]
> > > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [be_req_set_domain]
> > > (0x0400): Changing request domain from [xyz.com] to [xyz.com]
> > > (Tue Jul 26 12:06:40 2016)

Re: [Freeipa-users] slow login with freeipa 4.2.0

2016-07-30 Thread Rakesh Rajasekharan 
Thanks Jakub for the detailed analysis... with those inputs , I was able to
nail down the issue.

I had migrated this host from openldap to freeipa.. However, nslcd daemon
was still running and the sylog pointed me to the error "unable to contact
the earlier openldap server" and it spent some time there...

So, I stopped nslcd and now logins have improved drastically to around 5s

date;ssh testuser@localhost
Sat Jul 30 08:09:13 UTC 2016
testuser@localhost's password:
Last login: Sat Jul 30 08:08:55 2016 from 127.0.0.1
[p-rakeshpillai@prod1-admintools-1c :~] date
Sat Jul 30 08:09:18 UTC 2016


For the ipa_hostname entry in sssd.conf, that gets auto populated entered
everytime I run ipa-client-install .

I run the below command to setup ipa client

ipa-client-install --domain=xyz.xom --server=ipa-master-int.xyz.xom
--realm=xyz.xom -p admin --password=mypass--mkhomedir --hostname=10.65.16.4
--no-ssh --no-sshd -N -f -U

Notice that, In the hostname argument, I am passing the IP address. Hope
thats fine, its actually working fine on around 2000+ servers in my
environment.

I had earlier tried with servername.domain ( qa-test1.yyz.com as the
hostname ) and my servers hostname would get changed to  qa-test1.yyz.com .
However, we do our deployments on glassfish and glassfish somehow started
having issue everytime we restart glassfish ( not an expert with glassfish
) so not sure whats wrong there.

With this approach , my hostname is now my ipaddress and  things are
working fine both at galssfish and IPA side.
But just want to confirm its ok to do that


Thanks,
Rakesh






On Fri, Jul 29, 2016 at 5:10 PM, Jakub Hrozek  wrote:

> On Tue, Jul 26, 2016 at 06:07:10PM +0530, Rakesh Rajasekharan wrote:
> > > Any change that it's running on a VM? If so, check your entropy:
> >
> > > cat /proc/sys/kernel/random/entropy_avail
> >
> > > If it's low (like < 1k), install haveged.
> >
> > this indeed is vm , am running it on azure . However, I have a similar
> set
> > up running on aws which works completely fine
>
> Sorry about the delay in replying..
>
> >
> > The entropy was low, around 180, I installed haveged and now its above 3k
> > cat /proc/sys/kernel/random/entropy_avail
> > 3178
> >
> > The timing though is still the same around 19s
>
> I have some comments inline about the config and logs.
>
> >
> > @jakub, i am reattaching the logs.
> >
> > The dns resoltion seems fast when I check using dig
> >
> > below is my sssd.conf
> > [domain/xyz.com]
> > selinux_provider=none
> > krb5_auth_timeout = 20
> > cache_credentials = True
> > krb5_store_password_if_offline = True
> > ipa_domain = xyz.com
> > id_provider = ipa
> > auth_provider = ipa
> > access_provider = ipa
> > ldap_tls_cacert = /etc/ipa/ca.crt
> > ipa_hostname = 10.65.16.4
>
> The ipa_hostname value is wrong. It's meant for systems where hostname
> reports a different name that what is the name the host is registered as
> in IPA. Including an IP address there doesn't make much sense.
>
> > chpass_provider = ipa
> > ipa_server = ipa-master-in.xyz.com
> > dns_discovery_domain = xyz.com
> > ignore_group_members=True
> > ldap_purge_cache_timeout = 0
> > debug_level=8
> > [sssd]
> > services = nss, sudo, pam, ssh
> > config_file_version = 2
> >
> > domains = xyz.com
> > [nss]
> > homedir_substring = /home
> >
> > [pam]
> > pam_id_timeout = 3
> >
> > [sudo]
> >
> > [autofs]
> >
> > [ssh]
> >
> > [pac]
> >
> > [ifp]
> >
> >
> >
> > And here is the login times and logs
> >
> > [root@ipa-client-1 :~] date;ssh testuser@localhost
> > Tue Jul 26 12:06:37 UTC 2016
> > testuser@localhost's password:
> > Last login: Tue Jul 26 12:03:53 2016 from 127.0.0.1
> > [testuser@ipa-client-1 :~] date
> > Tue Jul 26 12:06:55 UTC 2016
> >
> >
> > sssd_domain logs
> >
> > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sbus_message_handler]
> > (0x2000): Received SBUS method
> > org.freedesktop.sssd.dataprovider.getAccountInfo on path
> > /org/freedesktop/sssd/dataprovider
> > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send]
> > (0x2000): Not a sysbus message, quit
> > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [be_get_account_info]
> > (0x0200): Got request for [0x3][1][name=testuser]
> > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [be_req_set_domain]
> > (0x0400): Changing request domain from [xyz.com] to [xyz.com]
> > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]]
> > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> > domain SID from [(null)]
> > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]]
> > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> > domain SID from [(null)]
> > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]]
> [sdap_get_initgr_next_base]
> > (0x0400): Searching for users with base [cn=accounts,dc=xyz,dc=com]
>
> --> A request for user's groups arrived.
>
> > (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_print_server]
> > (0x2000): Searching 10.65.16.4
> > (Tue Jul 26

Re: [Freeipa-users] slow login with freeipa 4.2.0

2016-07-29 Thread Jakub Hrozek 
On Tue, Jul 26, 2016 at 06:07:10PM +0530, Rakesh Rajasekharan wrote:
> > Any change that it's running on a VM? If so, check your entropy:
> 
> > cat /proc/sys/kernel/random/entropy_avail
> 
> > If it's low (like < 1k), install haveged.
> 
> this indeed is vm , am running it on azure . However, I have a similar set
> up running on aws which works completely fine

Sorry about the delay in replying..

> 
> The entropy was low, around 180, I installed haveged and now its above 3k
> cat /proc/sys/kernel/random/entropy_avail
> 3178
> 
> The timing though is still the same around 19s

I have some comments inline about the config and logs.

> 
> @jakub, i am reattaching the logs.
> 
> The dns resoltion seems fast when I check using dig
> 
> below is my sssd.conf
> [domain/xyz.com]
> selinux_provider=none
> krb5_auth_timeout = 20
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = xyz.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt
> ipa_hostname = 10.65.16.4

The ipa_hostname value is wrong. It's meant for systems where hostname
reports a different name that what is the name the host is registered as
in IPA. Including an IP address there doesn't make much sense.

> chpass_provider = ipa
> ipa_server = ipa-master-in.xyz.com
> dns_discovery_domain = xyz.com
> ignore_group_members=True
> ldap_purge_cache_timeout = 0
> debug_level=8
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
> 
> domains = xyz.com
> [nss]
> homedir_substring = /home
> 
> [pam]
> pam_id_timeout = 3
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> [pac]
> 
> [ifp]
> 
> 
> 
> And here is the login times and logs
> 
> [root@ipa-client-1 :~] date;ssh testuser@localhost
> Tue Jul 26 12:06:37 UTC 2016
> testuser@localhost's password:
> Last login: Tue Jul 26 12:03:53 2016 from 127.0.0.1
> [testuser@ipa-client-1 :~] date
> Tue Jul 26 12:06:55 UTC 2016
> 
> 
> sssd_domain logs
> 
> (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sbus_message_handler]
> (0x2000): Received SBUS method
> org.freedesktop.sssd.dataprovider.getAccountInfo on path
> /org/freedesktop/sssd/dataprovider
> (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send]
> (0x2000): Not a sysbus message, quit
> (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [be_get_account_info]
> (0x0200): Got request for [0x3][1][name=testuser]
> (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [be_req_set_domain]
> (0x0400): Changing request domain from [xyz.com] to [xyz.com]
> (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_initgr_next_base]
> (0x0400): Searching for users with base [cn=accounts,dc=xyz,dc=com]

--> A request for user's groups arrived.

> (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_print_server]
> (0x2000): Searching 10.65.16.4
> (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step]
> (0x0400): calling ldap_search_ext with
> [(&(uid=testuser)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0][cn=accounts,dc=xyz,dc=com].
> (Tue Jul 26 12:06:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [objectClass]

[...]

> (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [acctinfo_callback]
> (0x0100): Request processed. Returned 0,0,Success (Success)

---> Here the request for user's groups finished. It took about a second
in total.

> (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [sbus_message_handler]
> (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler
> on path /org/freedesktop/sssd/dataprovider
> (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send]
> (0x2000): Not a sysbus message, quit
> (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_req_set_domain]
> (0x0400): Changing request domain from [xyz.com] to [xyz.com]
> (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100):
> Got request with the following data
> (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100):
> command: SSS_PAM_PREAUTH

Preauthentication checks for available login methods...

> (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback]
> (0x0100): Backend returned: (0, 0, ) [Success (Success)]
> (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback]
> (0x0100): Sending result [0][xyz.com]
> (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback]
> (0x0100): Sent result [0][xyz.com]

---> Here the preauth request finished, within a second.

> (Tue Jul 26 12:06:41 2016) [sssd[be[xyz.com]]] [sbus_message_handler]
> (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler
> on path

Re: [Freeipa-users] slow login with freeipa 4.2.0

2016-07-25 Thread Robert Story 
On Mon, 25 Jul 2016 21:23:19 +0530 Rakesh wrote:
RR> Hi,
RR> 
RR> I am facing slow login issue with IPA 4.2.0 version. The login takes around
RR> 18-19s

Any change that it's running on a VM? If so, check your entropy:

 cat /proc/sys/kernel/random/entropy_avail

If it's low (like < 1k), install haveged.


Robert

-- 
Senior Software Engineer @ Parsons


pgperPRYfkDAd.pgp
Description: OpenPGP digital signature
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] slow login with freeipa 4.2.0

2016-07-25 Thread Jakub Hrozek 
On Mon, Jul 25, 2016 at 09:23:19PM +0530, Rakesh Rajasekharan wrote:
> Hi,
> 
> I am facing slow login issue with IPA 4.2.0 version. The login takes around
> 18-19s
> 
> date;ssh testuser@10.16.32.4
> Mon Jul 25 11:14:54 UTC 2016
> testuser@10.65.32.4's password:
> Last login: Mon Jul 25 11:10:35 2016 from 10.65.16.4
> [testuser@ipa-client-1 :~] date
> Mon Jul 25 11:15:12 UTC 2016

Are you sure the logs correspond to the login attempt? The stamps you
posted are between 11:14:54 and 11:15:12 but the logs below are from a
different time period.

There is a 10 second period in the sssd logs when seemingly nothing
happens.

Does the same delay happen if you su from another non-root account
(ruling out some DNS issues in SSH or similar) ?

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project