[Freeipa-users] Large slow down when using IPA

JR Aquino JR.Aquino at citrix.com
Sat Dec 31 04:19:13 UTC 2011


On Dec 30, 2011, at 5:45 PM, Erinn Looney-Triggs wrote:

> I have been slowly rolling out FreeIPA to my systems, trying to track
> differences/changes. One of the most noticeable has been a large slow
> down in file access times.
> 
> Let me explain as best as I can. I use AIDE to track the file system
> (think tripwire) and it runs checks once a day. During these checks it
> is scanning (almost) the entire file system and comparing it to a stored
> database. On a moderately powered system with ~151k files, an AIDE run
> will usually take ~30 minutes. After the system becomes an IPA client
> the same run will generally take ~90-120 minutes. Un-install the
> ipa-client, back to ~30 minutes for an AIDE run.
> 
> Now clearly a lot of lookups are being done for user names and group
> names, and this will have a performance hit that is dependent on the
> network. However, the odd thing is that even when running on the IPA
> server itself the slowdown is still the same.
> 
> Not sure if this is an IPA problem, an SSSD problem, a bit of both, or
> neither, perhaps it is just the way it is, but a slowdown of 3-4x seems
> a bit much to me. Clearly the results are not scientific, however, they
> have been generally reproducible since I started rolling IPA out.
> 
> As a side note this slowdown has also broken bacula backups, as the
> bacula client is scanning the filesystem for change (using accurate
> backups) the director times out.
> 
> Any thoughts, or opinions? Workarounds etc? I have checked to make sure
> that SSSD caching is enabled, and functional.
> 
> Thanks,
> 
> -Erinn

I am assuming that these are all running as local users.

From the sssd.conf man page in the nss section:

filter_users, filter_groups (string)
           Exclude certain users from being fetched from the sss NSS
           database. This is particularly useful for system accounts.
           This option can also be set per-domain or include
           fully-qualified names to filter only users from the
           particular domain.

           Default: root


Try adding this to your sssd.conf:

[nss]
# list the local daemon accounts as needed
filter_groups = root,bacula,aide,otherdaemonuser
filter_users = root,bacula,aide,otherdaemonuser

Let me know if that solves your issue.
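
One way to build the filter_users / filter_groups lists suggested above from the local account files. This is an added example, not part of the original message; the cutoff of 999 for system account IDs, the function names and the sample passwd/group entries are assumptions constructed for illustration.

```python
#!/usr/bin/env python3
"""Build an sssd.conf [nss] filter section from local system accounts."""
import sys

SYSTEM_ID_MAX = 999  # assumption: IDs 0..999 are local system accounts

# Constructed sample data in passwd(5) and group(5) format.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bacula:x:133:133::/var/spool/bacula:/sbin/nologin
aide:x:134:134::/var/lib/aide:/sbin/nologin
alice:x:1500:1500::/home/alice:/bin/bash
"""
SAMPLE_GROUP = """root:x:0:
tape:x:33:bacula
bacula:x:133:
staff:x:1500:alice
"""


def system_names(db_text, id_max=SYSTEM_ID_MAX):
    """Return sorted names whose numeric ID (third field in both the
    passwd and group formats) is at or below id_max."""
    names = set()
    for line in db_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#+-":
            continue  # blank lines, comments, NIS compat entries
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # malformed entry
        if int(fields[2]) <= id_max:
            names.add(fields[0])
    return sorted(names)


def nss_section(passwd_text, group_text, id_max=SYSTEM_ID_MAX):
    """Render the [nss] section; root (the documented default) is kept."""
    users = system_names(passwd_text, id_max)
    groups = system_names(group_text, id_max)
    for names in (users, groups):
        if "root" not in names:
            names.insert(0, "root")
    return "[nss]\nfilter_users = {}\nfilter_groups = {}\n".format(
        ",".join(users), ",".join(groups))


if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. /etc/passwd /etc/group
        with open(sys.argv[1]) as p, open(sys.argv[2]) as g:
            print(nss_section(p.read(), g.read()), end="")
    else:
        print(nss_section(SAMPLE_PASSWD, SAMPLE_GROUP), end="")
```

Review the generated lists before merging them into sssd.conf, since any name listed there will no longer be resolved through SSSD.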




