[Freeipa-users] Slow ipa performance -- why so many ldap lookups ?

Jakub Hrozek jhrozek at redhat.com
Thu Mar 21 14:29:38 UTC 2013


On Thu, Mar 21, 2013 at 11:43:55AM +0100, Jan-Frode Myklebust wrote:
> On Wed, Mar 20, 2013 at 02:29:07PM +0100, Jakub Hrozek wrote:
> > 
> > I think pasting or attaching SSSD logs would be a good start. Can you
> > put debug_level = 6 into your sssd.conf into the [pam] and [domain]
> > sections, restart the sssd and then attach /var/log/sssd/sssd_pam.log and
> > /var/log/sssd/sssd_$domain.log ?
> 
> At "Mar 21 11:33:27" I was denied access to this ipa server (and
> client), likely caused by me not getting all groups. Immediately
> afterwards I could successfully log in. Attached are debug_level=6
> logfiles (slightly anonymized by "s/realdomain/example/g").
> 
> sssd is configured with "domains = example.net, IPALDAP", where
> example.net is an ipa backend, and IPALDAP is an ldap backend using the
> ipa directory.
> 
> 
>   -jf

I see several failures related to the SELinux processing:
-----------
(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!
(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][example.net]
(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sent result [4][example.net]
-----------

"4" is an internal error code; it would manifest in your /var/log/secure
as "System Error".

What state is SELinux on the client machine? Are there any AVC denials?
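
The triage done by eye in the message above, as an added example that is not part of the original post and is not SSSD code: it scans debug_level=6 backend log lines for a non-zero PAM result and returns the backend messages that preceded it for the same domain. The function name find_pam_failures is hypothetical, the PAM code names are the Linux-PAM constants, and the IPALDAP line in the sample is constructed.

```python
import re

# SSSD backend debug line: (timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
RESULT_RE = re.compile(r"^Sending result \[(?P<code>\d+)\]\[[^\]]+\]$")

# Linux-PAM return codes (subset); 4 is what /var/log/secure shows as "System Error"
PAM_NAMES = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR",
             6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR"}

def find_pam_failures(lines, context=3):
    """Return one record per non-zero PAM result sent by a backend, with the
    last `context` parsed messages logged for the same domain before it."""
    recent = {}      # domain -> most recent (function, message) pairs
    failures = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a backend debug line in the expected layout
        domain, func, msg = m["domain"], m["func"], m["msg"]
        r = RESULT_RE.match(msg) if func == "be_pam_handler_callback" else None
        if r and int(r["code"]) != 0:
            code = int(r["code"])
            failures.append({
                "timestamp": m["ts"],
                "domain": domain,
                "code": code,
                "name": PAM_NAMES.get(code, "UNKNOWN"),
                "context": list(recent.get(domain, [])),
            })
        recent[domain] = (recent.get(domain, []) + [(func, msg)])[-context:]
    return failures

# First three lines are the excerpt quoted in the message; the last is constructed.
SAMPLE = """\
(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!
(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][example.net]
(Thu Mar 21 08:23:58 2013) [sssd[be[IPALDAP]]] [be_pam_handler_callback] (0x0100): Sending result [0][IPALDAP]
""".splitlines()

if __name__ == "__main__":
    for f in find_pam_failures(SAMPLE):
        print(f["timestamp"], f["domain"], f["code"], f["name"])
        for func, msg in f["context"]:
            print("    preceded by", func + ":", msg)
```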
