[Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)

Dan Mossor danofsatx at gmail.com
Tue Apr 7 18:15:46 UTC 2015


On 04/07/2015 03:05 AM, Jakub Hrozek wrote:
> On Mon, Apr 06, 2015 at 08:01:46PM -0500, Dan Mossor wrote:
>> On 04/05/2015 12:51 PM, Dmitri Pal wrote:
>>> Several tips.
>>> Please check your DNS configuration.
>>> Such delay is usually caused by the DNS lookups timing out. That means
>>> that the servers are probably trying to resolve names against an old DNS
>>> server that is not around. Look at resolv.conf and make sure only valid
>>> DNS servers are there and they are in the proper order.
>>>
>>> If this does not help please turn on SSSD debug_level to 10, sanitize
>>> and send the SSSD domain logs and sssd.conf to the list.
>>> More hints can be found here:
>>> https://fedorahosted.org/sssd/wiki/Troubleshooting
>>>
>> DNS lookups are good - 'dig' and 'dig -x' return instantaneous forward and
>> reverse lookups on the IPA server, the target server, and the client. The
>> only DNS server configured is the IPA server.
>>
>> I did catch some sssd logs. I set logging to 0x0450 instead of 10, and I
>> didn't have time to compare if any different information was caught. If you
>> still need me to specify log level 10 or some other setting, let me know.
>> The login that these logs are for took 15.371 seconds (checked via 'time ssh
>> danofsatx@yoda.example.lcl exit').
>>
>> selinux_child.log: http://fpaste.org/207805/
>> sssd_sudo.log: http://fpaste.org/207806/
>> sssd_pac.log: http://fpaste.org/207807/
>> sssd_pam.log: http://fpaste.org/207808/67775142/
>> sssd_nss.log: http://fpaste.org/207809/
>> sssd.log: http://fpaste.org/207810/
>> sssd_example.lcl.log: http://fpaste.org/207811/36832514/
>
> We've recently found a performance problem in the SELinux code. Can you
> check if setting:
>      selinux_provider = none
> improves the performance anyhow?
>

Adding "selinux_provider = none" to the domain section of 
/etc/sssd/sssd.conf seems to have drastically improved ssh logins. The 
Apache authentications are faster, but we're still hitting a performance 
issue somewhere in that chain. It may be with Apache itself, so stand 
by...but otherwise, I'm calling this fixed.

Thanks!

-- 
Dan Mossor
Systems Engineer at Large
Fedora KDE WG | Fedora QA Team | Fedora Server SIG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA
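
The thread locates the delay by collecting SSSD debug logs for one slow login. The following is an added example, not code from the thread or from the SSSD project: a small Python helper that ranks the longest pauses between consecutive debug log entries. It assumes the SSSD debug line layout `(timestamp) [process] [function] (level): message`; the sample lines and their function names are constructed placeholders.

```python
import re
from datetime import datetime

# Assumed layout: (Tue Apr  7 13:15:30 2015) [process] [function] (0x0400): message
# With debug_microseconds enabled the time carries a trailing ":123456".
LINE_RE = re.compile(
    r"^\(\w{3} (?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d)(?::(?P<us>\d{6}))? (?P<year>\d{4})\) "
    r"\[(?P<proc>.+?)\] \[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

def parse(lines):
    """Yield (timestamp, function, message); skip lines that do not match."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # continuation lines or unrelated text
        ts = datetime.strptime(f"{m['ts']} {m['year']}", "%b %d %H:%M:%S %Y")
        yield ts.replace(microsecond=int(m["us"] or 0)), m["func"], m["msg"]

def largest_gaps(lines, top=3, min_seconds=1.0):
    """Return (seconds, func_before, func_after) for the longest pauses, longest first."""
    events = list(parse(lines))
    gaps = [((t1 - t0).total_seconds(), f0, f1)
            for (t0, f0, _), (t1, f1, _) in zip(events, events[1:])
            if (t1 - t0).total_seconds() >= min_seconds]
    return sorted(gaps, key=lambda g: -g[0])[:top]

# Constructed sample, not taken from the pastes linked in the thread;
# the function names are hypothetical placeholders.
SAMPLE = """\
(Tue Apr  7 13:15:30 2015) [sssd[be[example.lcl]]] [auth_start] (0x0100): constructed
(Tue Apr  7 13:15:30 2015) [sssd[be[example.lcl]]] [auth_done] (0x0100): constructed
(Tue Apr  7 13:15:31 2015) [sssd[be[example.lcl]]] [selinux_begin] (0x0400): constructed
(Tue Apr  7 13:15:44 2015) [sssd[be[example.lcl]]] [selinux_end] (0x0400): constructed
(Tue Apr  7 13:15:45 2015) [sssd[be[example.lcl]]] [session_open] (0x0100): constructed
"""

if __name__ == "__main__":
    for seconds, before, after in largest_gaps(SAMPLE.splitlines()):
        print(f"{seconds:6.1f}s between {before} and {after}")
```

Run it over the domain log (for example sssd_example.lcl.log) before and after a configuration change to see whether the longest pause moved or disappeared.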



