[Freeipa-users] Slow user logon with IPA

Jakub Hrozek jhrozek at redhat.com
Fri Apr 10 18:48:15 UTC 2015


On Fri, Apr 10, 2015 at 12:39:20PM -0400, Dmitri Pal wrote:
> On 04/10/2015 08:13 AM, Mateusz Malek wrote:
> >Hi everyone!
> >
> >I'm about to migrate my OpenLDAP-based environment to FreeIPA, however
> >I've hit some weird performance problems. When I'm using IPA, it takes
> >about 5-7 (or even more) seconds to get shell prompt after entering user
> >password (no matter whether this is local login to FreeIPA server itself
> >or accessing FreeIPA client machine); also, during user logon, ns-slapd
> >processes CPU usage seems to be high. For comparison, in our present
> >environment this transition from login to shell is instant.
> >
> >Some details: we have about 1000 user accounts and 200 user groups. We're
> >using (mostly) CentOS 7 virtual machines as servers and Fedora 20 as user
> >workstations. There are also some physical Ubuntu 12.04 servers (our
> >OpenLDAP is hosted there). Slow login occurs in all these (server)
> >configurations I've tried:
> >- FreeIPA on CentOS 7 VM, packages from "stock" repositories (version 4.1)
> >- FreeIPA on CentOS 7 VM, packages from mkosek/freeipa COPR
> >- FreeIPA on Fedora 21 Workstation physical machine, packages from
> >mkosek/freeipa COPR
> >
> >In all cases, machines had 2GB of RAM (exclusively reserved or physical).
> >Virtual machines were tested on two separate VMware vSphere clusters
> >(running different versions of vCenter and ESXi). I have tried using SSSD,
> >pam_krb5 + nss_ldap, pam_ldap + nss_ldap - no luck.
> >
> >I **think** that with FreeIPA 3.3 on CentOS 7, when I tested IPA some time
> >ago, there were no similar issues.
> >
> >Any ideas what can be wrong or how to troubleshoot this?
> 
> Make sure your time is in sync on the server and the client.
> On the client (SSSD) enable verbose logging debug_level = see here
> https://jhrozek.fedorapeople.org/sssd/git/man/sss_debuglevel.8.html
> Do authentication and see where the time is spent by examining the logs.
> Correlate it to the logs on the server.
> 
> If stuck send the logs from SSSD, and KDC/DS on the server and sssd
> configuration to the list for us to inspect.

I spent the better part of today fixing this issue:
    https://fedorahosted.org/sssd/ticket/2624

You might want to check if you're hit by this bug by setting:
    selinux_provider=none
temporarily.
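
Added example, not part of the original thread: one way to "see where the time is spent" in an SSSD debug log is to rank the gaps between consecutive timestamped lines. The log line layout in the regex is an assumption, and the sample lines, function names and the `slowest_gaps` helper are constructed for illustration.

```python
import re
from datetime import datetime

# Assumed layout of an SSSD debug log line (optional microseconds after the time):
# (Fri Apr 10 14:13:05 2015) [sssd[be[example.test]]] [function] (0x0400): message
LINE_RE = re.compile(
    r"^\((?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
    r"(?::(?P<usec>\d{6}))? (?P<year>\d{4})\) "
    r"\[.+?\] \[(?P<func>[^\]]+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$"
)

# Constructed sample; function names and messages are hypothetical.
SAMPLE = """\
(Fri Apr 10 14:13:05 2015) [sssd[be[example.test]]] [example_pam_request] (0x0100): sample: got PAM request
(Fri Apr 10 14:13:05 2015) [sssd[be[example.test]]] [example_auth_start] (0x0400): sample: authentication started
(Fri Apr 10 14:13:06 2015) [sssd[be[example.test]]] [example_auth_done] (0x0400): sample: authentication finished
    continuation line without a timestamp, skipped by the parser
(Fri Apr 10 14:13:06 2015) [sssd[be[example.test]]] [example_selinux_start] (0x0400): sample: selinux step started
(Fri Apr 10 14:13:12 2015) [sssd[be[example.test]]] [example_selinux_done] (0x0400): sample: selinux step finished
"""


def parse(line):
    """Return (timestamp, function, message), or None for unparseable lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
    if m["usec"]:
        ts = ts.replace(microsecond=int(m["usec"]))
    return ts, m["func"], m["msg"]


def slowest_gaps(lines, top=3):
    """Rank the pauses between consecutive log events, longest first.

    Each result is (gap_seconds, function_before, function_after, message_after).
    """
    events = [e for e in map(parse, lines) if e is not None]
    gaps = [
        ((t1 - t0).total_seconds(), f0, f1, msg)
        for (t0, f0, _), (t1, f1, msg) in zip(events, events[1:])
    ]
    return sorted(gaps, key=lambda g: g[0], reverse=True)[:top]


if __name__ == "__main__":
    for gap, before, after, msg in slowest_gaps(SAMPLE.splitlines()):
        print(f"{gap:6.1f}s  {before} -> {after}: {msg}")
```

Without microsecond timestamps in the log the gaps are only accurate to one second, which is still enough to locate a multi-second stall.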



