[Freeipa-users] IDM/ipa slow login

seli irithyl seli.irithyl at gmail.com
Wed Aug 12 15:21:50 UTC 2015


If I ssh in as an IPA user, authentication hangs on "we sent a
gssapi-with-mic packet, wait for reply" for 5s to 10s.
If I ssh in as a local user, auth is nearly immediate (less than 1s).


From a client:
[test at argon ~]$ time id test
uid=1713400050(test) gid=1713400050(test)
groups=1713400050(test),1713400004(bioinfo)

real    0m2.269s
user    0m0.001s
sys    0m0.004s

[test at argon ~]$ time id test
uid=1713400050(test) gid=1713400050(test)
groups=1713400050(test),1713400004(bioinfo)

real    0m0.005s
user    0m0.002s
sys    0m0.003s


[test at argon ~]$ time ipa user-find test
--------------
1 user matched
--------------
  User login: test
  First name: test
  Last name: user
  Home directory: /home/test
  Login shell: /bin/bash
  Email address: test at bioinf.local
  UID: 1713400050
  GID: 1713400050
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 1
----------------------------

real    0m1.464s
user    0m0.348s
sys    0m0.062s


Following the guide you sent me:
On the server:

[root at lead sssd]# systemctl status sssd
sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled)
  Drop-In: /etc/systemd/system/sssd.service.d
           └─journal.conf
   Active: active (running) since Wed 2015-08-12 16:55:50 CEST; 11min ago
  Process: 6495 ExecStart=/usr/sbin/sssd -D -f (code=exited,
status=0/SUCCESS)
 Main PID: 6496 (sssd)
   CGroup: /system.slice/sssd.service
           ├─6496 /usr/sbin/sssd -D -f
           ├─6497 /usr/libexec/sssd/sssd_be --domain bioinf.local --uid 0
--gid 0 --debug-to-files
           ├─6498 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0
--debug-to-files
           ├─6499 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0
--debug-to-files
           ├─6500 /usr/libexec/sssd/sssd_autofs --uid 0 --gid 0
--debug-to-files
           ├─6501 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0
--debug-to-files
           ├─6502 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0
--debug-to-files
           └─6503 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0
--debug-to-files

Aug 12 16:55:50 lead.bioinf.local sssd[autofs][6500]: Starting up
Aug 12 16:55:50 lead.bioinf.local sssd[pam][6499]: Starting up
Aug 12 16:55:50 lead.bioinf.local sssd[sudo][6502]: Starting up
Aug 12 16:55:50 lead.bioinf.local sssd[ssh][6501]: Starting up
Aug 12 16:55:50 lead.bioinf.local sssd[pac][6503]: Starting up
Aug 12 16:55:50 lead.bioinf.local sssd_be[6497]: GSSAPI client step 1
Aug 12 16:55:50 lead.bioinf.local sssd_be[6497]: GSSAPI client step 1
Aug 12 16:55:50 lead.bioinf.local systemd[1]: Started System Security
Services Daemon.
Aug 12 16:55:51 lead.bioinf.local sssd_be[6497]: GSSAPI client step 1
Aug 12 16:55:51 lead.bioinf.local sssd_be[6497]: GSSAPI client step 2


[root at lead sssd]# more /etc/nsswitch.conf
passwd:     files sss
shadow:     files sss
group:      files sss
#initgroups: files

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount: files

aliases:    files


[root at lead sssd]# date
Wed Aug 12 17:09:50 CEST 2015
[root at lead sssd]# systemctl restart sssd
[root at lead sssd]# getent passwd test
test:*:1713400050:1713400050:test user:/home/test:/bin/bash


sssd_nss.log:
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_responder_ctx_destructor]
(0x0400): Responder is being shut down
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [server_setup] (0x0400): CONFDB:
/var/lib/sss/db/config.ldb
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [confdb_get_domain_internal]
(0x0400): No enumeration for [bioinf.local]!
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sbus_init_connection] (0x0400):
Adding connection 0x7ff00ae60ec0
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [monitor_common_send_id] (0x0100):
Sending ID: (nss,1)
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_names_init_from_args] (0x0100):
Using re
[(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_fqnames_init] (0x0100): Using
fq format [%1$s@%2$s].
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sbus_init_connection] (0x0400):
Adding connection 0x7ff00ae60b00
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [dp_common_send_id] (0x0100):
Sending ID to DP: (1,NSS)
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sysdb_domain_init_internal]
(0x0200): DB File for bioinf.local: /var/lib/sss/db/cache_bioinf.local.ldb
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [ldb] (0x0400): asq: Unable to
register control with rootdse!
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_process_init] (0x0400):
Responder Initialization complete
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'root' matched without domain, user is root
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
Adding [NCE/USER/bioinf.local/root] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'polkitd' matched without domain, user is polkitd
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
Adding [NCE/USER/bioinf.local/polkitd] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'avahi' matched without domain, user is avahi
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
Adding [NCE/USER/bioinf.local/avahi] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'colord' matched without domain, user is colord
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
Adding [NCE/USER/bioinf.local/colord] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'rtkit' matched without domain, user is rtkit
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
Adding [NCE/USER/bioinf.local/rtkit] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'pulse' matched without domain, user is pulse
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
Adding [NCE/USER/bioinf.local/pulse] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'gdm' matched without domain, user is gdm
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
Adding [NCE/USER/bioinf.local/gdm] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'postfix' matched without domain, user is postfix
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
Adding [NCE/USER/bioinf.local/postfix] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'root' matched without domain, user is root
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
Adding [NCE/GROUP/bioinf.local/root] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'polkitd' matched without domain, user is polkitd
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
Adding [NCE/GROUP/bioinf.local/polkitd] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'avahi' matched without domain, user is avahi
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
Adding [NCE/GROUP/bioinf.local/avahi] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'colord' matched without domain, user is colord
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
Adding [NCE/GROUP/bioinf.local/colord] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'rtkit' matched without domain, user is rtkit
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
Adding [NCE/GROUP/bioinf.local/rtkit] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'pulse' matched without domain, user is pulse
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
Adding [NCE/GROUP/bioinf.local/pulse] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'gdm' matched without domain, user is gdm
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
Adding [NCE/GROUP/bioinf.local/gdm] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'postfix' matched without domain, user is postfix
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400):
Adding [NCE/GROUP/bioinf.local/postfix] to negative cache permanently
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found
shell /bin/sh in /etc/shells
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found
shell /bin/bash in /etc/shells
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found
shell /sbin/nologin in /etc/shells
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found
shell /usr/bin/sh in /etc/shells
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found
shell /usr/bin/bash in /etc/shells
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found
shell /usr/sbin/nologin in /etc/shells
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found
shell /bin/tcsh in /etc/shells
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found
shell /bin/csh in /etc/shells
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [responder_set_fd_limit] (0x0100):
Maximum file descriptors set to [8192]
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_names_init_from_args] (0x0100):
Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_fqnames_init] (0x0100): Using
fq format [%1$s@%2$s].
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [nss_process_init] (0x0400): NSS
Initialization complete
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400):
Issuing request for [0x7ff00a44a670:domains at bioinf.local]
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400):
Sending get domains request for [bioinf.local][]
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400):
Entering request [0x7ff00a44a670:domains at bioinf.local]
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [dp_id_callback] (0x0100): Got id
ack and version (1) from DP
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [id_callback] (0x0100): Got id ack
and version (1) from Monitor
(Wed Aug 12 17:09:59 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400):
Deleting request: [0x7ff00a44a670:domains at bioinf.local]
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [accept_fd_handler] (0x0400): Client
connected!
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200):
Received client version [1].
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200):
Offered version [1].
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running
command [17] with input [root].
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'root' matched without domain, user is root
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
Requesting info for [root] from [<ALL>]
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400):
User [root] does not exist in [bioinf.local]! (negative cache)
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080):
No matching domain found for [root], fail!
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running
command [38] with input [root].
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'root' matched without domain, user is root
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
Requesting info for [root] from [<ALL>]
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_initgroups_search]
(0x0400): User [root] does not exist in [bioinf.local]! (negative cache)
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [nss_cmd_initgroups_search]
(0x0080): No matching domain found for [root], fail!
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [client_recv] (0x0200): Client
disconnected!
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [accept_fd_handler] (0x0400): Client
connected!
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200):
Received client version [1].
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200):
Offered version [1].
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running
command [17] with input [test].
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'test' matched without domain, user is test
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
Requesting info for [test] from [<ALL>]
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
Requesting info for [test at bioinf.local]
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry
is valid, returning..
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400):
Returning info for user [test at bioinf.local]
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [client_recv] (0x0200): Client
disconnected!

sssd.conf:
[sssd]
debug_level = 6
config_file_version = 2
services = nss, pam, autofs, ssh, sudo
domains = bioinf.local

[nss]
debug_level = 6
filter_users = root, polkitd, avahi, colord, rtkit, pulse, gdm, postfix
filter_groups = root, polkitd, avahi, colord, rtkit, pulse, gdm, postfix
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]
debug_level = 6

[domain/bioinf.local]
enumerate = false
debug_level = 6
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = bioinf.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = lead.bioinf.local
chpass_provider = ipa
ipa_server = _srv_, lead.bioinf.local
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_lifetime = 1d
krb5_renewable_lifetime = 7d
krb5_renew_interval = 3600


[ssh]
debug_level = 6

[autofs]
debug_level = 6

[sudo]


On Tue, Aug 11, 2015 at 1:39 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:

> On Tue, Aug 11, 2015 at 10:37:16AM +0200, seli irithyl wrote:
> > Hi,
> >
> > I inherited a server (the guy that built it left) running centos 7 and
> > Identity Management (Kerberos, 389DS, ...) with NFS.
> > Everything concerning login (with network accounts) is very slow (
> several
> > seconds)
> > I already solved a lot of problems on this server(DNS, NTP, firewall,
> ...),
> > but I am neither a sysadmin nor a linux guru and I don't know where and
> > what to look for ?
> > Kerberos ? 389DS ? NFS ? SElinux ? sssd ? ...
>
> Can you define "slow" better? Can you estimate how big is your
> environment?
>
> I would start by comparing the time it takes to search the entry in LDAP
> or kinit with login through GDM or SSH. Then, if the times differ, look
> into SSSD. Some pointers are here:
>     https://fedorahosted.org/sssd/wiki/Troubleshooting
>
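Jakub's pointer above is to find out where the time actually goes. As an added example (not from this thread), the script below parses the mail-wrapped sssd_nss.log excerpt posted above and reports gaps between consecutive timestamps, which isolates the 3-second wait on the data provider between 17:09:56 and 17:09:59; the function names, the 2-second threshold and the idle-marker rule are my own choices.

```python
import re
from datetime import datetime

# Timestamp and function name of an SSSD debug line, e.g.
# "(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): ..."
# The responder tag is matched loosely so "[sssd[be[bioinf.local]]]" works too.
LINE_RE = re.compile(r"^\((\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\) \[sssd\[.*?\]\] \[(\w+)\]")

def parse_sssd_log(text):
    """Return (timestamp, function, full message) tuples; wrapped lines are rejoined."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            entries.append((ts, m.group(2), line))
        elif entries:
            # No timestamp: a mail-wrapped continuation of the previous entry.
            ts, fn, msg = entries[-1]
            entries[-1] = (ts, fn, msg + " " + line)
    return entries

def find_stalls(entries, min_seconds=2, idle_markers=("accept_fd_handler",)):
    """Return (seconds, function before gap, function after gap) for gaps >= min_seconds.
    A gap ending in a new client connection is the responder idling, not a slow lookup."""
    stalls = []
    for (t0, f0, _), (t1, f1, _) in zip(entries, entries[1:]):
        gap = (t1 - t0).total_seconds()
        if gap >= min_seconds and f1 not in idle_markers:
            stalls.append((gap, f0, f1))
    return stalls

# Constructed sample: lines taken from this post's sssd_nss.log, still mail-wrapped.
SAMPLE_LOG = """\
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400):
Issuing request for [0x7ff00a44a670:domains at bioinf.local]
(Wed Aug 12 17:09:56 2015) [sssd[nss]] [dp_id_callback] (0x0100): Got id
ack and version (1) from DP
(Wed Aug 12 17:09:59 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400):
Deleting request: [0x7ff00a44a670:domains at bioinf.local]
(Wed Aug 12 17:10:01 2015) [sssd[nss]] [accept_fd_handler] (0x0400): Client
connected!
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running
command [17] with input [test].
(Wed Aug 12 17:10:02 2015) [sssd[nss]] [check_cache] (0x0400): Cached entry
is valid, returning..
"""
```

Run `find_stalls(parse_sssd_log(open("/var/log/sssd/sssd_nss.log").read()))` on a real log (or the sssd_be log, where the LDAP and Kerberos round trips are logged) to see which call sits in front of each multi-second gap; the sample above yields a single 3-second stall between dp_id_callback and sss_dp_req_destructor.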