[Freeipa-users] login delay with sssd

Jakub Hrozek jhrozek at redhat.com
Mon Jun 1 14:50:17 UTC 2015


On Mon, Jun 01, 2015 at 03:42:53PM +0100, Ivars Strazdiņš wrote:
> Hi,
> how could I possibly trace why there is a noticeable delay when logging into an sssd-enabled server?

Using SSSD logs:
    https://fedorahosted.org/sssd/wiki/Troubleshooting

> With ssh there is a 2-3 second delay before users log in. But most users notice this with webmail, which uses dovecot->pam->sssd as authentication backend.
> Environment is Centos 7.1 and FreeIPA 4.1.0 servers, two redundant.
> Client also running Centos 7.1 with sssd.
> Installation as per IPA handbook. DNS is proper (or so I think :) ).
> Nothing special in logs that I could attribute to this problem except maybe that for each successful login there is a pam_unix failure entry in /var/log/secure log like:
> Jun  1 17:38:36 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user1 at company.com rhost=::1  user=user1 at company.com
> Jun  1 17:38:37 mail auth: pam_sss(dovecot:auth): authentication success; logname= uid=0 euid=0 tty=dovecot ruser=user1 at company.com rhost=::1 user=user1 at company.com
> 
> But when user is logged in, “id” command result is instantaneous.

The behaviour of id from command line and during login is different.
During login, we always ignore the cache to make sure the group
membership is correct, because in Linux, group membership is only set
during login.

This RFE might be of interest to you:
    https://fedorahosted.org/sssd/ticket/1807

We plan on more performance enhancements in the next (1.14) planned
release.
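
Added example, not part of the original thread: a Python script that pairs each pam_unix failure with the following pam_sss result in /var/log/secure lines of the format quoted above and reports the seconds between them, as a first measurement before turning to the SSSD debug logs. The sample lines, user names, the year and the function names are constructed for illustration.

```python
import re
from datetime import datetime

# Matches pam_unix / pam_sss auth lines in the format quoted in the thread.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+: "
    r"(?P<mod>pam_unix|pam_sss)\((?P<svc>[^:)]+):auth\): "
    r"authentication (?P<res>failure|success);.*\suser=(?P<user>\S+)"
)

# Constructed sample input (not real log data).
SAMPLE = """\
Jun  1 17:38:36 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user1@example.com rhost=::1  user=user1@example.com
Jun  1 17:38:37 mail auth: pam_sss(dovecot:auth): authentication success; logname= uid=0 euid=0 tty=dovecot ruser=user1@example.com rhost=::1 user=user1@example.com
Jun  1 17:40:02 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user2@example.com rhost=::1  user=user2@example.com
Jun  1 17:40:05 mail auth: pam_sss(dovecot:auth): authentication success; logname= uid=0 euid=0 tty=dovecot ruser=user2@example.com rhost=::1 user=user2@example.com
Jun  1 17:41:10 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user3@example.com rhost=::1  user=user3@example.com
Jun  1 17:41:12 mail auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user3@example.com rhost=::1 user=user3@example.com
"""

def auth_gaps(text, year=2015):
    """Return (user, service, seconds) for each pam_unix failure that is
    followed by a pam_sss success for the same user and service."""
    pending = {}   # (user, service) -> time of the pam_unix failure
    gaps = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; the caller supplies one (assumption).
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["user"], m["svc"])
        if m["mod"] == "pam_unix" and m["res"] == "failure":
            pending[key] = when
        elif m["mod"] == "pam_sss":
            started = pending.pop(key, None)
            # A pam_sss failure is a genuinely failed login: drop it, no gap.
            if started is not None and m["res"] == "success":
                gaps.append((*key, (when - started).total_seconds()))
    return gaps

def slow_logins(text, threshold=2.0):
    """Logins whose pam_unix-to-pam_sss gap is at least `threshold` seconds."""
    return [g for g in auth_gaps(text) if g[2] >= threshold]

if __name__ == "__main__":
    for user, svc, secs in auth_gaps(SAMPLE):
        print(f"{svc:10} {user:25} {secs:.0f}s")
```

Syslog timestamps have one-second resolution, so the reported gaps are accurate to about a second.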
