[Freeipa-users] login delay with sssd

Lukas Slebodnik lslebodn at redhat.com
Tue Jun 2 06:21:59 UTC 2015


On (01/06/15 15:42), Ivars Strazdiņš wrote:
>Hi,
>How could I possibly trace why there is a noticeable delay when logging into an sssd-enabled server?
>With ssh there is a 2-3 second delay before users log in. But most users notice this with webmail, which uses dovecot->pam->sssd as authentication backend.
>Environment is CentOS 7.1 and FreeIPA 4.1.0 servers, two redundant.
>Client also running CentOS 7.1 with sssd.
>Installation as per IPA handbook. DNS is proper (or so I think :) ).
>Nothing special in logs that I could attribute to this problem except maybe that for each successful login there is a pam_unix failure entry in /var/log/secure log like:
>Jun  1 17:38:36 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user1 at company.com rhost=::1  user=user1 at company.com
>Jun  1 17:38:37 mail auth: pam_sss(dovecot:auth): authentication success; logname= uid=0 euid=0 tty=dovecot ruser=user1 at company.com rhost=::1 user=user1 at company.com
>
>But when the user is logged in, “id” command result is instantaneous.
>All machines have selinux enabled, of course.

How many groups does the problematic user have?

Some performance degradation is caused by semanage.
Here is an upstream ticket:
https://fedorahosted.org/sssd/ticket/2624

It is already fixed in Fedora,
but you can test with a prerelease of sssd-1.12.5:
https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12-latest/

HTH

LS