[Freeipa-users] Really slow logins with AD SID Mapping vs. POSIX

Gould, Joshua Joshua.Gould at osumc.edu
Thu Mar 19 15:05:45 UTC 2015


I'm seeing ssh logins for AD users take MUCH longer when using SID mapping
vs. POSIX attributes. Both myself and our AD admin would prefer to use SID
mapping. It appears tied to the group lookup at login. There seem to be
many posts about it, but I haven't found anything to help much. sssd pegs
the CPU for the 15 or so seconds the login takes.

Ex w/ SID mapping AD trust:
Mar 19 10:48:25 mid-ipa-vp01 sshd[16198]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.134.49.32  user=gould at test.osuwmc
Mar 19 10:48:28 mid-ipa-vp01 sshd[16198]: pam_sss(sshd:auth):
authentication success; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.134.49.32 user=gould at test.osuwmc
Mar 19 10:48:34 mid-ipa-vp01 sshd[16198]: Accepted password for
goul09 at test.osuwmc from 10.134.49.32 port 56844 ssh2
Mar 19 10:48:38 mid-ipa-vp01 sshd[16198]: pam_unix(sshd:session): session
opened for user goul09 at test.osuwmc by (uid=0)


Ex w/ POSIX AD trust:
Mar 16 14:27:52 mid-ipa-vp01 sshd[13723]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.134.49.96  user=gould at test.osuwmc
Mar 16 14:27:55 mid-ipa-vp01 sshd[13723]: pam_sss(sshd:auth):
authentication success; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.134.49.96 user=gould at test.osuwmc
Mar 16 14:28:01 mid-ipa-vp01 sshd[13723]: Accepted password for
gould at test.osuwmc from 10.134.49.96 port 61401 ssh2
Mar 16 14:28:05 mid-ipa-vp01 sshd[13723]: pam_unix(sshd:session): session
opened for user goul09 at test.osuwmc by (uid=0)


Exact same sssd.conf file for both configs.

[domain/unix.test.osuwmc]
debug_level = 9
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = unix.test.osuwmc
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = mid-ipa-vp01.unix.test.osuwmc
chpass_provider = ipa
ipa_server = mid-ipa-vp01.unix.test.osuwmc
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_referrals = false

#[domain/test.osuwmc]

[sssd]
services = nss, sudo, pam, ssh, pac
config_file_version = 2
domains = unix.test.osuwmc

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]
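As an added example (not the poster's or the FreeIPA project's code): a small Python helper that turns sshd syslog lines like the ones above into per-stage durations, so the slow step of a login can be measured per sshd PID instead of eyeballed. The sample traces are the post's own lines re-joined onto single lines; the year is assumed because syslog timestamps omit it.

```python
import re
from datetime import datetime

# Login milestones in the order sshd/PAM logs them for one connection.
STAGES = [
    ("pam_unix(sshd:auth): authentication failure", "pam_unix_fail"),
    ("pam_sss(sshd:auth): authentication success", "pam_sss_ok"),
    ("Accepted password for", "accepted"),
    ("pam_unix(sshd:session): session opened", "session_open"),
]

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: (.*)$")

def stage_durations(lines, year=2015):
    """Return {sshd_pid: [(stage, seconds since previous stage), ...]}."""
    by_pid = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        pid, msg = m.group(2), m.group(3)
        for needle, name in STAGES:
            if needle in msg:
                by_pid.setdefault(pid, []).append((name, ts))
                break
    result = {}
    for pid, events in by_pid.items():
        events.sort(key=lambda e: e[1])
        prev, deltas = None, []
        for name, ts in events:
            deltas.append((name, 0.0 if prev is None else (ts - prev).total_seconds()))
            prev = ts
        result[pid] = deltas
    return result

def total_login_seconds(stages):
    """Seconds from the first logged stage to the last one."""
    return sum(d for _, d in stages)

# Constructed sample input: the post's sshd lines, each re-joined onto one line.
SID_TRACE = [
    "Mar 19 10:48:25 mid-ipa-vp01 sshd[16198]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.134.49.32  user=gould@test.osuwmc",
    "Mar 19 10:48:28 mid-ipa-vp01 sshd[16198]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.134.49.32 user=gould@test.osuwmc",
    "Mar 19 10:48:34 mid-ipa-vp01 sshd[16198]: Accepted password for goul09@test.osuwmc from 10.134.49.32 port 56844 ssh2",
    "Mar 19 10:48:38 mid-ipa-vp01 sshd[16198]: pam_unix(sshd:session): session opened for user goul09@test.osuwmc by (uid=0)",
]
POSIX_TRACE = [
    "Mar 16 14:27:52 mid-ipa-vp01 sshd[13723]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.134.49.96  user=gould@test.osuwmc",
    "Mar 16 14:27:55 mid-ipa-vp01 sshd[13723]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.134.49.96 user=gould@test.osuwmc",
    "Mar 16 14:28:01 mid-ipa-vp01 sshd[13723]: Accepted password for gould@test.osuwmc from 10.134.49.96 port 61401 ssh2",
    "Mar 16 14:28:05 mid-ipa-vp01 sshd[13723]: pam_unix(sshd:session): session opened for user goul09@test.osuwmc by (uid=0)",
]

if __name__ == "__main__":
    for label, trace in (("SID", SID_TRACE), ("POSIX", POSIX_TRACE)):
        for pid, stages in stage_durations(trace).items():
            print(label, pid, stages, "total", total_login_seconds(stages))
```

On the two traces pasted in the post the stage deltas come out identical (3 s, 6 s, 4 s between the four sshd lines), so the comparison needs sssd's own debug log (debug_level = 9 is already set) lined up against these timestamps to see where the SID-mapped run spends its extra time.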