[Freeipa-users] Slow SSH login for IPA users only

Guillem Liarte guillem.liarte at googlemail.com
Wed Oct 7 11:23:06 UTC 2015


Sumit,

Thanks for your reply.

Yes, I have debug enabled: with level 5 I see that here is where it spends
most of its time:

(Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info]
(0x0200): Got request for [0x1][1][name=testuser]
(Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100):
Request processed. Returned 0,0,Success
(Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info]
(0x0200): Got request for [0x1][1][name=testuser]
(Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100):
Request processed. Returned 0,0,Success
(Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info]
(0x0200): Got request for [0x3][1][name=testuser]
(Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Wed Oct  7 13:14:18 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100):
Request processed. Returned 0,0,Success

Note that I removed the real domain name, also to make it a short line.


After reading this post:

https://www.centos.org/forums/viewtopic.php?f=47&t=53652

I actually saw that setting selinux_provider = none improved things quite a
lot.

Still, what is this message:

[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]

?

Regards,

Guillem

On 7 October 2015 at 12:35, Sumit Bose <sbose at redhat.com> wrote:

> On Wed, Oct 07, 2015 at 12:07:08PM +0200, Guillem Liarte wrote:
> > All,
> >
> > I have an IPA 4.1 installation that works perfectly. We just suffer from
> > slow logins (this is also slow in other operations such as invoking SUDO)
> >
> > IPA user:
> >
> > 1st. login: 30 seconds
> > 2nd login: 8 seconds
> > 3rd  login: 6.5 seconds
> > 4th login: 20 seconds
> >
> > Local user:
> >
> > Consistently under 2  seconds
> >
> > In SSH I have tried:
> >
> > Setting UseDNS to no
> > Setting GSSAPIAuthentication to no
> >
> > I have tried various things that would work on a slow SSH, with no effect.
> > In fact, local users have no problem.
> >
> > DNS both forward and reverse works well, works fast and gives consistent
> > results. That is not the issue.
> >
> > While trying to find out more about the issue, I see that after the client
> > has connected, it spends most of the time here:
> >
> > [...]
> > debug2: input_userauth_pk_ok: fp
> > e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
> > debug3: sign_and_send_pubkey: RSA
> > e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
> > debug1: Authentication succeeded (publickey).
> > [...]
> >
> > At first I thought it might be the key retrieval from the IPA service, but
> > it is actually quite fast:
> >
> > time /usr/bin/sss_ssh_authorizedkeys testuser
> > real    0m0.209s
> >
> > We have all the configuration files just as they were after installing the
> > ipa-client. The only modification was made to sshd_config as these two
> > lines:
> >
> > AuthorizedKeysCommand  /usr/bin/sss_ssh_authorizedkeys
> > AuthorizedKeysCommandUser nobody
> >
> > I also tried removing the _srv_ in the ipa server line in sssd.conf, but
> > that did not make any difference either.
> >
> > So, in brief:
> >
> > - SSH is fast for local users
> > - authorized keys get retrieved quickly
> > - no DNS issues.
> > - IPA users take from 6 to 30 seconds to login (and also to perform sudo
> > invocations)
> > - While watching ssh logins, for  ipa users, it takes a long time to pass
> > these two:
> >
> >    - input_userauth_pk_ok
> >    - sign_and_send_pubkey
> >
> > Could someone give me an idea of what to try next?
>
> Please check the SSSD logs especially the ones for the domain. You might
> need to increase the debug_level, please see
> https://fedorahosted.org/sssd/wiki/Troubleshooting for details.
>
> bye,
> Sumit
>
> >
> > Thanks!
>
>
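An added example, not part of the original message or of SSSD: a small parser for domain-log lines in the format quoted above that pairs each be_get_account_info request with the next acctinfo_callback and reports the elapsed time and the number of "Could not parse domain SID" lines in between. The domain example.test and the second request's timestamps are constructed, and pairing requests to callbacks in FIFO order is an assumption.

```python
import re
from collections import deque
from datetime import datetime

# One unwrapped line: (timestamp) [sssd[be[domain]]] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<dom>[^\]]*)\]\]\] "
    r"\[(?P<fn>\w+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
PREFIX = "Got request for "

def parse_ts(ts):
    # Collapse the padded day ("Oct  7") before parsing; resolution is one second.
    return datetime.strptime(" ".join(ts.split()), "%a %b %d %H:%M:%S %Y")

def request_latencies(lines):
    """Return one dict per completed request: request, seconds, sid_warnings, result."""
    pending = deque()  # requests waiting for their callback (FIFO is an assumption)
    done = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # wrapped continuation or unrelated line
        fn, msg, when = m["fn"], m["msg"], parse_ts(m["ts"])
        if fn == "be_get_account_info" and msg.startswith(PREFIX):
            pending.append({"request": msg[len(PREFIX):], "start": when, "sid_warnings": 0})
        elif fn == "sdap_idmap_domain_has_algorithmic_mapping" and pending:
            pending[-1]["sid_warnings"] += 1  # charge to the most recent request
        elif fn == "acctinfo_callback" and msg.startswith("Request processed") and pending:
            req = pending.popleft()
            req["seconds"] = (when - req.pop("start")).total_seconds()
            req["result"] = msg.split("Returned ", 1)[-1]
            done.append(req)
    return done

# Constructed sample in the same format; the 8-second gap is invented for illustration.
BE = "[sssd[be[example.test]]]"
WARN = "[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]"
SAMPLE = [
    f"(Wed Oct  7 13:14:17 2015) {BE} [be_get_account_info] (0x0200): Got request for [0x1][1][name=testuser]",
    f"(Wed Oct  7 13:14:17 2015) {BE} {WARN}",
    f"(Wed Oct  7 13:14:17 2015) {BE} [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success",
    f"(Wed Oct  7 13:14:17 2015) {BE} [be_get_account_info] (0x0200): Got request for [0x3][1][name=testuser]",
    f"(Wed Oct  7 13:14:17 2015) {BE} {WARN}",
    f"(Wed Oct  7 13:14:20 2015) {BE} {WARN}",
    f"(Wed Oct  7 13:14:25 2015) {BE} [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success",
]

if __name__ == "__main__":
    for r in request_latencies(SAMPLE):
        print(f'{r["seconds"]:6.1f}s  warnings={r["sid_warnings"]}  {r["request"]}  -> {r["result"]}')
```

Feed it the lines of the domain log as written on disk (one entry per line), not the mail-wrapped copy, since wrapped lines do not match the pattern and are skipped.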