[Freeipa-users] Slow SSH login for IPA users only

Guillem Liarte guillem.liarte at googlemail.com
Fri Oct 9 13:00:56 UTC 2015


Thanks Sumit.

The version of sssd is 1.12.2-58.el7_1.17

I do not have any AD trusts defined, I suppose I should not see those
messages.

Thanks again.

Guillem

On 9 October 2015 at 14:06, Sumit Bose <sbose at redhat.com> wrote:

> On Wed, Oct 07, 2015 at 01:23:06PM +0200, Guillem Liarte wrote:
> > Sumit,
> >
> > Thanks for your reply.
> >
> > Yes, I have debug enabled: With level 5 I see that here is where it
> > spends most of its time:
> >
> > (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info]
> > (0x0200): Got request for [0x1][1][name=testuser]
> > (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
> > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> > domain SID from [(null)]
> > (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
> > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> > domain SID from [(null)]
> > (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100):
> > Request processed. Returned 0,0,Success
> > (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info]
> > (0x0200): Got request for [0x1][1][name=testuser]
> > (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
> > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> > domain SID from [(null)]
> > (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
> > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> > domain SID from [(null)]
> > (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100):
> > Request processed. Returned 0,0,Success
> > (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info]
> > (0x0200): Got request for [0x3][1][name=testuser]
> > (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
> > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> > domain SID from [(null)]
> > (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
> > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> > domain SID from [(null)]
> > (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
> > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> > domain SID from [(null)]
> > (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
> > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> > domain SID from [(null)]
> > (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
> > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> > domain SID from [(null)]
> > (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
> > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> > domain SID from [(null)]
> > (Wed Oct  7 13:14:18 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100):
> > Request processed. Returned 0,0,Success
> >
> > Note that I removed the real domain name, also to make it a short line.
> >
> >
> > After reading in this post:
> >
> > https://www.centos.org/forums/viewtopic.php?f=47&t=53652
> >
> > I actually saw that setting selinux_provider = none improved things
> > quite a lot.
>
> Which SSSD version are you using? This issue was tracked by
> https://fedorahosted.org/sssd/ticket/2624 and should be fixed in recent
> versions of SSSD.
>
> >
> > Still, what is this message:
> >
> > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> > domain SID from [(null)
>
> Those are harmless. If you have trust enabled with AD we have to
> figure out if the POSIX UID for a user should be calculated based on the
> SID or taken from a suitable LDAP attribute from AD. Since this happens
> in the common code for user lookup it is executed for IPA users as well.
> But I agree that this message is annoying and created
> https://fedorahosted.org/sssd/ticket/2830 to suppress it for IPA users.
>
> bye,
> Sumit
>
> >
> > ?
> >
> > Regards,
> >
> > Guillem
> >
> > On 7 October 2015 at 12:35, Sumit Bose <sbose at redhat.com> wrote:
> >
> > > On Wed, Oct 07, 2015 at 12:07:08PM +0200, Guillem Liarte wrote:
> > > > All,
> > > >
> > > > I have an IPA 4.1 installation that works perfectly. We just suffer from
> > > > slow logins (this is also slow in other operations such as invoking SUDO)
> > > >
> > > > IPA user:
> > > >
> > > > 1st. login: 30 seconds
> > > > 2nd login: 8 seconds
> > > > 3rd login: 6.5 seconds
> > > > 4th login: 20 seconds
> > > >
> > > > Local user:
> > > >
> > > > Consistently under 2  seconds
> > > >
> > > > In SSH I have tried:
> > > >
> > > > Setting UseDNS to no
> > > > Setting GSSAPIAuthentication to no
> > > >
> > > > I have tried various things that would work on a slow SSH, with no
> > > > effect. In fact, local users have no problem.
> > > >
> > > > DNS both forward and reverse works well, works fast and gives consistent
> > > > results. That is not the issue.
> > > >
> > > > While trying to find out more about the issue, I see that after the
> > > > client has connected, it spends most of the time here:
> > > >
> > > > [...]
> > > > debug2: input_userauth_pk_ok: fp
> > > > e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
> > > > debug3: sign_and_send_pubkey: RSA
> > > > e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
> > > > debug1: Authentication succeeded (publickey).
> > > > [...]
> > > >
> > > > At first I thought it might be the key retrieval from the IPA service, but
> > > > it is actually quite fast:
> > > >
> > > > time /usr/bin/sss_ssh_authorizedkeys testuser
> > > > real    0m0.209s
> > > >
> > > > We have all the configuration files just as they were after installing the
> > > > ipa-client. The only modification was made to sshd_config as these two
> > > > lines:
> > > >
> > > > AuthorizedKeysCommand  /usr/bin/sss_ssh_authorizedkeys
> > > > AuthorizedKeysCommandUser nobody
> > > >
> > > > I also tried removing the _srv_ in the ipa server line in sssd.conf, but
> > > > that did not make any difference either.
> > > >
> > > > So, in brief:
> > > >
> > > > - SSH is fast for local users
> > > > - authorized keys get retrieved quickly
> > > > - no DNS issues.
> > > > - IPA users take from 6 to 30 seconds to login (and also to perform sudo
> > > > invocations)
> > > > - While watching ssh logins, for ipa users, it takes a long time to pass
> > > > these two:
> > > >
> > > >    - input_userauth_pk_ok
> > > >    - sign_and_send_pubkey
> > > >
> > > > Could someone give me an idea of what to try next?
> > >
> > > Please check the SSSD logs especially the ones for the domain. You might
> > > need to increase the debug_level, please see
> > > https://fedorahosted.org/sssd/wiki/Troubleshooting for details.
> > >
> > > bye,
> > > Sumit
> > >
> > > >
> > > > Thanks!
> > >
> > >
> > >
>
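
An added example, not part of the original thread and not SSSD code: a small parser for backend log entries in the format quoted above, which pairs each `be_get_account_info` request with the following `acctinfo_callback` to show which lookup the time is spent in. The sample log, the domain `example.test` and the 6-second delay are constructed for illustration, and requests are assumed to complete in the order they arrive.

```python
import re
from datetime import datetime

# One entry per line, as SSSD writes it to /var/log/sssd/sssd_<domain>.log.
ENTRY = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[[^\]]*\]\]\] "
                   r"\[(?P<func>\w+)\] \(0x[0-9a-f]+\): (?P<msg>.*)$")

# Constructed sample (not from the thread): the second request takes 6 seconds.
_P = "(Wed Oct  7 13:14:%02d 2015) [sssd[be[example.test]]] "
SAMPLE = "\n".join([
    _P % 17 + "[be_get_account_info] (0x0200): Got request for [0x1][1][name=testuser]",
    _P % 17 + "[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]",
    _P % 17 + "[acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success",
    _P % 17 + "[be_get_account_info] (0x0200): Got request for [0x3][1][name=testuser]",
    _P % 17 + "[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]",
    _P % 17 + "[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]",
    _P % 23 + "[acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success",
])

def parse(text):
    """Yield (datetime, function, message) for each backend log entry."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            ts = " ".join(m["ts"].split())  # collapse the "Oct  7" day padding
            yield (datetime.strptime(ts, "%a %b %d %H:%M:%S %Y"),
                   m["func"], m["msg"])

def request_timings(text):
    """Pair requests with callbacks in FIFO order (assumption: no interleaving)."""
    pending, results = [], []
    for ts, func, msg in parse(text):
        if func == "be_get_account_info" and msg.startswith("Got request for"):
            pending.append({"request": msg[len("Got request for "):],
                            "start": ts, "sid_warnings": 0})
        elif func == "sdap_idmap_domain_has_algorithmic_mapping" and pending:
            pending[-1]["sid_warnings"] += 1   # the harmless SID message
        elif func == "acctinfo_callback" and pending:
            req = pending.pop(0)
            req["seconds"] = (ts - req.pop("start")).total_seconds()
            req["result"] = msg.rsplit("Returned ", 1)[-1]
            results.append(req)
    return results

if __name__ == "__main__":
    for r in request_timings(SAMPLE):
        print(f'{r["seconds"]:5.1f}s  {r["request"]}  ({r["sid_warnings"]} SID warnings)')
```
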