[Freeipa-users] Slow logins with multi site replication

Jakub Hrozek jhrozek at redhat.com
Tue Aug 2 06:10:37 UTC 2016 

On Mon, Aug 01, 2016 at 02:35:04PM +0000, Neal Harrington | i-Neda Ltd wrote:
> Hi,
> 
> 
> I am experiencing slow logins and sudo authentication for servers joined to my FreeIPA domain. I have been following the other recent thread on slow logins and believe my issue is different.
> 
> 
> I have replication setup with 2 FreeIPA servers at each of 3 sites. The replication is working well and I am able to login correctly on client servers with correct sudo permissions etc. Logins seem to take a long time however. There seems to be some kind of DNS/connection timeout issues, see the example below where the client times out on the auth01 server, then retries and connects. I have also seen it switch to an alternate IPA server on timeout. Total delay in this example is about 10 seconds however it can take longer (approx 30 seconds). It is worth mentioning that client servers in each site cannot connect to IPA servers is a different site - however in the example below the auth01 IPA server is in the same site as the client server. I'm not sure if there is any way to make the IPA clients site aware so they prefer to log in to a local server?
> 
> 
> On the IPA servers themselves there is no noticeable delay and once I have authenticated with sudo once, subsequent attempts in the same login are also near instant. I have not been able to find any reason for this delay in any logs (which probably just means I'm not looking in the right place).
> 
> 
> DNS servers are running on each IPA server and responding well whenever I have tested.
> 
> 
> IPA Servers: CentOS 7.2.1511 running IPA 4.2.0 (from standard CentOS repo)
> 
> Client servers: Ubuntu 14.04 running IPA 3.3.4 (From standard Ubuntu repo)
> 
> 
> Any comments or suggestions greatly appreciated.
> 
> 
> Thanks,
> 
> Neal.
> 
> 
> Example sssd log for a "sudo -l" attempt.
> 
> (Mon Aug 1 14:39:59 2016) [sssd[be[fqdn.com]]] [krb5_child_timeout]
> (0x0040): Timeout for child [7430] reached. In case KDC is distant or
> network is slow you may consider increasing value of krb5_auth_timeout.
> (Mon Aug 1 14:39:59 2016) [sssd[be[fqdn.com]]] [krb5_auth_done] (0x0020):
> child timed out!

These debug messages seem to be telling you what the problem is. Have
you tried how long does it take to kinit (preferably with
KRB5_TRACE=/dev/stderr prepended) ?

More information about the Freeipa-users mailing list